
Firewalls

You can view and configure any Sophos Firewall that can connect to Sophos Central.

Introduction

When you add a firewall to Sophos Central, you can monitor it in Sophos Central and manage it from the firewall's web admin console. See Sophos Firewall Management from Sophos Central.

You can manage firewalls individually or as a group. Firewalls that you manage individually are placed in a group called ungrouped. To manage firewalls, go to Firewall Management > Firewalls.

You can add as many firewalls as you wish in Sophos Central. Sophos Central is cloud based and scales to your needs. For example, if your firewalls produce a large number of logs, you can store and report on this data if you have enough licensed capacity. Sophos Central stores firewall log data on a first-in, first-out basis. This means that when your data storage is full, we remove your oldest data first. See Report Hub.


Firewall information

The information displayed for each firewall includes the following.

Alerts

Alerts in the last 24 hours.

CPU usage alert icon: to see a graph of CPU usage in the last two hours, click the icon.
Report alert icon: management and reporting alert. For more information, click the icon.

Sync & Management

Synchronized: The firewall is online and sending regular heartbeats. The firewall's configuration matches the group policy.

Connected: If the firewall is ungrouped, this status indicates that the firewall is online and sending regular heartbeats.

If the firewall is in a group and this status remains unchanged for more than about a minute, the firewall is online and sending regular heartbeats, but it isn't starting to synchronize with the group policy. This may be because the synchronization tasks haven't been created, or the tasks have been created but the firewall isn't pulling them. In this case, look in the tasks queue to find out which transactions are pending.

Error needs attention: The firewall's configuration doesn't match the group policy. The admin needs to look in the tasks queue to find out which policy can't be applied.

Synchronizing: The firewall has just been added to the group. Sophos Central is applying the group policy to the firewall.

Last seen x hours ago (for Sophos Firewall 18.0 or later) or Disconnected: The firewall is offline.

Approval Pending: The firewall has been registered with Sophos Central by a local admin from the firewall's web admin console. It's waiting for approval by a Sophos Central admin. When approved, the firewall is ready for group and individual device management.

Management Disabled: The firewall is registered with Sophos Central. However, Sophos Central management hasn't been turned on from the firewall's web admin console.

If you click a status, more information is displayed:

Missing since x hours: The firewall sends a heartbeat message every minute. If five heartbeat messages are missed, Sophos Central considers the firewall to be offline.

Failed to apply a policy x days ago: A policy couldn't be applied to the firewall. The tasks queue may have more details about the reason for the failure.

Firewall is suspended: The firewall has been offline or out of sync with the group policy for more than 30 days. This means that Sophos Central can't discover its current status. To resolve this issue, remove the firewall from the group and re-add it.

Central Reporting is Disabled: You can turn on firewall reporting from the firewall's web admin console.
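The status rules above (one heartbeat per minute, offline after five missed heartbeats, suspended after more than 30 days offline or out of sync) can be written down as a small status evaluator. The code below is an added example for this documentation, not Sophos code; the FirewallRecord fields, the NOW timestamp and the sample fleet are constructed for the example, and the detail strings are only modelled on the table wording.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Thresholds as stated in the Sync & Management tables.
HEARTBEAT_INTERVAL = timedelta(minutes=1)   # one heartbeat message per minute
MISSED_BEFORE_OFFLINE = 5                   # five missed heartbeats => offline
SUSPEND_AFTER = timedelta(days=30)          # offline or out of sync > 30 days => suspended


@dataclass
class FirewallRecord:
    """Hypothetical bookkeeping for one registered firewall (constructed for this example)."""
    serial: str
    in_group: bool
    last_heartbeat: Optional[datetime]             # None: no heartbeat ever received
    config_matches_policy: bool = True             # only meaningful when in_group
    out_of_sync_since: Optional[datetime] = None   # when a policy mismatch was first seen


def missed_heartbeats(rec: FirewallRecord, now: datetime) -> int:
    """Whole heartbeat intervals elapsed since the last heartbeat."""
    if rec.last_heartbeat is None:
        return MISSED_BEFORE_OFFLINE          # never heard from: treat as offline
    return int((now - rec.last_heartbeat) // HEARTBEAT_INTERVAL)


def sync_status(rec: FirewallRecord, now: datetime) -> Tuple[str, str]:
    """Return (status, detail) following the rules in the Sync & Management tables."""
    missed = missed_heartbeats(rec, now)
    if missed >= MISSED_BEFORE_OFFLINE:
        if rec.last_heartbeat is None:
            return "Disconnected", "No heartbeat has been received"
        gap = now - rec.last_heartbeat
        if gap > SUSPEND_AFTER:
            return "Disconnected", "Firewall is suspended: remove it from the group and re-add it"
        hours = int(gap.total_seconds() // 3600)
        return "Disconnected", f"Missing since {hours} hours ({missed} heartbeats missed)"
    # Heartbeats are arriving: the firewall is online.
    if not rec.in_group:
        return "Connected", "Online and sending regular heartbeats (ungrouped)"
    if rec.config_matches_policy:
        return "Synchronized", "Configuration matches the group policy"
    if rec.out_of_sync_since is not None and now - rec.out_of_sync_since > SUSPEND_AFTER:
        return "Error needs attention", "Firewall is suspended: remove it from the group and re-add it"
    return "Error needs attention", "Failed to apply a policy; check the tasks queue"


# Constructed reference time and sample fleet (serials are placeholders, not real devices).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sample_fleet(now: datetime = NOW) -> List[FirewallRecord]:
    return [
        FirewallRecord("CONSTRUCTED-01", True, now - timedelta(minutes=2)),
        FirewallRecord("CONSTRUCTED-02", False, now - timedelta(seconds=30)),
        FirewallRecord("CONSTRUCTED-03", False, now - timedelta(hours=3, minutes=5)),
        FirewallRecord("CONSTRUCTED-04", True, now - timedelta(days=31)),
        FirewallRecord("CONSTRUCTED-05", True, now - timedelta(seconds=30),
                       config_matches_policy=False, out_of_sync_since=now - timedelta(days=2)),
    ]


def demo(now: datetime = NOW):
    """Map each sample serial to its (status, detail) pair."""
    return {rec.serial: sync_status(rec, now) for rec in sample_fleet(now)}


if __name__ == "__main__":
    for serial, (status, detail) in demo().items():
        print(f"{serial}: {status} - {detail}")
```

The evaluator deliberately uses the page's thresholds as named constants so that a change in the documented heartbeat interval or miss count is a one-line edit, and it returns values rather than printing so the same logic can feed an alerting check.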

Synchronized Security

Apps icon: The number of apps discovered by the firewall.
Gray graph icon: Reporting is turned off.
Blue graph icon: Reporting is turned on.

Version

The firewall OS version.

Click a firewall to open the firewall’s web admin console. This lets you configure the firewall.

You must be an Admin or Super Admin in Sophos Central to open the web admin console. This gives you the same permissions as the firewall's local "admin" account. It also lets you change the password for an "admin" account, which is necessary when you deploy firewalls via Zero Touch.

Add a new firewall

To add a new firewall, do as follows:

  1. Click Add Firewall and select the option to add a new firewall.
  2. Register your serial number.

    You're guided through registration and deployment.

Add an existing firewall

To add a firewall that is already deployed, do as follows:

  1. Log in to your firewall.
  2. On the Central Synchronization page, turn on Manage from Sophos Central.
  3. In Sophos Central, on the Firewalls page, expand the Ungrouped group, find the firewall, and click Accept services.

Create group

If your firewalls are on firmware version 18.0 or later, you can add them to a group and configure them all simultaneously using a group policy.

Restriction

You must be an Admin or Super Admin in Sophos Central to create a group.

  1. Click Create New Group.
  2. Enter a name for the group.
  3. Assign firewalls to the group.

    You don't have to assign firewalls when you create a group. You can create an empty group, edit its policy, and then assign firewalls to it. The group policy is applied to firewalls whenever you assign them to the group. From then on, the firewall configuration is in sync with the group policy.

  4. Click Save.

Edit group policy

You can edit the policy that will apply to all firewalls in a group. To do this, do as follows:

  1. Click the ellipsis button (…) on the right-hand side of the group for which you want to edit the policy.
  2. Select Manage Policy.

    This takes you to your firewall web admin console, to Rules and Policies.

  3. You can now edit your policies.

    If a policy refers to firewall zones or interfaces, you may need to create dynamic zones or interfaces.

  4. To return to Sophos Central, you can click Dashboard or Back to Overview (on the left-hand menu).

In Sophos Central, go to Firewall Management > Tasks Queue. You can see whether the policy has been applied to the firewalls.

Warning

When you add firewall or NAT rules, the Top and Bottom settings apply only to the ordering of rules within Sophos Central, not rules that may have been created locally on the firewall. All rules pushed from Sophos Central are inserted at the top of the rules list on the firewall. To avoid unexpected firewall behavior, when a firewall is managed from Sophos Central, we recommend that all rules are created and pushed from Sophos Central.
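The effect described in the warning is easiest to see with a first-match simulation: Top and Bottom reorder rules only among the Central-managed set, and that whole set lands above the firewall's local rules, so a local deny can be silently overridden by a broader Central allow. The code below is an added example written for this page, not Sophos code; the simplified rule fields (zones and a service string), the rule names and the sample rule sets are constructed, and the shadowing check is a generic first-match analysis rather than a feature of the product.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule: zones and one service only (constructed for this example)."""
    name: str
    action: str       # "allow" or "deny"
    src_zone: str
    dst_zone: str
    service: str      # e.g. "tcp/22", or ANY
    origin: str       # "central" (pushed from Sophos Central) or "local"

    def matches(self, src_zone: str, dst_zone: str, service: str) -> bool:
        return all(want == ANY or want == got
                   for want, got in ((self.src_zone, src_zone),
                                     (self.dst_zone, dst_zone),
                                     (self.service, service)))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return all(mine == ANY or mine == theirs
                   for mine, theirs in ((self.src_zone, other.src_zone),
                                        (self.dst_zone, other.dst_zone),
                                        (self.service, other.service)))


def push_from_central(central: List[Rule], rule: Rule, position: str) -> List[Rule]:
    """Top/Bottom only position the rule among the other Central-managed rules."""
    if position not in ("Top", "Bottom"):
        raise ValueError("position must be 'Top' or 'Bottom'")
    return [rule] + central if position == "Top" else central + [rule]


def effective_order(central: List[Rule], local: List[Rule]) -> List[Rule]:
    """On the firewall, every rule pushed from Central sits above every local rule."""
    return list(central) + list(local)


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, service: str) -> Optional[Rule]:
    """First-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, service):
            return rule
    return None


def shadowed_local_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(local rule, central rule) pairs where the local rule can never fire."""
    shadowed = []
    for index, rule in enumerate(rules):
        if rule.origin != "local":
            continue
        for earlier in rules[:index]:
            if earlier.origin == "central" and earlier.covers(rule):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


# Constructed sample: rules an admin created locally on the firewall, in their local order.
LOCAL_RULES = [
    Rule("local-block-ssh-out", "deny", "LAN", "WAN", "tcp/22", "local"),
    Rule("local-allow-web-out", "allow", "LAN", "WAN", "tcp/443", "local"),
]


def build_central_rules() -> List[Rule]:
    """Constructed sample of rules pushed from Central, one at Bottom and one at Top."""
    central: List[Rule] = []
    central = push_from_central(
        central, Rule("central-allow-lan-out", "allow", "LAN", "WAN", ANY, "central"), "Bottom")
    central = push_from_central(
        central, Rule("central-block-rdp-dmz", "deny", "LAN", "DMZ", "tcp/3389", "central"), "Top")
    return central


def demo():
    rules = effective_order(build_central_rules(), LOCAL_RULES)
    hit = first_match(rules, "LAN", "WAN", "tcp/22")
    return {
        "order": [r.name for r in rules],
        "ssh_decision": (hit.name, hit.action) if hit else None,
        "shadowed": shadowed_local_rules(rules),
    }


if __name__ == "__main__":
    print(demo())
```

Running the sample shows the locally created SSH deny is never reached, which is exactly why the warning recommends creating and pushing all rules from Sophos Central once a firewall is Central-managed; the shadowing check is the kind of review a defender can run before and after onboarding a firewall.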

Create subgroup

You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup.

For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.

To create a subgroup, do as follows:

  1. Click the ellipsis button (…) on the right-hand side of the group in which you want to create a subgroup.
  2. Select Add a Subgroup.
  3. Enter a name for the subgroup.
  4. Assign firewalls to the subgroup.

    You don't have to assign firewalls when you create a subgroup. You can create an empty subgroup, edit its policy, and then assign firewalls to it. The subgroup policy is applied to firewalls whenever you assign them to the subgroup. From then on, the firewall configuration is in sync with the subgroup policy.

  5. Click Save.

Inheritance of objects and settings by subgroup policies

Objects are pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts.

A subgroup policy can't change objects you create for a parent group. For example, you create a custom FQDN Host object for the Acme Corporation policy. The Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in those policies. However, a subgroup policy can use the parent object as a template to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.

If you try to remove an object from a parent group policy, it's automatically removed from subgroup policies if it is not used by any of them. However, if it's used, removal is prevented, and you're informed of the subgroup and rule where the object is used.

Settings are pages in the group policy editor that typically have an Apply button. You can't delete a setting, only configure it and turn it on or off. Examples of settings are Advanced Threat settings.

You can only configure settings in the topmost parent group policy. You can't configure settings in any of the subgroup policies. When you apply a setting to the top parent group policy, it's applied automatically to all the subgroup policies.
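The inheritance rules in this section (read-only inherited objects, subgroup-private objects, removal refused while a subgroup rule uses the object, settings configurable only at the top group) form a small tree model. The code below is an added example for this page and not Sophos code; the PolicyGroup class, its method names and the sample groups, object definitions and setting keys are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple


class PolicyGroup:
    """Node in a group/subgroup tree (constructed model for this example)."""

    def __init__(self, name: str, parent: Optional["PolicyGroup"] = None):
        self.name = name
        self.parent = parent
        self.children: List["PolicyGroup"] = []
        self.objects: Dict[str, str] = {}          # objects this group owns: name -> definition
        self.rules: Dict[str, Set[str]] = {}       # rule name -> names of objects it references
        self.settings: Dict[str, object] = {}      # only ever populated on the topmost group
        if parent is not None:
            parent.children.append(self)

    # Objects: owned here or inherited read-only from ancestors.
    def visible_objects(self) -> Dict[str, Tuple[str, bool]]:
        """name -> (owning group, read_only). Inherited objects are read-only copies."""
        seen: Dict[str, Tuple[str, bool]] = {}
        group: Optional[PolicyGroup] = self
        while group is not None:
            for name in group.objects:
                seen.setdefault(name, (group.name, group is not self))
            group = group.parent
        return seen

    def add_object(self, name: str, definition: str) -> None:
        if name in self.visible_objects():
            raise ValueError(f"object {name!r} already exists or is inherited")
        self.objects[name] = definition

    def add_rule(self, rule_name: str, references: Set[str]) -> None:
        missing = references - set(self.visible_objects())
        if missing:
            raise ValueError(f"rule {rule_name!r} references unknown objects {sorted(missing)}")
        self.rules[rule_name] = set(references)

    def descendants(self) -> List["PolicyGroup"]:
        found: List[PolicyGroup] = []
        for child in self.children:
            found.append(child)
            found.extend(child.descendants())
        return found

    def remove_object(self, name: str) -> Tuple[bool, str]:
        """Refuse removal while this group or any subgroup rule still uses the object."""
        if name not in self.objects:
            return False, f"{self.name!r} does not own object {name!r}"
        for group in [self] + self.descendants():
            for rule_name, refs in group.rules.items():
                if name in refs:
                    return False, f"{name!r} is used by rule {rule_name!r} in group {group.name!r}"
        del self.objects[name]   # inherited copies are views of this entry, so they disappear too
        return True, f"{name!r} removed from {self.name!r} and all subgroups"

    # Settings: configured on the top parent only, applied to every subgroup.
    def apply_setting(self, key: str, value: object) -> bool:
        if self.parent is not None:
            return False
        self.settings[key] = value
        return True

    def effective_setting(self, key: str):
        group = self
        while group.parent is not None:
            group = group.parent
        return group.settings.get(key)


def demo():
    acme = PolicyGroup("Acme Corporation")
    boston = PolicyGroup("Boston", acme)
    london = PolicyGroup("London", acme)
    acme.add_object("updates-fqdn", "updates.example.com")   # constructed FQDN host object
    boston.add_object("boston-printer", "10.0.0.10")         # constructed subgroup-private object
    boston.add_rule("allow-updates", {"updates-fqdn"})
    refused = acme.remove_object("updates-fqdn")
    acme.apply_setting("advanced-threat-protection", True)
    return {
        "boston_sees_inherited_readonly": boston.visible_objects()["updates-fqdn"],
        "london_sees_boston_printer": "boston-printer" in london.visible_objects(),
        "remove_refused": refused,
        "subgroup_can_set_setting": boston.apply_setting("advanced-threat-protection", False),
        "london_effective_atp": london.effective_setting("advanced-threat-protection"),
    }


if __name__ == "__main__":
    print(demo())
```

The removal check walks the whole subtree before deleting, mirroring the documented behaviour of reporting the subgroup and rule that still depend on the object rather than leaving a dangling reference in a subgroup policy.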

Attach a label

You can add a label to your Sophos Firewall. This helps identify your firewall when we send email notifications for various alerts such as when the gateway is up or down.

To add a label to your firewall, do as follows:

  1. Click the three dots next to your firewall, then click Attach a label.

    (Screenshot: Attach firewall label)

  2. A pop-up appears. Enter a name for the firewall label in the dialog box, then click Add.

    (Screenshot: Name firewall label)

    The firewall label must be different from the firewall name and serial number.

    The firewall label appears next to the firewall.

    (Screenshot: Show firewall label)

  3. To edit or delete the firewall label, click the three dots next to the firewall and click Edit/Delete label.

    (Screenshot: Edit or delete firewall label)

Upgrade firmware for firewalls

Note

You can only schedule upgrades for a future date and time if your Sophos Firewall is on version 18.0 MR3 or later.

You can upgrade firmware for Sophos Firewall. If an upgrade is available, you'll see a download button next to all firewalls eligible for it.

To upgrade a firewall, do as follows:

  1. Click the download button.
  2. Click Schedule Upgrades.

    (Screenshot: Schedule a firewall upgrade)

  3. If more than one firmware version is available, select the version you want.

  4. Choose the date and time of the upgrade.

    You can also upgrade the firmware immediately.

  5. Click Schedule Upgrades.

    (Screenshot: Schedule Upgrade button)

    Firewalls are updated based on the time zone of the firewall. The upgrade starts at the scheduled time on the firewall. When the upgrade is in progress, you'll see a spinning icon next to the firewall.

    (Screenshot: Spinning icon)

    When the upgrade is complete, the spinning icon disappears.

You can upgrade multiple firewalls at the same time. You can edit or cancel scheduled upgrades.
