Since Sophos Firewall version 19.5 MR3 it has been possible to run the Sophos ZTNA Gateway directly on the Sophos Firewall. The solution is simple and works well, but there is one catch to keep in mind: a traffic limit of 15 GB per user per month.
ZTNA Gateway (Cloud vs. On-premise)
A ZTNA Gateway is required to use Sophos ZTNA. There are two deployment modes: the on-premise gateway and the Sophos Cloud Gateway.
On-premise gateway: The gateway is installed in the company's own data center or on a hypervisor inside the company, which gives a direct, fast data path without a traffic limit. It provides greater control over the infrastructure, but also more management overhead: firewall ports must be opened and NAT rules created to publish the gateway.
Sophos Cloud Gateway: In contrast, the Sophos Cloud Gateway provides a secure, isolated deployment via Sophos Cloud. This mode is offered with 99.999% availability and lets users connect to applications without opening firewall ports or creating NAT rules. The drawback is the traffic limit of 15 GB per user per month, which is reached quickly when network drives are accessed through the gateway.
There is no wrong decision here, because you always have the option to switch to the other method with relatively little effort.
ZTNA Cloud Gateway on Sophos Firewall
The SFOS v19.5 MR3 update integrates the ZTNA Cloud Gateway with the Sophos Firewall. This greatly simplifies the ZTNA rollout, because a separate ZTNA Gateway VM is no longer required: the firewall itself takes on the role of the ZTNA gateway, so no hypervisor host is needed and the gateway is up within minutes. If the firewall runs as an HA cluster, the ZTNA gateway is highly available as well. Both the hardware appliance and the software firewall can act as the ZTNA gateway.
With the cloud gateway, data traffic runs through a Sophos data center, which incurs traffic costs on Sophos's side. A limit of 15 GB per user per month was therefore defined. If multiple users are licensed, the limit is pooled across all licensed users, so a single heavy user can consume the share of others. If you have data-hungry applications, the on-premise gateway is probably the better choice.
This limitation is not a real disadvantage, but you should keep it in mind and plan which applications you want to publish through ZTNA.
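Before choosing a mode, it helps to measure how much traffic the candidate applications actually move per month and compare it with the pooled quota. The following is an added planning example, not code from the page or from Sophos: it sums constructed per-user, per-application monthly byte counts (the record layout is an assumption, not a Sophos log format), computes the pool as 15 GB times the number of licensed users, and greedily keeps the lightest applications on the cloud gateway while the pool lasts, pushing the rest to an on-premise gateway. The 15 GB is taken as decimal gigabytes; Sophos may count differently, so treat the threshold as an assumption and leave headroom.

```python
"""Plan which applications fit the Sophos Cloud Gateway's pooled traffic quota.

Added example for illustration. Record format, application names and byte
counts below are constructed sample data, not Sophos log output.
"""
from collections import defaultdict

GB = 10 ** 9  # assumption: the quota is counted in decimal gigabytes
CLOUD_QUOTA_PER_USER_BYTES = 15 * GB  # 15 GB per licensed user per month, pooled

# Constructed sample: (user, application, bytes moved through ZTNA this month)
SAMPLE_RECORDS = [
    ("alice", "intranet-wiki", 2 * GB),
    ("alice", "fileserver-smb", 40 * GB),   # network drive: data-hungry
    ("bob", "intranet-wiki", 1 * GB),
    ("bob", "fileserver-smb", 25 * GB),
    ("carol", "ticketing", 3 * GB),
    ("carol", "fileserver-smb", 10 * GB),
]


def usage_by_app(records):
    """Sum monthly bytes per application across all users."""
    totals = defaultdict(int)
    for _user, app, nbytes in records:
        totals[app] += nbytes
    return dict(totals)


def usage_by_user(records):
    """Sum monthly bytes per user; shows who eats into the shared pool."""
    totals = defaultdict(int)
    for user, _app, nbytes in records:
        totals[user] += nbytes
    return dict(totals)


def plan_gateways(records, licensed_users, quota_per_user=CLOUD_QUOTA_PER_USER_BYTES):
    """Split applications between cloud and on-premise gateways.

    The pool is quota_per_user * licensed_users (aggregated, not per user).
    Applications are taken smallest-first onto the cloud gateway until the
    next one would overflow the pool; everything else goes on-premise.
    """
    pool = licensed_users * quota_per_user
    cloud, onprem, used = [], [], 0
    for app, nbytes in sorted(usage_by_app(records).items(), key=lambda kv: kv[1]):
        if used + nbytes <= pool:
            cloud.append(app)
            used += nbytes
        else:
            onprem.append(app)
    return {
        "pool_bytes": pool,
        "cloud": cloud,
        "onprem": onprem,
        "cloud_bytes": used,
        "headroom_bytes": pool - used,
    }


if __name__ == "__main__":
    plan = plan_gateways(SAMPLE_RECORDS, licensed_users=3)
    print(f"pool: {plan['pool_bytes'] / GB:.0f} GB, used on cloud: {plan['cloud_bytes'] / GB:.0f} GB")
    print("cloud gateway :", ", ".join(plan["cloud"]))
    print("on-premise    :", ", ".join(plan["onprem"]))
    for user, nbytes in usage_by_user(SAMPLE_RECORDS).items():
        flag = " (above 15 GB share)" if nbytes > CLOUD_QUOTA_PER_USER_BYTES else ""
        print(f"{user:6s} {nbytes / GB:5.0f} GB{flag}")
```

With three licensed users the pool is 45 GB; the wiki and the ticketing system together use 6 GB and stay on the cloud gateway, while the 75 GB of SMB traffic clearly belongs on an on-premise gateway. The per-user listing also shows the pooling effect: alice alone exceeds a 15 GB share, which is fine as long as the aggregate stays inside the pool.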
No additional budget is required to use the ZTNA Gateway on the Sophos Firewall. The ZTNA Gateways are free of charge regardless of the deployment situation and do not require a license. Only the users who use the service must be licensed per user.
For those who want to test the ZTNA gateway on the Sophos Firewall or even the on-premise gateway, here are a few helpful links to get you started: