Sophos Central Firewall Management – Features with SFOS v18
The first connection between the firewall and Sophos Central was introduced with Synchronized Security. Shortly afterwards, the Sophos Central Firewall Manager followed. However, the feature set of this first version was very limited, which meant the product was only marginally attractive at the beginning. With SFOS v18, the Central Firewall Manager has now been significantly enhanced.
Info: If you would like to learn about all the new features in the upcoming SFOS v18 in detail, you can find my comprehensive post here: Sophos SFOS v18: New Features at a Glance
Central Firewall Management
Personally, I consider Sophos Central Firewall Manager (SCFM) to be a very successful tool. While the current feature set is still fairly limited, Sophos’ underlying vision is impressive. For us, the tool is particularly helpful for maintaining an overview in customer environments with multiple firewalls. On the UTM side, this role is filled by the Sophos UTM Manager (SUM); for SFOS you can additionally use the Sophos Firewall Manager. However, in our view the latter is only suitable to a limited extent. Looking at the evolution of SCFM, it is obvious that the classic Sophos Firewall Manager will be phased out in the medium term.
Let’s take a look at the most important basic features and how to get started with the Central Firewall Manager.
Connecting a firewall
To use firewall management, you need a Sophos Central account. You can create this account free of charge, and the firewall management itself is also free to use. In the firewall backend, you can register with Sophos Central via the “Central synchronization” menu item. The firewall is then linked to Central.

Management
Over time, a list of all the firewalls you have added appears in your Central account. By clicking on a firewall name, you are automatically logged in to that firewall’s backend and can make your configurations as usual. Logging in through Central is noticeably slower than connecting directly to the firewall, but it is much more convenient because no additional login is required. Does the firewall have a dynamic IP address? No problem. Since the firewall establishes the connection to Central, this works reliably.

The features available in Central Firewall Manager depend on the firmware version installed on each firewall. Some features are only unlocked from a specific release onwards.
Firmware updates
In the firewall overview, you can see at a glance which firmware version is installed on each model. With one click on “Upgrade” and then “Upgrade Firmware”, you can roll out the latest available version.


I really cannot emphasise this enough: always click the update button with the utmost care. Prepare an update carefully and find out in advance which changes the new version introduces. We repeatedly see firewall updates being installed too casually. With our firewall maintenance contracts, we take over patch management for your firewalls and help you avoid unpleasant surprises. 😎
Online backup
Using Sophos Central Firewall Manager, you can also create scheduled or manual backups of the firewall configuration. Either way, it is advisable to set up a backup strategy of this kind. Up to now, backups could be downloaded manually from the firewall, stored directly on an FTP server, or sent by email.
Despite these options, problems frequently occur in practice when a backup is actually needed. Among other things, we have encountered the following situations at customers:
- The email address to which the backup was sent had not existed for some time – so the backups never reached the inbox.
- Email protection blocked the messages because they were sent from a dynamic IP address or the SPF record was incorrect.
- A backup existed, but the associated password could no longer be recovered.
- A backup existed, but it was already very outdated.
There are certainly many more reasons why a backup can turn out to be unusable in an emergency. Many of these risks are reduced with online backup in Central. You get a central, encrypted storage location for your backups in Sophos Central. There they are always up to date and are immediately available if needed.

New features in v18
The features described above are already available from version 17.5. In the following sections, we will look at the new capabilities that are added only with SFOS v18.
Reporting
In the past, there was a standalone Sophos product for central reporting called iView. Strictly speaking, the software still exists, but in practice we consider a product that has not been developed further for years to be discontinued. The fact that Sophos has not yet officially declared it end‑of‑life does not change much. 😅 For us, iView has no future – but its idea lives on in Central Reporting.
If you enable reporting on the firewall, log data is sent to Sophos Central. On this basis, meaningful reports can be generated.



Central Reporting for the firewall is currently still in beta. Even so, the current implementation already gives a very good impression of what you can expect from the final version.
Global firewall settings
In environments with many firewalls, management quickly becomes complex. With around ten firewalls, administration can often still be handled manually, but from around fifty systems it becomes a real challenge. With v18, firewalls can be conveniently grouped in Central.

Within the group policies you have access to a familiar firewall interface where you can define and save central settings. These configurations are then rolled out to all firewalls in the respective group.

This feature is also still in beta and our testing has shown that quite clearly. It is still some distance away from being fully mature, and a number of details have yet to be resolved. In principle, however, we are convinced that the global firewall settings will, in future, provide major support when managing extensive firewall landscapes.
