
Managing Sophos Firewall in Sophos Central

Sophos Firewall
FW8505: Managing Sophos Firewall in Sophos Central

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Managing Sophos Firewall in Sophos Central - 1


Managing Sophos Firewall in Sophos Central
In this chapter you will learn how to manage Sophos Firewalls in Sophos Central, including creating
and managing groups, VPN orchestration, and managing backups and firmware updates.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing Sophos Firewall using the WebAdmin
✓ Using Sophos Central as a cloud management solution

DURATION

10 minutes



Central Firewall Management Overview

Remotely access the web admin of managed Sophos Firewalls

Manage configuration of groups of Sophos Firewalls

No additional license required for basic management

You can enable management of Sophos Firewall in Sophos Central. This allows you to access the
web admin from anywhere without needing to enable access from external networks.

If you have multiple Sophos Firewalls you can also create groups and centrally manage the
configuration.

This powerful functionality will be included with your Sophos Firewall, so no additional Sophos
Central license will be required.



Enabling Central Management on Sophos Firewall

SYSTEM > Sophos Central

To start managing a Sophos Firewall in Sophos Central, the Sophos Firewall needs to be registered
with Sophos Central and the option Manage from Sophos Central must be enabled in Sophos
Central services. This can be found in SYSTEM > Sophos Central.



Accepting Management in Central

Firewall Management > MANAGE > Firewalls

Once you have enabled Central management on Sophos Firewall you need to log in to Sophos
Central and accept the management services in Firewall Management > MANAGE > Firewalls.



Managing a Single Firewall

You can now add a label to the Sophos Firewall to help you identify it and manage your firewall.



Managing a Single Firewall

Real-time access to the WebAdmin of managed Sophos Firewalls

By selecting Manage Firewall you are logged into the web admin of the Sophos Firewall as the
admin user. This provides real-time access to the WebAdmin from anywhere without having to
enable access on the WAN zone. The only way that you can tell it is not the local WebAdmin is the
URL and the option to go back to firewall management in Sophos Central.



Firewall Groups

Firewalls can also be grouped to simplify management. Here you can see a firewall that has not
been added to a group yet in the ‘Ungrouped’ section, and a firewall in the ‘UK Firewalls’ group.



Creating Groups

Sophos Firewalls are not assigned a group by default, so you can either edit an existing group to
add them or create a new group.

When you create a new firewall group in Sophos Central, you can choose to import an existing
configuration from a managed firewall or use the Sophos default configuration for that group.



Central Managed Sophos Firewall

Once a Sophos Firewall has been added to a group and synchronized, a banner message will be
displayed warning you that local changes to configuration may result in a conflict.



Managing Group Policies

To manage the configuration select Manage Policy from the menu for the group. You can create
and configure a group before you start adding the Sophos Firewalls to it.



Managing Group Policies

Local rules on Sophos Firewall are only overwritten when a rule with the same name is created in Sophos Central

Here you can see that the configuration looks the same as in the web admin.

When creating new firewall rules, note that local rules on the Sophos Firewall are only overwritten
when a rule with the same name is created in Sophos Central. Rules created locally on the Sophos
Firewall do not appear here and are not managed or removed.



Dynamic Objects

You can create dynamic objects in Central Firewall Management to make it possible to create
configurations that will work across devices where there is variation in how they are set up. You can
create dynamic objects for zones and interfaces.

In the example here, we are creating a dynamic zone called Development. By default, this maps to
a zone called Development, but this is overridden for lon-gw1.sophos.www, where it will map to a
zone called Dev.
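To make two of the behaviours described above concrete, here is a small Python model, written for this page and not taken from Sophos Central, of how a dynamic zone object resolves to a different local zone per firewall (the Development/Dev override from this slide) and how the rule-merge-by-name behaviour from the Managing Group Policies slide overwrites only the local rule that shares a name with a Central rule and leaves locally created rules untouched. The data classes, the `$ObjectName` reference syntax, the rule fields and the sample rules and hostnames (including nyc-gw1.example) are assumptions for illustration, not Sophos's data model.

```python
from dataclasses import dataclass, field

# Hypothetical model for illustration; not Sophos Central's data model.


@dataclass
class DynamicZone:
    """A dynamic zone object: a default zone name plus per-firewall overrides."""
    name: str
    default: str
    overrides: dict = field(default_factory=dict)  # firewall hostname -> local zone name

    def resolve(self, firewall: str) -> str:
        """Zone name this object maps to on the given firewall."""
        return self.overrides.get(firewall, self.default)


@dataclass
class Rule:
    """A minimal firewall rule; only the fields needed for the demonstration."""
    name: str
    src_zone: str
    dst_zone: str
    action: str


def render_rule(rule: Rule, zones: dict, firewall: str) -> Rule:
    """Replace '$ObjectName' zone references (assumed syntax) with the zone the
    dynamic object resolves to on this firewall; plain zone names pass through."""
    def resolve(zone: str) -> str:
        if zone.startswith("$"):
            return zones[zone[1:]].resolve(firewall)
        return zone
    return Rule(rule.name, resolve(rule.src_zone), resolve(rule.dst_zone), rule.action)


def apply_group_policy(local: list, central: list, zones: dict, firewall: str) -> list:
    """Merge the group's Central rules into a firewall's local rule set.

    A local rule is overwritten only when a Central rule has the same name.
    Local rules with no Central counterpart are kept as they are, and Central
    rules with no local counterpart are appended."""
    rendered = {r.name: render_rule(r, zones, firewall) for r in central}
    merged = [rendered.get(r.name, r) for r in local]
    local_names = {r.name for r in local}
    merged += [r for name, r in rendered.items() if name not in local_names]
    return merged


# Constructed sample data mirroring the slide: the Development dynamic zone
# defaults to "Development" but maps to "Dev" on lon-gw1.sophos.www.
ZONES = {"Development": DynamicZone("Development", "Development",
                                    {"lon-gw1.sophos.www": "Dev"})}

CENTRAL_RULES = [Rule("Dev to LAN", "$Development", "LAN", "accept")]


def local_rules() -> list:
    """Constructed rules that exist only on the firewall itself."""
    return [
        Rule("Dev to LAN", "Dev", "LAN", "drop"),        # same name: Central wins
        Rule("Printer access", "LAN", "DMZ", "accept"),  # local-only: untouched
    ]


def merged_for(firewall: str) -> list:
    """Rule set the firewall ends up with after the group policy is applied."""
    return apply_group_policy(local_rules(), CENTRAL_RULES, ZONES, firewall)


if __name__ == "__main__":
    for fw in ("lon-gw1.sophos.www", "nyc-gw1.example"):
        print(fw)
        for rule in merged_for(fw):
            print("  ", rule)
```

Running the script shows the same Central rule landing as `Dev -> LAN` on lon-gw1.sophos.www and as `Development -> LAN` on the other firewall, while the local-only "Printer access" rule survives on both; the local "Dev to LAN" rule's `drop` action is replaced because its name matches the Central rule.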



Dynamic Objects

Here is an example where the dynamic zone object is being used in a firewall rule in Central
Firewall Management.



Dynamic Objects

By clicking the Usage References, you can see which groups are using the dynamic object, and
where in the policy configuration.



VPN Orchestration

[Diagram: Sophos Central sends configuration to two Sophos Firewalls, which establish a VPN connection between them]

• Firewalls require a license with Central Orchestration
• Firewalls must be v18.5 MR1 or later
• You need at least two firewalls
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups

You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN
connection groups. Before you create your connection groups, you need to know the following:
• You must choose firewalls with a Central Orchestration license and running Sophos Firewall 18.5
MR1 or later.
• To create a connection group, you need to choose at least two firewalls.
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups.


1/7
SD-WAN Connection Groups

Configuring an SD-WAN connection group is done in broadly three steps:


• Select the firewalls
• Define the resources that should be accessible over the VPNs
• Select the local networks that will take part in the VPN orchestration

To get started creating a new connection group, enter a name for the group and select the firewalls
you want to use. You need to select at least two firewalls.



2/7
SD-WAN Connection Groups

Next, you add your resources. You can add multiple resources and you can also edit any resources
that you added earlier.

For each resource you want to add:


• Select the firewall with the resource that you want to share across the group
• Enter the IP address or network range of the resource you want to share
• Choose the service type and ports. Resources can be TCP, UDP, IP, or ICMP



3/7
SD-WAN Connection Groups

You can optionally also select to turn on ‘Automatically create firewall rules’. When you do this,
there are additional options that allow you to limit access to authenticated users and enable and
configure Synchronized Security.



4/7
SD-WAN Connection Groups

For each of the firewalls in the group, you need to select the local networks that will be allowed to
access the shared resources in the groups.

If there are any conflicts they will be highlighted on this page and will need to be resolved before
you can proceed.



5/7
SD-WAN Connection Groups

To resolve issues, you can enable or disable subnets, attach NAT addresses to existing subnets, and
attach custom networks to the firewall.

You can also:


• Choose a WAN link.
• Choose a backup gateway.
• Change the XFRM interface IP addresses.
• Override a gateway address.

For example, you can fix a name conflict by renaming. Or you can fix subnet conflicts by choosing
NAT. Or you can override the gateway address to fix a conflict.
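The prerequisites from the VPN Orchestration slide and the conflict check from the two steps above can be expressed as a small validation routine. The following Python is an added example written for this page, not Sophos Central's implementation: it checks the license, firmware version and group-membership requirements, then detects local networks that overlap between firewalls and shows a subnet conflict being cleared by attaching a NAT address to one side. The `Firewall` data class, the version tuple representation (major, minor, maintenance release, so 18.5 MR1 is `(18, 5, 1)`), the firewall names and the sample networks are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model for illustration; not Sophos Central's implementation.
# Version tuples are an assumption: (major, minor, maintenance release),
# so Sophos Firewall 18.5 MR1 is (18, 5, 1).
MIN_VERSION = (18, 5, 1)


@dataclass
class Firewall:
    name: str
    version: tuple
    central_orchestration: bool          # license includes Central Orchestration
    local_networks: list                 # CIDR strings offered to the group
    nat_overrides: dict = field(default_factory=dict)  # original CIDR -> NAT CIDR


def eligibility_problems(fw: Firewall, already_grouped: frozenset) -> list:
    """Per-firewall prerequisites from the VPN Orchestration slide."""
    problems = []
    if not fw.central_orchestration:
        problems.append(f"{fw.name}: license does not include Central Orchestration")
    if fw.version < MIN_VERSION:
        problems.append(f"{fw.name}: firmware older than 18.5 MR1")
    if fw.name in already_grouped:
        problems.append(f"{fw.name}: already in another SD-WAN connection group")
    return problems


def effective_networks(fw: Firewall) -> list:
    """(original CIDR, network as the group sees it) after NAT overrides."""
    return [(net, ipaddress.ip_network(fw.nat_overrides.get(net, net)))
            for net in fw.local_networks]


def subnet_conflicts(firewalls: list) -> list:
    """Pairs of networks on different firewalls that still overlap after NAT."""
    entries = [(fw.name, orig, net)
               for fw in firewalls for orig, net in effective_networks(fw)]
    conflicts = []
    for i, (fw_a, orig_a, net_a) in enumerate(entries):
        for fw_b, orig_b, net_b in entries[i + 1:]:
            if fw_a != fw_b and net_a.overlaps(net_b):
                conflicts.append((fw_a, orig_a, fw_b, orig_b))
    return conflicts


def validate_connection_group(firewalls: list,
                              already_grouped: frozenset = frozenset()) -> list:
    """All problems that would block creating the group; an empty list means OK."""
    problems = []
    if len(firewalls) < 2:
        problems.append("a connection group needs at least two firewalls")
    for fw in firewalls:
        problems += eligibility_problems(fw, already_grouped)
    for fw_a, net_a, fw_b, net_b in subnet_conflicts(firewalls):
        problems.append(f"subnet conflict: {fw_a} {net_a} overlaps {fw_b} {net_b}")
    return problems


def sample_group(with_nat: bool = False) -> list:
    """Constructed sample: two branch firewalls that both use 192.168.1.0/24 locally."""
    london = Firewall("lon-gw1", (19, 0, 0), True, ["192.168.1.0/24", "10.10.0.0/16"])
    paris = Firewall("par-gw1", (18, 5, 1), True, ["192.168.1.0/24"])
    if with_nat:
        # Resolve the conflict the way the slide describes: attach a NAT
        # address to the overlapping subnet on one side.
        paris.nat_overrides["192.168.1.0/24"] = "10.99.1.0/24"
    return [london, paris]


if __name__ == "__main__":
    print(validate_connection_group(sample_group()))
    print(validate_connection_group(sample_group(with_nat=True)))
```

The first call reports the overlapping 192.168.1.0/24 on both firewalls; the second returns no problems because the Paris side is presented to the group as 10.99.1.0/24. Passing a set of names already assigned to another group reproduces the "can't be used in other connection groups" rule.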



6/7
SD-WAN Connection Groups

Here you can see that the SD-WAN connection group has been created and the firewalls configured.



7/7
SD-WAN Connection Groups

If you log in to one of the firewalls you can see the VPN connection that has been created.



Task Queue

When you make a change to the configuration a new task is created, and you can see which
Sophos Firewalls it is being applied to and track the progress.



Task Queue

By clicking on the status link for a gateway you can see the JSON for the configuration changes that
are being made on the firewall.



Schedule Firmware

Firmware updates can be applied to groups of firewalls. All firewalls in the group that need a
firmware update will be displayed in the list and you can select the ones to be updated. Updates
can either be applied immediately or based on a schedule.



Backups

You can schedule firewalls to save backups to Sophos Central daily, weekly, or monthly. Note that
backups take place at 8am.

You also need to add which firewalls you want the backup schedule to apply to.



Backups

Pinned backup

Sophos Central will store the five most recent backups for each device. If you want to keep one
backup permanently you can pin it. You can only have one pinned backup per device, and if there is
already a pinned backup it will be replaced.

You can also choose to manually start a backup for the selected firewall immediately by clicking
Generate Backup.
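The retention rules on this slide (five most recent backups per device, at most one pinned backup that survives the rolling window, and a new pin replacing the old one) are easy to get wrong when planning restore points, so here is an added Python model of them, written for this page rather than taken from Sophos Central. The `BackupStore` class, the device name and the daily 8am timestamps in the scenario are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model for illustration; not Sophos Central's storage logic.
MAX_RECENT = 5  # Sophos Central keeps the five most recent backups per device


@dataclass(frozen=True)
class Backup:
    device: str
    taken_at: datetime


class BackupStore:
    """Per-device retention: a rolling window of recent backups plus at most one pinned backup."""

    def __init__(self):
        self._recent = {}   # device -> list of Backup, oldest first
        self._pinned = {}   # device -> Backup

    def add(self, backup: Backup) -> None:
        """Store a new backup and drop everything but the newest five."""
        recent = self._recent.setdefault(backup.device, [])
        recent.append(backup)
        recent.sort(key=lambda b: b.taken_at)
        del recent[:-MAX_RECENT]

    def pin(self, device: str, taken_at: datetime) -> Backup:
        """Pin a backup that is still in the recent window; an existing pin is replaced."""
        match = [b for b in self._recent.get(device, []) if b.taken_at == taken_at]
        if not match:
            raise KeyError(f"no retained backup for {device} at {taken_at}")
        self._pinned[device] = match[0]
        return match[0]

    def retained(self, device: str) -> list:
        """Everything still held for the device: the recent window plus the pin."""
        kept = set(self._recent.get(device, []))
        if device in self._pinned:
            kept.add(self._pinned[device])
        return sorted(kept, key=lambda b: b.taken_at)


def retention_demo() -> dict:
    """Constructed scenario: one device on a daily 8am schedule for eight days."""
    store = BackupStore()
    start = datetime(2022, 4, 1, 8, 0)           # assumed first backup, 8am
    days = [start + timedelta(days=d) for d in range(8)]
    for when in days[:3]:
        store.add(Backup("lon-gw1", when))
    store.pin("lon-gw1", days[0])                # keep the very first backup permanently
    for when in days[3:]:
        store.add(Backup("lon-gw1", when))       # the window rolls past days 1 to 3
    after_first_pin = [b.taken_at.day for b in store.retained("lon-gw1")]
    store.pin("lon-gw1", days[5])                # pinning again replaces the old pin
    after_repin = [b.taken_at.day for b in store.retained("lon-gw1")]
    return {"after_first_pin": after_first_pin, "after_repin": after_repin}


if __name__ == "__main__":
    print(retention_demo())
```

After eight daily backups the device holds April 4 to 8 plus the pinned April 1 backup (six in total); re-pinning April 5 discards the April 1 pin, so only the five recent backups remain. The point for restore planning is that a pin is the only way a backup outlives the five-deep window, and there is exactly one of them per device.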



Simulation: Manage Sophos Firewall in Sophos Central

In this simulation you will add a Sophos Firewall to Sophos Central, assign it to a group, and push
configuration changes to the firewall, including using VPN orchestration.

https://training.sophos.com/fw/simulation/CentralManagement/1/start.html



Zero-Touch Deployment

• Create Configuration: use the setup wizard in Sophos Central
• Send Configuration: optionally, email the configuration to another location
• Create USB: copy the configuration to a USB drive
• Boot Sophos with USB: plug the USB drive into the Sophos Firewall and start it up

Zero-touch configuration files can only be created for unregistered hardware serial numbers

Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected into Sophos Central. An administrator can add the new
firewall in Central and step through the initial setup wizard before the Sophos device is installed.
They can then download the configuration or email it to another location, so it can be copied to a
USB stick.

The stick is then plugged into the Sophos Firewall device when it is first fired up, setting its initial
configuration, after which it can be fully managed from Sophos Central. For power users, the config
file can be edited and customized further.

Zero-touch configuration files can only be created for unregistered hardware serial numbers.



Chapter Review

Here are the three main things you learned in this chapter.

All licenses include Central Management for Sophos Firewall, including: real-time remote access to
the web admin, scheduling of firmware updates and backups, and firewall configuration management
using groups.

You can configure VPN orchestrated SD-WAN networks in Sophos Central using SD-WAN
connection groups. This requires Central Orchestration as part of the license.

Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected into Sophos Central. Zero-touch configuration files can only
be created for unregistered hardware serial numbers.
