Firewalls
You can view and configure any Sophos Firewall that can connect to Sophos Central.
Introduction
When you add a firewall to Sophos Central, you can monitor it in Sophos Central and manage it from the firewall's web admin console. See Sophos Firewall Management from Sophos Central.
You can manage firewalls individually or as a group. Firewalls that you manage individually are placed in a group called Ungrouped. To manage firewalls, go to Firewall Management > Firewalls.
You can add as many firewalls as you wish in Sophos Central. Sophos Central is cloud based and scales to your needs. For example, if your firewalls produce a large number of logs you can store and report on this data if you've enough licensed capacity. Sophos Central stores firewall log data on a first in first out basis. This means that when your data storage is full we remove your older data first. See Report Hub.
For help with firewalls see:
Firewall information
The information displayed for each firewall includes the following.
Name
Shows your lists of ungrouped and grouped firewalls. To see your firewalls, click the arrow next to the list name.
Note
Ungrouped firewalls are in a list named Ungrouped.
Click the high availability (HA) icon next to your firewall name to see the following details about your HA cluster:
- Firewall role in the HA cluster. This can be Primary or Auxiliary.
- Firewall node number. Example: "Node1".
- Firewall node information. Example: "Initial primary. Holds license for customer."
- Last status change. This is the last time the firewall node changed roles. Example: "Friday, April 14, 2023, 11:42 AM".
  Note
  The time corresponds to the local time on your browser. This may differ slightly from the time on your firewall.
- Firewall node name: The name you gave to the firewall node.
- High availability mode: The type of HA cluster the firewalls belong to. Example: "High Availability in Active-Passive mode".
Here's an example of HA details for a firewall.
Note
You can also click the HA icon next to the firewall name to see the HA details when you create a new firewall group, under Available Firewalls and Assigned Firewalls.
Alerts
Alerts in the last 24 hours.
Icon | Description |
---|---|
(CPU usage icon) | CPU usage alert: to see a graph of CPU usage in the last two hours, click the icon. |
(Management and reporting icon) | Management and reporting alert: for more information, click the icon. |
Sync & Management
Status | Description |
---|---|
Synchronized | The firewall is online and sending regular heartbeats. The firewall’s configuration matches the group policy. |
Connected | If the firewall is ungrouped, this status means the firewall is online and sending regular heartbeats. If the firewall is in a group and this status persists for more than about a minute, the firewall is online and sending regular heartbeats but hasn't started synchronizing with the group policy. Either the synchronization tasks haven't been created, or they have been created but the firewall isn't pulling them. In this case, look in the tasks queue to find out which transactions are pending. |
Error needs attention | The firewall's configuration doesn't match the group policy. The admin needs to look in the tasks queue to find out which policy can't be applied. |
Synchronizing | The firewall has just been added to the group. Sophos Central is applying the group policy to the firewall. |
Last seen x hours ago (for Sophos Firewall 18.0 or later) or Disconnected | The firewall is offline. |
Approval Pending | The firewall has been registered with Sophos Central by a local admin from the firewall’s web admin console. It's waiting for approval by a Sophos Central admin. When approved, the firewall is ready for group and individual device management. |
Management Disabled | The firewall is registered with Sophos Central. However, Sophos Central management hasn't been turned on from the firewall’s web admin console. |
If you click a status, more information is displayed:
Additional information | Description |
---|---|
Missing since x hours | The firewall sends a heartbeat message every minute. If five heartbeat messages are missed, Sophos Central considers the firewall to be offline. |
Failed to apply a policy x days ago | A policy couldn't be applied to the firewall. The tasks queue may have more details about the reason for the failure. |
Firewall is suspended. | The firewall has been offline or out of sync with the group policy for more than 30 days. This means that Sophos Central can't discover its current status. To resolve this issue, remove the firewall from the group and re-add it. |
Central Reporting is Disabled | You can turn on firewall reporting from the firewall’s web admin console. |
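The two status tables above describe how Sophos Central derives a firewall's management state from its heartbeats and its sync state (one heartbeat per minute, five missed heartbeats means offline, more than 30 days offline or out of sync means suspended). The following is an added example, not Sophos code: a small Python model that applies those stated thresholds to a constructed set of firewall snapshots so you can see which status and detail text each combination produces. The `FirewallState` fields, the `NOW` timestamp and the sample fleet are all assumptions made for the example; whether a suspended firewall shows "Disconnected" or "Error needs attention" as its top-level status is also an assumption, since the page lists suspension only under the additional information.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Thresholds as stated on this page: one heartbeat per minute, five missed
# heartbeats means offline, and more than 30 days offline or out of sync
# with the group policy means the firewall is suspended.
HEARTBEAT_INTERVAL = timedelta(minutes=1)
MISSED_FOR_OFFLINE = 5
SUSPEND_AFTER = timedelta(days=30)

# Constructed reference time for the sample fleet below (hypothetical).
NOW = datetime(2023, 4, 14, 11, 42, tzinfo=timezone.utc)


@dataclass
class FirewallState:
    """Hypothetical snapshot of what Sophos Central knows about one firewall."""
    name: str
    grouped: bool                          # assigned to a group, so a group policy applies
    last_heartbeat: datetime
    config_matches_policy: bool = True     # only meaningful when grouped
    out_of_sync_since: Optional[datetime] = None


def missed_heartbeats(fw: FirewallState, now: datetime) -> int:
    """Whole heartbeat intervals elapsed since the last heartbeat was received."""
    return max(0, (now - fw.last_heartbeat) // HEARTBEAT_INTERVAL)


def management_status(fw: FirewallState, now: datetime) -> Tuple[str, str]:
    """Return (status, detail) following the Sync & Management tables above."""
    missing_for = now - fw.last_heartbeat

    # Offline: five or more heartbeats missed. Suspended once offline > 30 days.
    if missed_heartbeats(fw, now) >= MISSED_FOR_OFFLINE:
        if missing_for > SUSPEND_AFTER:
            return ("Disconnected",
                    "Firewall is suspended. Remove it from the group and re-add it.")
        hours = int(missing_for.total_seconds() // 3600)
        return ("Disconnected", f"Missing since {hours} hours")

    # Online and ungrouped: no group policy to compare against.
    if not fw.grouped:
        return ("Connected", "Online and sending regular heartbeats")

    # Online and grouped: compare configuration with the group policy.
    if fw.config_matches_policy:
        return ("Synchronized", "Configuration matches the group policy")

    since = fw.out_of_sync_since or now
    if now - since > SUSPEND_AFTER:
        return ("Error needs attention",
                "Firewall is suspended. Remove it from the group and re-add it.")
    days = (now - since).days
    return ("Error needs attention",
            f"Failed to apply a policy {days} days ago. Check the tasks queue.")


def sample_fleet() -> List[FirewallState]:
    """Constructed fleet covering each branch of the status logic."""
    return [
        FirewallState("branch-01", grouped=False, last_heartbeat=NOW - timedelta(minutes=2)),
        FirewallState("branch-02", grouped=False, last_heartbeat=NOW - timedelta(hours=3)),
        FirewallState("hq-01", grouped=True, last_heartbeat=NOW - timedelta(seconds=30)),
        FirewallState("hq-02", grouped=True, last_heartbeat=NOW - timedelta(minutes=1),
                      config_matches_policy=False,
                      out_of_sync_since=NOW - timedelta(days=2)),
        FirewallState("hq-03", grouped=True, last_heartbeat=NOW - timedelta(days=31)),
    ]


def fleet_report(firewalls: List[FirewallState], now: datetime) -> Dict[str, Tuple[str, str]]:
    """Status and detail text per firewall name."""
    return {fw.name: management_status(fw, now) for fw in firewalls}


if __name__ == "__main__":
    for name, (status, detail) in fleet_report(sample_fleet(), NOW).items():
        print(f"{name:<10} {status:<22} {detail}")
```

Running the block prints one line per sample firewall; a monitoring job could use `fleet_report` in the same way to raise a ticket as soon as a grouped firewall drifts into "Error needs attention" rather than waiting until the 30-day suspension makes re-adding it necessary.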
Synchronized Security
Icon | Description |
---|---|
(Apps icon) | The number of apps discovered by the firewall. |
(Reporting off icon) | Reporting is turned off. |
(Reporting on icon) | Reporting is turned on. |
Version
The firewall OS version.
Click a firewall to open the firewall’s web admin console. This lets you configure the firewall.
You must be an Admin or Super Admin in Sophos Central to open the web admin console. This gives you the same permissions as the firewall's local "admin" account. It also lets you change the password for an "admin" account, which is necessary when you deploy firewalls via Zero Touch.
Add a new firewall
To add a new firewall, do as follows:
- Click Add Firewall and select the option to add a new firewall.
- Register your serial number.
  You're guided through registration and deployment.
Add an existing firewall
To add a firewall that is already deployed, do as follows:
- Log in to your firewall.
- On the Central Synchronization page, turn on Manage from Sophos Central.
- In Sophos Central, on the Firewalls page, expand the Ungrouped group, find the firewall, and click Accept services.
Create group
If your firewalls are on firmware version 18.0 or later, you can add them to a group and configure them all simultaneously using a group policy.
You must be an Admin or Super Admin in Sophos Central to create a group.
- Click Create New Group.
- Select an initial configuration option for your group. Select Use Sophos default to create a new configuration or select Import existing configuration to import the configuration from an existing firewall.
  You can customize your configuration later.
- Enter a name for the group.
- Assign firewalls to the group.
  You don't have to assign firewalls when you create a group. You can create an empty group, edit its policy, and then assign firewalls to it. The group policy is applied to firewalls whenever you assign them to the group. From then on, the firewall configuration is in sync with the group policy.
- Click Save.
Edit group policy
You can edit the policy that will apply to all firewalls in a group.
You must be an Admin or Super Admin in Sophos Central to access your firewalls through Sophos Central.
To edit the policy, do as follows:
- Click the ellipsis button (…) on the right-hand side of the group for which you want to edit the policy.
- Select Manage Policy.
  This takes you to your firewall web admin console, to Rules and Policies.
- You can now edit your policies.
  If a policy refers to firewall zones or interfaces, you may need to create dynamic zones or interfaces.
- To return to Sophos Central, you can click Dashboard or Back to Overview (on the left-hand menu).
  In Sophos Central, go to Firewall Management > Tasks Queue. You can see whether the policy has been applied to the firewalls.
Warning
When you add firewall or NAT rules, the Top and Bottom settings apply only to the ordering of rules within Sophos Central, not rules that may have been created locally on the firewall. All rules pushed from Sophos Central are inserted at the top of the rules list on the firewall. To avoid unexpected firewall behavior, when a firewall is managed from Sophos Central, we recommend that all rules are created and pushed from Sophos Central.
Create subgroup
You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup.
For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.
To create a subgroup, do as follows:
- Click the ellipsis button (…) on the right-hand side of the group in which you want to create a subgroup.
- Select Add a Subgroup.
- Enter a name for the subgroup.
- Assign firewalls to the subgroup.
  You don't have to assign firewalls when you create a subgroup. You can create an empty subgroup, edit its policy, and then assign firewalls to it. The subgroup policy is applied to firewalls whenever you assign them to the subgroup. From then on, the firewall configuration is in sync with the subgroup policy.
- Click Save.
Inheritance of objects and settings by subgroup policies
Objects are pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts.
A subgroup policy can't change objects you create for a parent group. For example, you create a custom FQDN Host object for the Acme Corporation policy. The Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in the Boston, London, and Hyderabad policies. However, a subgroup policy can use the parent object as a template to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.
If you try to remove an object from a parent group policy, it's automatically removed from subgroup policies if it is not used by any of them. However, if it's used, removal is prevented, and you're informed of the subgroup and rule where the object is used.
Settings are pages in the group policy editor that typically have an Apply button. You can't delete a setting, only configure it and turn it on or off. Examples of settings are Advanced Threat settings.
You can only configure settings in the topmost parent group policy. You can't configure settings in any of the subgroup policies. When you apply a setting to the top parent group policy, it's applied automatically to all the subgroup policies.
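The inheritance rules in this section (parent objects are read-only in subgroups, a subgroup's own objects stay private to it and its subgroups, removal of a parent object is blocked while any subgroup rule uses it, and settings are configurable only in the topmost group) are easy to get wrong when planning a group hierarchy. The following is an added example, not Sophos code: a Python model of a group policy tree that enforces exactly those rules and reports which subgroup and rule block a removal. The `GroupPolicy` class, its method names and the Acme/Boston/London sample objects are assumptions made for the example; the model goes slightly beyond the page in that it also rejects rules that reference objects the subgroup cannot see.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


class PolicyError(Exception):
    """Raised when an edit would break the inheritance rules described above."""


@dataclass
class GroupPolicy:
    """Hypothetical model of one group (or subgroup) policy in the editor."""
    name: str
    parent: Optional[GroupPolicy] = None
    objects: Dict[str, dict] = field(default_factory=dict)     # objects this policy created
    rules: Dict[str, List[str]] = field(default_factory=dict)  # rule name -> objects it references
    settings: Dict[str, bool] = field(default_factory=dict)    # held only by the topmost group
    children: List[GroupPolicy] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def top(self) -> GroupPolicy:
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def descendants(self) -> Iterator[GroupPolicy]:
        for child in self.children:
            yield child
            yield from child.descendants()

    def visible_objects(self) -> Dict[str, Tuple[str, bool]]:
        """Map object name -> (owning policy, read_only).

        Own objects are editable; objects inherited from any ancestor are
        read-only (they appear dimmed in the UI). Sibling subgroups' objects
        are not visible at all.
        """
        visible: Dict[str, Tuple[str, bool]] = {}
        ancestor = self.parent
        while ancestor is not None:
            for obj in ancestor.objects:
                visible.setdefault(obj, (ancestor.name, True))
            ancestor = ancestor.parent
        for obj in self.objects:
            visible[obj] = (self.name, False)
        return visible

    def can_edit_object(self, obj: str) -> bool:
        owner_and_ro = self.visible_objects().get(obj)
        return owner_and_ro is not None and not owner_and_ro[1]

    def add_object(self, obj: str, definition: dict) -> None:
        self.objects[obj] = definition

    def modify_object(self, obj: str, definition: dict) -> None:
        if not self.can_edit_object(obj):
            raise PolicyError(f"{obj!r} is read-only or not visible in {self.name!r}")
        self.objects[obj] = definition

    def add_rule(self, rule: str, references: List[str]) -> None:
        # Assumption beyond the page: a rule may only reference visible objects.
        unknown = [r for r in references if r not in self.visible_objects()]
        if unknown:
            raise PolicyError(f"{self.name!r} cannot see objects {unknown}")
        self.rules[rule] = list(references)

    def blocking_use(self, obj: str) -> Optional[Tuple[str, str]]:
        """Return (subgroup, rule) that still uses obj, or None if removal is allowed."""
        for sub in self.descendants():
            for rule, refs in sub.rules.items():
                if obj in refs:
                    return (sub.name, rule)
        return None

    def remove_object(self, obj: str) -> Optional[str]:
        """Remove an own object; return None on success or the reason it was blocked."""
        if obj not in self.objects:
            return f"{obj!r} is not owned by {self.name!r}"
        blocked = self.blocking_use(obj)
        if blocked is not None:
            sub, rule = blocked
            return f"{obj!r} is used by rule {rule!r} in subgroup {sub!r}"
        del self.objects[obj]
        return None

    def can_configure_settings(self) -> bool:
        return self.parent is None

    def apply_setting(self, key: str, enabled: bool) -> None:
        if not self.can_configure_settings():
            raise PolicyError("Settings can only be configured in the topmost parent group policy")
        self.settings[key] = enabled

    def effective_settings(self) -> Dict[str, bool]:
        """Subgroups inherit whatever the topmost group applied."""
        return dict(self.top().settings)


def build_acme_example() -> Tuple[GroupPolicy, GroupPolicy, GroupPolicy]:
    """Constructed hierarchy matching the Acme Corporation example in the text."""
    acme = GroupPolicy("Acme Corporation")
    boston = GroupPolicy("Boston", parent=acme)
    london = GroupPolicy("London", parent=acme)
    acme.add_object("intranet-host", {"fqdn": "intranet.example.com"})   # constructed
    boston.add_rule("allow-intranet", ["intranet-host"])                 # uses the parent object
    boston.add_object("boston-printers", {"network": "10.0.0.0/24"})     # constructed, private to Boston
    acme.apply_setting("advanced_threat_protection", True)
    return acme, boston, london


if __name__ == "__main__":
    acme, boston, london = build_acme_example()
    print("Boston sees:", boston.visible_objects())
    print("London sees:", london.visible_objects())
    print("Remove intranet-host from Acme:", acme.remove_object("intranet-host"))
    print("Boston effective settings:", boston.effective_settings())
```

The `remove_object` return value reproduces the behaviour the page describes: removal of a parent object succeeds silently when no subgroup uses it and otherwise names the subgroup and rule that still reference it.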
Attach a label
You can add a label to your Sophos Firewall. This helps identify your firewall when we send email notifications for various alerts such as when the gateway is up or down.
To add a label to your firewall do as follows:
- Click the three dots next to your firewall, then click Attach a label.
- A pop-up appears. Enter a name for the firewall label in the dialog box, then click Add.
  The firewall label must be different from the firewall name and serial number.
  The firewall label appears next to the firewall.
- To edit or delete the firewall label, click the three dots next to the firewall and click Edit/Delete label.
Upgrade firmware for firewalls
Note
You can only schedule upgrades for a future date and time if your Sophos Firewall is on version 18.0 MR3 or later.
You can upgrade firmware for Sophos Firewall. If an upgrade is available, you'll see a download button next to all firewalls eligible for it.
To upgrade a firewall, do as follows:
- Click the download button.
- Click Schedule Upgrades.
- If more than one firmware version is available, select the version you want.
- Choose the date and time of the upgrade.
  You can also upgrade the firmware immediately.
- Click Schedule Upgrades.
Firewalls are updated based on the timezone of the firewall. The upgrade starts at the scheduled time on the firewall. When the upgrade is in progress, you'll see a spinning icon next to the firewall.
When the upgrade is complete, the spinning icon disappears.
You can upgrade multiple firewalls at the same time. You can edit or cancel scheduled upgrades.