Add a firewall with Zero Touch using a USB stick

You can deploy Sophos Firewall with Zero Touch using a USB stick.

Zero Touch lets you specify all the firewall settings in a configuration file. You then send that file to another administrator (for example, in a branch office) who can use it to deploy the firewall without entering any more settings.

Requirements

Zero Touch configuration using a USB stick is available for SG, XG, and XGS firewall devices.

The firewall must have DHCP enabled on the WAN port your firewall administrator uses to connect to the internet. New Sophos firewalls have DHCP enabled on WAN Port2 by default.

If you add multiple firewalls, a cache issue may arise, and the process may not work. To prevent this, use a separate private browsing tab to connect each firewall.

What to do in Sophos Central

To add a firewall with Zero Touch, do as follows:

1. Go to My Products > Firewall Management > Firewalls.
2. Click Add Firewall.

3. Under Add firewalls to Sophos Central, click Start Setup.

   

4. Under Add Firewall, enter the serial number of your Sophos Firewall, and click Next.

   

   Claim firewall appears. You see your firewall's serial number and model.

5. Click Next.

   

6. Accept the license agreement and click Continue.

7. Select the name and time zone of the firewall and click Continue.
8. Check the licensed features, opt into the customer experience improvement program if you want to, and click Continue.
9. Configure your LAN settings and enable DHCP if you want to. If you enable DHCP, you must enter a DHCP lease range.
10. Optional: Click Edit Internet Connection to configure your WAN settings, and click Apply. You can cancel or reset these settings if needed.
11. Click Continue.

12. Select your Network protection settings, then click Continue.

    

13. Check your Configuration summary, then click Finish.

    You'll see the Zero Touch configuration options.

    

14. Under Zero Touch configuration, select Administrator applies configuration from USB drive.

15. Optional: Under Central Management auto-approval, select Auto approve for Central management, and click Continue.

    If you don't select this option, you can accept your firewall later in Sophos Central.

16. Click Download to download the light-touch configuration file, then click Next.

    

17. Copy the light-touch configuration file onto a USB stick.

What to do on Sophos Firewall

At the site where the firewall needs to be deployed, the local administrator must do as follows:

1. Connect the firewall to the internet.

2. Plug the USB stick into the firewall device and power it on.

   The firewall detects the Zero Touch configuration file and accepts the internet settings (if any).

Accept the firewall if you didn't select auto approve

1. In Sophos Central, go to My Products > Firewall Management > Firewalls.
2. Search for your firewall's serial number.

3. Click Accept services.

   Once you accept the firewall, the remaining settings are applied. You can now add the firewall to a group and manage it through Sophos Central.

Set your admin password

1. In Sophos Central, go to My Products > Firewall Management > Firewalls.

   You see your firewall is now connected.

2. Click your firewall's name.

   You'll connect to your firewall's web admin console.

3. Go to Administration. Scroll down to Default admin's password settings.

4. Enter and confirm your password, click Apply, then click OK to confirm.

5. At the top left of the screen, click Back to FW Management.

   You're redirected back to Sophos Central firewall management.

Sign into your firewall

Your firewall administrator must do as follows:

1. Type the web admin console address into your browser, followed by port 4444. Example: 172.16.16.16:4444.
2. Sign in to the web admin console using the password you set.

3. Under the System section, go to Sophos Central.

   

   Under Sophos Central registration, the Device status is Registered.

   Under Sophos Central services, the status is Managed.