If a firewall has been offline or out of sync with the group policy for more than 30 days, it's suspended.
If the suspended firewall isn't in a group, it doesn't need to be synchronized, because it doesn't get group policies. To unsuspend the firewall, you must reconnect the firewall to Sophos Central. To do this, make sure your firewall is turned on and working as expected.
If you add the firewall to a group while it's suspended, it won't get any group policies. You must reconnect the firewall to Sophos Central to get group policies.
Firewall suspended and connected
If a grouped firewall is suspended but connected to Sophos Central, you can force it to resynchronize. To do this, in Sophos Central, go to My Products > Firewall Management > Firewalls, click the arrow next to the firewall group list, and click the alert in the Sync & Management column.
Click the Force Sync link.
To check the synchronization status, go to Tasks Queue.
The firewall synchronizes with Sophos Central and gets the group policies.
Firewall suspended and not connected
If a grouped firewall is suspended and not connected to Sophos Central, you must reconnect the firewall to Sophos Central before you can synchronize. The Force Sync link appears only after you reconnect.
Suspended high-availability firewalls
If firewalls are in a high-availability pair, the Force Sync link is available only on the primary firewall.
Suspended SD-WAN firewalls
You can't add suspended firewalls to SD-WAN connection groups.
If a suspended firewall is already in an SD-WAN group, it remains in the group but doesn't get group policies. You must ensure the firewall is connected and synchronized to get group policies.