
Manage an SD-WAN connection group

You can edit and delete an SD-WAN connection group. You can see the status of the VPN tunnels established among the firewalls in the connection groups.

Edit a connection group

To edit a connection group, do as follows:

  1. Go to My Products > Firewall Management > SD-WAN Connection Groups.
  2. Click the name of the group you want to change.
  3. Use the SD-WAN Connection Group creation assistant to make your changes.

    For example, you can change your resources or delete them.

  4. Click Save.

Delete a connection group

To delete a connection group, do as follows:

  1. Go to My Products > Firewall Management > SD-WAN Connection Groups.
  2. Click the group you want to delete and click the delete icon at the end of the row for the group.


Initiator and responder scenarios

This is how Sophos Central decides which firewalls in the SD-WAN groups are initiators and which are responders.

  • In a hub-and-spoke network, the firewall sharing the resource is the responder.
  • In a full mesh network, if the firewalls share resources, Sophos Central uses their hostnames. It checks their hostnames and allocates the responder role using alphabetical order. For example, if firewall one's hostname is AA_OFFICE and firewall two's hostname is BB_OFFICE, then firewall one is the responder.
  • In networks with multiple hubs, such as full mesh or multi-hub, if both firewalls share resources and have the same hostname, Sophos Central uses their firewall IDs. It checks their firewall IDs and allocates the responder role using alphabetical order. For example, if firewall one's ID is ffb8870c-d04e-4a9f-b3c2-b0d277ba7c26 and firewall two's ID is 2ca74541-ab8b-4e00-b009-17f7101d4861, then firewall two is the responder.
  • In a route-based VPN tunnel, if you've configured a wildcard (*) address in Public IP or FQDN for selected WAN link, the firewall using the wildcard address as the remote gateway address is the responder.
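The rules above written out as a function, as an added example that is not Sophos code. The `Firewall` class and `pick_responder` are hypothetical names. Assumptions: the wildcard rule is checked first (the page gives no precedence between rules), and "alphabetical order" is a plain case-sensitive string comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Firewall:
    hostname: str
    firewall_id: str
    shares_resources: bool = True   # does this firewall share a resource in the group?
    remote_gateway: str = ""        # remote gateway set on this firewall; "*" = wildcard


def pick_responder(a: Firewall, b: Firewall) -> Firewall:
    """Return the firewall expected to act as responder for the tunnel a <-> b."""
    # Route-based VPN: the side using the wildcard as its remote gateway responds.
    # Checking this rule first is an assumption; the page gives no precedence.
    a_wild, b_wild = a.remote_gateway == "*", b.remote_gateway == "*"
    if a_wild != b_wild:
        return a if a_wild else b
    if a_wild and b_wild:
        raise ValueError("both sides use a wildcard remote gateway: not covered by the page")

    # Hub-and-spoke: the firewall sharing the resource is the responder.
    if a.shares_resources != b.shares_resources:
        return a if a.shares_resources else b
    if not a.shares_resources:
        raise ValueError("neither firewall shares a resource: not covered by the page")

    # Both share resources: alphabetical order of hostname, then of firewall ID.
    # Assumption: plain case-sensitive string comparison.
    if a.hostname != b.hostname:
        return min(a, b, key=lambda fw: fw.hostname)
    if a.firewall_id == b.firewall_id:
        raise ValueError("identical hostname and firewall ID")
    return min(a, b, key=lambda fw: fw.firewall_id)


if __name__ == "__main__":
    # The two examples from the page.
    one = Firewall("AA_OFFICE", "ffb8870c-d04e-4a9f-b3c2-b0d277ba7c26")
    two = Firewall("BB_OFFICE", "2ca74541-ab8b-4e00-b009-17f7101d4861")
    print(pick_responder(one, two).hostname)       # hostname rule
    same = Firewall("AA_OFFICE", two.firewall_id)  # constructed: same hostname as 'one'
    print(pick_responder(one, same).firewall_id)   # firewall ID rule
```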

Firewall location and VPN tunnel status

To check your VPN connections, go to My Products > Firewall Management > SD-WAN Connection Groups. This map shows the location of the firewalls and the status of the VPN tunnels.

The status of the VPN tunnels can be as follows:

  • Green: All firewalls in the connection group are active.


  • Orange: At least one firewall in the connection group is inactive.


  • Red: All firewalls in the connection group are inactive.

To see the location of the firewalls and the status of the VPN tunnels on the map, add the location of the firewalls in a connection group to Sophos Central.

Add the location of a firewall

To add the location of a firewall to Sophos Central, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. For the firewall whose location you want to add, click More options and select Add location.
  3. Enter the Latitude and Longitude of the firewall and click Add.

You can now see the location of the firewalls and the status of the VPN tunnels in the VPN connections map on Firewall Management > SD-WAN Connection Groups.

Edit the location of a firewall

To edit the location of a firewall in Sophos Central, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. For the firewall whose location you want to edit, click More options and select Edit location.
  3. Edit the Latitude and Longitude of the firewall and click Edit.