Central Orchestration was first mentioned when the new licensing model for SFOS was introduced. At that time (April 21) it was not yet ready, but it is now available with SFOS 18.5 MR1. A license for Central Orchestration is already included in the Xstream Protection Bundle, but you can also buy the license separately.
In general, however, Central Orchestration is of little use with only one firewall. In the next section, I explain why.
One of two new features in Central Orchestration is SD-WAN. Setting up a site-to-site VPN connection is not difficult and in most cases can be done in under 10 minutes. It gets exhausting when you have to connect four or more firewalls together. Central Orchestration creates the necessary connections and firewall rules for you in a few seconds with just a few clicks.
Requirements on all firewalls
The following requirements must be met on all firewalls if you want to use the SD-WAN feature:
- SFOS v18.5 MR1 or higher
- Central Management activated
- Central Orchestration License
Central Firewall Reporting Advanced
The new Central Orchestration license also includes all the features of the Central Firewall Reporting Advanced license. The only difference is that the data is stored in Sophos Central for 30 days rather than 365 days. If you do need 365 days, you must order the Central Firewall Reporting Advanced license separately.
By storing the firewall logs in Central, you can generate online reports across one or more firewalls at the same time. With the XDR/MTR connector, data from the firewall is also stored in the data lake and, with a valid XDR license, can be queried in the Threat Analysis Center using Live Discover. For customers with an active Managed Threat Response Advanced license, this data is also available to the MTR team, further increasing visibility across the network.
What Sophos Central Firewall features are coming next?
Two additional features will be added to Central Orchestration in the coming months:
- Support for multiple WAN connections: This provides a redundant VPN connection across two WAN connections.
- Enhanced support for NAT’d firewalls: If the firewall is behind another NAT device, the SD-WAN setup does not currently work. However, this should also be possible soon.
The Central Firewall Manager also receives further improvements:
- Pinning firewall rules
- Improvements in backups and alerts
- Management APIs
- Support for AWS regions
- Usability improvements