Skip to content

Add a firewall with Controlled Zero Touch

If your firewalls are on version 19.0 MR1 or later, you can deploy them using Controlled Zero Touch configuration.

You can only use this feature if you've joined the Early Access Program. Contact your Sophos Partner for more information.

Controlled Zero Touch lets you specify all the firewall settings in a configuration file on Sophos Central. Your firewall administrator then connects the firewall to the internet, and the firewall downloads the configuration file, then connects to Sophos Central.

Controlled Zero Touch configuration is available for the hardware appliances (XG, XGS, and SG) that Sophos Central can manage.


The firewall must have DHCP enabled on the WAN port your firewall administrator uses to connect to the internet. New Sophos firewalls have DHCP enabled on WAN Port2 by default.


If you add multiple firewalls, a cache issue may arise, and the process may not work. To prevent this, use a separate private browsing tab for connecting each firewall.

What to do in Sophos Central

In Sophos Central, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. Click Add Firewall and then click Add a new Firewall.
  3. Enter the serial number of your Sophos Firewall, and click Next.

    Claim firewall appears.

    Claim firewall window.

  4. Click Claim and Continue.

  5. Click Next.
  6. Accept the license agreement and click Continue.
  7. Select the name and time zone of the firewall and click Continue.
  8. Check the licensed features, opt into the customer experience improvement program if you want to, and click Continue.
  9. Configure your LAN settings.
  10. Click Edit Internet Connection to configure your WAN settings.
  11. Click Apply then Continue.
  12. Select your Network protection settings, then click Continue.

    Network protection window.

  13. Check your Configuration summary, then click Finish.

  14. For the zero touch mode, select Firewall downloads configuration from Central, then click Continue.

  15. Select Auto approve for Central management then click Continue.
  16. You'll see information about the firewall deployment steps. Click Finish.

    Firewall deployment steps.

What to do on Sophos Firewall

Your firewall administrator must connect the firewall to the internet on a DHCP-enabled port at the site where you want to deploy the firewall.

If the firewall isn't new (out of the box), the firewall administrator must reset the Sophos Firewall to factory default settings. They can do this from the command line interface as follows:

  1. On the main menu, select option 5, Device management.
  2. On the device management menu, select option 1, Reset to Factory Defaults, then enter yes when prompted. Sophos Firewall restarts.

    For help accessing the command line interface, see Command line help.

The firewall then downloads the Zero Touch configuration file you created on Sophos Central and connects to Sophos Central.

The firewall administrator can sign into the web admin console to see the set-up progress.

Here's an example:

ZeroTouch Setup in progress.

If the firewall can't connect to Sophos Central, the firewall administrator can do as follows:

  • Click Reinitiate ZeroTouch process to try to connect again. If this fails, they can ask the Sophos Central administrator to add the firewall again, or they can restart the firewall.
  • Click Manage firewall locally. They'll need to set up the firewall locally and ask the Sophos Central administrator to add the firewall to Sophos Central once it's up and running.

Access your firewall from Sophos Central

  1. Go to My Products > Firewall Management > Firewalls.
  2. Click your firewall's name.
  3. On the firewall, go to Administration and scroll down to Default admin's password settings.
  4. Enter and confirm your password and click Apply then OK to confirm.

You can now add the firewall to a group and manage it through Sophos Central.


If you don't set an admin password, administrators may have trouble accessing the firewall if it loses its internet connection or is disconnected from Sophos Central.