Skip to content

Add a firewall with Controlled Zero Touch

If your firewalls are on version 19.0 MR1 or later, you can deploy them using Controlled Zero Touch configuration.

Controlled Zero Touch lets you specify all the firewall settings in a configuration file on Sophos Central. Your firewall administrator then connects the firewall to the internet, and the firewall downloads the configuration file, then connects to Sophos Central.

Controlled Zero Touch configuration is available for the hardware appliances (XG, XGS, and SG) that Sophos Central can manage.


The firewall must have DHCP enabled on the WAN port your firewall administrator uses to connect to the internet. New Sophos firewalls have DHCP enabled on WAN Port2 by default.

What to do in Sophos Central Admin

In Sophos Central Admin, do as follows:

  1. Go to Firewall management > Firewalls.
  2. Click Add Firewall and select the option to add a new firewall.
  3. Enter the serial number of your Sophos Firewall, and click Next.
  4. Choose the email address to register the firewall to, and click Register and proceed. You'll see the firewall is successfully registered to that address.
  5. Click Next.
  6. Accept the license agreement and click Continue.
  7. Select the name and time zone of the firewall and click Continue.
  8. Check the licensed features, opt into the customer experience improvement program if needed, then click Continue.
  9. Configure your LAN settings.
  10. Click Edit Internet Connection to configure your WAN settings.
  11. Click Apply then Continue.
  12. Select the following zero touch mode; Firewall downloads configuration from Central, then click Continue.
  13. Select Auto approve for Central management then click Continue.
  14. You'll see information about the firewall deployment steps. Click Finish. Firewall deployment steps

What to do on Sophos Firewall

Your firewall administrator must connect the firewall to the internet on a DHCP-enabled port at the site where you want to deploy the firewall.

If the firewall isn't new (out of the box), the firewall administrator must reset the Sophos Firewall to factory default settings. They can do this from the command line interface as follows:

  1. On the main menu, select option 5 Device management.
  2. On the device management menu, select option 1 Reset to Factory Defaults then enter yes when prompted. The Sophos Firewall restarts.

    For help accessing the command line interface, see Command line help.

The firewall then downloads the Zero Touch configuration file you created on Sophos Central and connects to Sophos Central.

The firewall administrator can sign into the web admin console to see the set-up progress.

Here's an example:

ZeroTouch Setup in progress

If the firewall can't connect to Sophos Central, the firewall administrator can do as follows:

  • Click Reinitiate ZeroTouch process to try and connect again.

    If this fails, they can ask the Sophos Central administrator to add the firewall again, or they can restart the firewall.

  • Click Manage firewall locally. They'll need to set up the firewall locally and ask the Sophos Central administrator to add the firewall to Sophos Central once it's up and running.

Access your firewall from Sophos Central

  1. Go to Firewall management > Firewalls.
  2. Click on the firewall you just configured to access it through Sophos Central.
  3. On the firewall, go to Administration and scroll down to Default admin's password settings.
  4. Enter and confirm your password and click Apply then OK to confirm.

You can now add the firewall to a group, and manage it through Sophos Central.