Control center

The control center appears as soon as you sign in.

The control center provides a single screen snapshot of the state and health of the security system.

System panel

The system panel displays the real-time state of the XG Firewall services, VPN connections, WAN links, and performance, as well as the number of days the device has been up and running. Each status is displayed as an icon, and colored icons differentiate the statuses. Click an icon to see detailed information.

The icons and their statuses are:

Performance widget

  • Normal - Load average is less than 2 units.
  • Warning - Load average is between 2 and 5 units.
  • Alert - Load average is more than 5 units.
  • Unknown

Click the icon to see the load average graph.

Load average is a measure of the average number of processes waiting for execution time on a CPU. Any number greater than the number of processor cores in the system indicates that, during the time period being measured (for example, 5 minutes), there was generally more work to do than the system was capable of doing.
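The widget's fixed thresholds and the per-core rule of thumb above can disagree, so it helps to read both. The following is an added example, not code from the Sophos documentation or product: it classifies constructed /proc/loadavg-style samples against the page's thresholds and against the core count. Using the 5-minute figure and mapping unparseable input to Unknown are assumptions.

```python
# Added example. Sample lines are constructed, not captured from XG Firewall.
SAMPLES = [
    ("0.42 0.61 0.55 1/213 4021", 2),   # (loadavg line, CPU cores)
    ("3.10 2.80 2.40 4/260 5120", 8),
    ("3.10 2.80 2.40 4/260 5120", 2),
    ("6.75 5.90 5.20 9/301 6093", 4),
    ("garbage", 4),
]

def parse_loadavg(line):
    """Return (1min, 5min, 15min) floats from a /proc/loadavg-style line, or None."""
    fields = line.split()
    if len(fields) < 3:
        return None
    try:
        return tuple(float(f) for f in fields[:3])
    except ValueError:
        return None

def widget_status(load):
    """Map a load value to the statuses listed for the Performance widget."""
    if load is None:
        return "Unknown"        # assumption: the page does not say when Unknown is shown
    if load < 2:
        return "Normal"
    if load <= 5:
        return "Warning"
    return "Alert"

def saturated(load, cores):
    """Per-core rule from the text: more runnable work than cores to run it."""
    return load is not None and load > cores

def assess(line, cores):
    """Return (widget status, saturated?) using the 5-minute average (assumption)."""
    parsed = parse_loadavg(line)
    five_min = parsed[1] if parsed else None
    return widget_status(five_min), saturated(five_min, cores)

if __name__ == "__main__":
    for line, cores in SAMPLES:
        status, busy = assess(line, cores)
        print(f"{line!r:32} cores={cores} status={status:8} saturated={busy}")
```

The same load of 2.80 is a Warning on both constructed hosts, but only the 2-core host is actually short of CPU.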

Services widget

  • Normal - All the services are running.
  • Warning - One or more services have been explicitly stopped by the administrator. You can restart services from System services > Services.
  • Alert - One or more services are not running. You can restart services from Services.
  • Unknown

Click the icon to see the services that are stopped or dead.

Interfaces widget

  • Normal - All the WAN links are up.
  • Warning - 50% or less of the WAN links are down.
  • Alert - 50% or more of the WAN links are down.
  • Unknown

Click the icon to see details of the WAN links.

VPN connections widget

  • Normal - All the VPN tunnels are UP.
  • Warning - 50% or less of the VPN tunnels are DOWN.
  • Alert - 50% or more of the VPN tunnels are DOWN.
  • Unknown

Click the icon to see details of the VPN tunnels.

CPU widget

CPU graphs allow the administrator to monitor CPU usage by users and system components. Maximum and average CPU usage are also displayed when you click the widget.

X-axis – Hours/weeks/months/year (depending on the selected option)

Y-axis – Percentage of use

Click the widget to view details.

Memory widget

Memory graphs allow you to monitor the memory usage in percentage. The graphs display the memory used, free memory, and total memory available. In addition, the graphs show the maximum and average memory usage.

X-axis – selected

Y-axis – Percentage of use

Click the widget to view details.

Bandwidth widget

The graph displays the total data transfer through the WAN zone. In addition, it shows the maximum and average data transfer.

X-axis – Hours/days/months/year (depending on the option selected)

Y-axis – Total data transfer in Kbits/second

Click the widget to view details.

Sessions widget

The graph displays current sessions of XG Firewall. It also displays the maximum and average live connections.

Click the widget to view details.

High availability (HA) details

Displays the configured HA mode as follows:

  • A-A - XG Firewall is configured in active-active mode.
  • A-P (M) - XG Firewall is configured in active-passive mode and is acting as the primary device.
  • A-P (S) - XG Firewall is configured in active-passive mode and is acting as the auxiliary device.

Traffic insight panel

This section provides statistics on the network traffic processed by your XG Firewall in the last 24 hours. The at-a-glance information helps you find out who is consuming the most bandwidth, spot unusual traffic patterns, and identify the most-visited websites and applications.

The statistics are displayed as bar graphs:

  • Web activity - The graph shows user data transfer over the last 24 hours, which helps you understand the web surfing trend. It also displays the maximum and average amount of data transferred, in bytes, over the last 24 hours, which helps you spot unusual traffic patterns, if any. For example, a peak at a certain point in time means that the maximum amount of data was transferred during that period.
  • Allowed app categories - The graph displays the amount of data transferred, in bytes, for the top five application categories. This gives an administrator an at-a-glance view of the most-used applications in the last 24 hours, which in turn helps you identify which applications consume the most bandwidth. Clicking the bar of an application category in the graph redirects you to the filtered application report of that category.
  • Network attacks - The graph lists the top five hosts that were denied access to the network due to health reasons. Clicking the bar of an attack category in the graph redirects you to the filtered report of that category.
  • Allowed web categories - The graph displays the amount of data transferred, in bytes, for the top five web categories. This gives an administrator an at-a-glance view of the most-visited websites in the last 24 hours, which in turn helps you identify which websites consume the most bandwidth. Clicking the bar of a web category in the graph redirects you to the filtered report of that category.
  • Blocked app categories - The graph displays the top five denied application categories along with the number of hits per category. This shows an administrator which applications have the highest number of failed access attempts. Clicking the bar of an application category in the graph redirects you to the filtered application report of that category.

User & device insights panel

Security Heartbeat widget

The Security Heartbeat widget provides the health status of all endpoint devices. An endpoint device is an internet-capable computer hardware device connected to Sophos XG Firewall via Sophos Central. The endpoint sends a heartbeat signal at regular intervals and also informs Sophos XG Firewall about potential threats.

If Security Heartbeat is not configured, a Configure button appears on the control center.

The health status of an endpoint can be red, yellow, or green:
  • Red labeled “At risk” - Active malware detected.
  • Yellow labeled “Warning” - Inactive malware detected.
  • Green (no label) - No malware detected.
  • Red labeled “Missing” - Endpoints not sending health status information but causing network traffic.

Once Security Heartbeat is configured, each endpoint is classified into one of the four statuses. The Security Heartbeat widget shows the total number of endpoints for each status.

Select the widget to see all the endpoints, their user, hostname, IP address, and elapsed time since the status change. You can select to display all or just certain endpoints based on their health status.

The detailed view doesn't show endpoint details if all connected endpoints are in green status.

Sandstorm widget

Sophos Sandstorm is a cloud-based service that provides enhanced protection against malware. You can configure the firewall to send suspicious downloads to Sandstorm for analysis. Sandstorm detonates files to check for ransomware and other advanced threats. Because the analysis takes place in the cloud, your system is never exposed to potential threats.

Sandstorm requires a subscription. Click the link to start your free 30-day evaluation.

When Sandstorm is enabled, users will be prevented from downloading files that match the firewall criteria until the analysis is complete.

The Sandstorm widget displays analysis results for web traffic and email. Click the widget to view Sandstorm activity details.

ATP widget

The ATP (advanced threat protection) widget provides a snapshot of advanced threats detected in your network. ATP can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the respective traffic.

Once configured, the widget shows one of two statuses:

  • Normal - No threats detected.
  • Alert - Displays the number of sources blocked. Click it to see details such as the hostname/IP of the source, the threat, and the count.

UTQ widget

The widget displays the user threat quotient (UTQ) status of an organization aggregated for the last seven days. This helps you to get quick visibility of risky users, if any, who are posing security threats to the organization’s network.

Possible UTQ statuses:

  • There are no users with risky web surfing behavior or using infected hosts that are part of a botnet.
  • There are 13 users who account for 80% of the overall risk posed to the organization’s network. Note that the number 13 here is just an example. Click this icon to see the UTQ reports for the last seven days.

RED widget

The widget displays the number of RED tunnels established and total number of RED tunnels configured in the form of 4/8. Click the widget to view a list of RED tunnels.

Wireless APs widget

The widget displays the number of active access points (AP) and the total number of access points configured, in the form 2/3. Pending access points, if any, are displayed separately in brackets, in red. Click the widget to be redirected to the Access points page.

Connected remote users widget

The widget displays the total number of users connected remotely through SSL VPN. Click the widget to be redirected to the Remote users page.

Live users widget

The widget displays the total number of live users. Click the widget to be redirected to the Live users page.

Active firewall rules panel

The active firewall rules panel displays information that the administrator can use to visualize and quantify (in terms of data volume) the firewall rules configured on the device. Using this information, the administrator can fine-tune the deployed firewall rules to troubleshoot or enhance network performance. All active firewall rules are visible irrespective of the rights of the logged-on administrator profile.

Firewall rule types

The widget displays the number of firewall rules which are being used to process the network traffic, based on the following rule types:

  • Business - Displays the number of active business application firewall rules
  • User - Displays the number of active user application firewall rules
  • Network - Displays the number of active network firewall rules

Total - Displays the total number of active firewall rules.

The chart displays the volume of data (in bytes) processed by each active firewall rule type in the last 24 hours. Hover over the chart area to see the volume of data processed by a rule type. Each rule type is identified by the following legend:

  • Business - Represented by the green area on the chart
  • User - Represented by the red area on the chart
  • Network - Represented by the blue area on the chart

Use the information in the chart area to determine the network saturation status and identify the specific firewall rule type causing it.

Firewall rule status

The number of firewall rules in each current status is also displayed within the same widget. This is mainly for administrative housekeeping and is also useful where multiple administrators are working on the same device. The current statuses are based on the following categories or filters:

  • Unused - Displays the number of firewall rules which do not process any traffic. You may want to revise unused firewall rules or delete them completely.
  • Disabled - Displays the number of firewall rules which are configured but disabled.
  • Changed - Displays the number of firewall rules which have been recently updated.
  • New - Displays the number of newly created firewall rules.

Clicking any of the firewall rule types or firewall rule statuses redirects you to the Firewall page displaying the relevant firewall rules.

Reports panel

Not applicable to - CR10iNG, CR10wiNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR15iNG-LE, CR15iNG-4P, CR15wiNG-4P, XG85 and XG85w models.

Depending on the modules subscribed, at most five critical reports from the table below are displayed:

Report name | Number/data displayed | Subscription module
High risk applications | <number of> risky apps seen yesterday | Web Protection
Objectionable websites | <number of> objectionable websites seen yesterday | Web Protection
Web users | <data transfer> (in bytes) used by top 10 users yesterday | Web Protection
Intrusion attacks | <number of> intrusion attacks yesterday | Network Protection
Web server protection | <number of> web server attacks yesterday | Web Server Protection
Email usage | <data transfer> (in bytes) used | Email Protection
Email protection | <number of> spam mails yesterday | Email Protection
Traffic dashboard | - | Either Web Protection or Network Protection
Security dashboard | - | Either Web Protection or Network Protection

Prevalent malware panel

Applicable to CR15iNG, CR15wiNG, CR15i and CR15wi models only

Displays the top five malware identified by XG Firewall, along with the number of occurrences of each.

Messages panel

The panel displays information which allows you to monitor and track the system events of the device. Each message displays the date and time that the event occurred.

Displays the following alerts:
  1. The default password for the “admin” user has not been changed. We highly recommend you to change the password. – This alert is displayed when the default password for the super administrator has not been changed.
  2. The default web admin console password has not been changed.
  3. HTTPS, SSH based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.
  4. HTTP, Telnet-based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.
  5. Your XG Firewall is not registered.
  6. The modules expired.

Symbolic representations are used for easier identification of messages. Separate icons indicate:

  • Alert messages
  • Warnings
  • Firmware download notifications

Connections and interfaces

The image of XG Firewall will be displayed in this panel on the right side. For a virtual device, a stack of XG Firewall devices will be displayed.

Interfaces table

This table displays information about interfaces, including their name, type, status, and received and transmitted Kbits/s.

Displays the following details:
  1. Interface - The name of the interface configured in the system. Example: Port A, Guest AP. Physical, LAG, and bridge interfaces are displayed.
  2. Type - The zone along with the type of interface configured. Example: LAN-Physical, WAN-VLAN.
  3. Status - The status and the interface speed of the configured interface. Status can be connected, unplugged, disconnected, connecting, enabled, or disabled (for RED interface only).
  4. Received Kbits/s - The bits received through the interface.
  5. Transmitted Kbits/s - The bits transmitted through the interface.

Gateway table

This table displays information about gateways, which allows you to monitor active and backup gateways. It shows their name, interface, type, IPv4/IPv6, activate on failure of, weight, and status.

Displays the following details:
  1. Gateway name - The name of the gateway.
  2. Interface - The name and IP address of the interface.
  3. Type - The type of the gateway in terms of load balancing. Available options are active and backup.
  4. IPv4/IPv6 - The type of IP addressing the gateway uses. Available options are IPv4 and IPv6.
  5. Activate on failure of - The action for the gateway failure situation, that is, whether a backup gateway will be activated or not.
  6. Weight - How much traffic will pass through a particular link in relation to the other link(s).
  7. Status - The status of the gateway. Status can be active or inactive.