Avanet

Connect Sophos Firewall with Sophos Central

A Sophos Firewall does not necessarily need to be connected to Sophos Central. A single firewall can be fully managed locally via WebAdmin. However, connecting to Sophos Central is beneficial in many environments as it provides additional management, backup, reporting, and security features.

This article helps in deciding when Sophos Central is useful and when local management suffices.

Quick Answer

If you are operating only a single Sophos Firewall locally and do not wish to use Central features, Sophos Central is not strictly necessary.

If you manage multiple firewalls, want to centrally analyze log data, store configuration backups in the cloud, or use other Sophos products like Sophos Endpoint, Sophos Central offers significant advantages.

The decision should not just be: connect or not connect. More important is which Central features should actually be activated. A firewall can be registered in Sophos Central without every management, reporting, or backup function being actively used.

Advantages of Connecting with Sophos Central

Central Overview

In Sophos Central, you can view registered firewalls centrally in one place. This is particularly helpful when managing multiple locations or appliances of the same organization.

Typical advantages:

  • Status overview of the firewalls
  • Serial numbers and license information
  • Firmware and security status
  • Central reports
  • Quick switching between multiple firewalls

Management via Sophos Central

With Manage from Sophos Central, you can access firewall management through Sophos Central. This is often more secure than publishing the WebAdmin Console directly from the internet.

However, management access does not replace a proper admin strategy. Admin accounts, MFA, roles, Device Access, and ACL rules must still be consciously configured. According to Sophos, Central Firewall Management also requires an active paid subscription other than Base Firewall or an active support contract.

One technical point is often overlooked: Sophos Central can only manage firewalls if the firewall reaches the internet over IPv4. In IPv6-only or very strictly segmented environments, this path must be checked before activation.

If changes via Central do not arrive on the firewall as expected, you should also check the Sophos Central Firewall Management Task Queue. There you can see if group policies or API-based firewall tasks are pending, failed, or skipped.

Limits of Central Firewall Management

Central Firewall Management is an additional management path, but not a full replacement for local firewall administration, local logs, and tested emergency access. Especially with several admins, firewall groups, and HA clusters, admins should know the key limits so normal platform behaviour is not mistaken for a configuration error.

  • Two admins open the same firewall through Sophos Central: Only one Central Manager session per firewall can be active. If a second admin takes over, the first may see a loading or connection error.
  • Read-only or helpdesk role does not see grouped firewalls: For firewalls in Central groups, read permissions can behave differently than expected. Test operational roles with a test account.
  • HA pairs appear unexpectedly twice or on several pages in Central: This can be a display or pagination issue. For decisions, also check the local HA status on the firewall.
  • Firewall rules cannot be moved at group level as they can locally: Not every local WebAdmin action is represented the same way in Central groups. Rule order and effect must be validated locally after group changes.
  • Imported groups or WAF rules behave unexpectedly in Central: After a configuration import, full sync, or WAF rule import, check not only the Central view but also the target firewall and the Task Queue.

For production environments this means: Sophos Central is the coordination point, but the firewall remains the place where critical effects are validated. After group changes, firmware tasks, WAF adjustments, or HA work, additionally check locally whether rules, services, HA status, logs, and affected connections are actually correct.

Configuration Backups in Sophos Central

The firewall can send configuration backups to Sophos Central. This is useful if an appliance needs to be replaced or restored and local backups are not available.

In Sophos Central, you can set up scheduled backups for registered firewalls. The available intervals are Daily, Weekly, and Monthly, so you can define, for example, that selected firewalls send a configuration backup to Sophos Central once a day.

[Screenshot: Sophos Central - Firewall Management > Backup > Schedule Backup (Schedule Backup for registered firewalls)]

Sophos Central doesn’t keep all automatic backups indefinitely. By default, the five most recent backups are retained and older ones are discarded. One backup can also be marked for permanent storage. In HA clusters, Primary and Auxiliary appear in the backup schedule, but according to Sophos only the backup from the Primary device is generated.

For operations, two details matter: Sophos Central retries a backup up to five times and generates an alert plus an email to the Central admin if it permanently fails. If a firewall is removed from Sophos Central Management, Sophos Central deletes the related backup files. Cloud backups are therefore useful, but they don’t replace a dedicated backup and restore strategy.

Nevertheless, you should not rely on a single backup method. For productive systems, regular local or external backups are still advisable. Document the backup password and the Secure Storage Master Key as well, since a restore depends on both.
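To make the retention rules above concrete, here is an added example (not code from Avanet or Sophos) that models what Sophos Central keeps per firewall and tells you which documented backups have aged out of Central and therefore exist only if a local copy was taken. It assumes a permanently stored backup does not occupy one of the five automatic slots, which the article does not state either way; serial numbers and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETAINED_PER_FIREWALL = 5  # Central keeps the five most recent automatic backups


@dataclass(frozen=True)
class CentralBackup:
    serial: str                # firewall serial number (placeholder values below)
    taken_at: datetime
    ha_role: str = "Primary"   # in an HA pair only the Primary generates a backup
    permanent: bool = False    # one backup may be marked for permanent storage


def retained_in_central(backups):
    """Model Central's retention per firewall: the five most recent automatic
    backups plus any backup marked permanent. Assumption: a permanent backup
    does not use one of the five automatic slots."""
    kept = set()
    for serial in {b.serial for b in backups}:
        own = [b for b in backups if b.serial == serial]
        kept.update(b for b in own if b.permanent)
        automatic = sorted((b for b in own if not b.permanent),
                           key=lambda b: b.taken_at, reverse=True)
        kept.update(automatic[:RETAINED_PER_FIREWALL])
    return kept


def needs_local_copy(backups):
    """Backups that Central has already discarded, oldest first. If these are
    still needed, a local or external copy must exist."""
    kept = retained_in_central(backups)
    return sorted((b for b in backups if b not in kept), key=lambda b: b.taken_at)


def expected_backup_sources(schedule_members):
    """Given (serial, ha_role) pairs as shown in the backup schedule, return the
    serials for which Central actually generates a backup (Primary only)."""
    return [serial for serial, role in schedule_members if role == "Primary"]


# Constructed sample: one standalone firewall with eight daily backups; the
# first one was marked permanent.
START = datetime(2024, 1, 1)
SAMPLE = [CentralBackup("FW-EXAMPLE-1", START + timedelta(days=d),
                        permanent=(d == 0)) for d in range(8)]

if __name__ == "__main__":
    for b in needs_local_copy(SAMPLE):
        print(f"{b.serial}: backup from {b.taken_at:%Y-%m-%d} is no longer in Central")
```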

Central Firewall Reporting

With Central Firewall Reporting, the firewall sends log and report data to Sophos Central. This allows reports to be evaluated over longer periods and searched centrally.

In Sophos Central, dashboards, the Report Hub, the Report Generator, saved templates, and scheduled exports are available for this purpose. You can create reports for individual firewalls or multiple firewalls, filter time periods, search for specific events, and export results as PDF, CSV, or HTML. For regular evaluations, reports can also be scheduled and automatically provided.

[Screenshot: Sophos Central - Firewall Management > Report Generator > Bandwidth usage (Firewall Reporting, Bandwidth usage report)]

Typical report templates include:

  • Antivirus
  • Bandwidth usage
  • Cloud app risks and usage
  • Firewall
  • IPS
  • Log viewer and search
  • SD-WAN
  • SD-WAN SLA trend
  • SD-WAN bandwidth usage
  • Security posture assessment
  • Synchronize app
  • Threat geo activity
  • Threats and events blocked
  • VPN usage
  • Web usage
  • Web user risks
  • X-Ops
  • Zero-day protection

The retention period depends on the license:

  • Active Firewall Subscription: up to 7 days (for basic reports and short reviews)
  • Xstream Protection / Central Orchestration: up to 30 days (depending on bundle and permission)
  • Sophos Central Firewall Reporting Advanced: up to 365 days (100 GB additional storage per license)

The exact activation and log selection are described in detail in the article Activate Central Firewall Reporting.

Synchronized Security and Security Heartbeat

When Sophos Endpoint and Sophos Firewall are operated together via Sophos Central, Synchronized Security can be used. In this case, the firewall and endpoint exchange security information.

Examples:

  • The firewall sees the Security Heartbeat of endpoints.
  • Devices with a red heartbeat can be automatically restricted.
  • Network and endpoint views are better connected.
  • In incidents, it is quickly visible which user or device is affected.

This is one of the greatest added values when, in addition to the firewall, Sophos Endpoint, MDR, or XDR is also used.

What Sophos Central Does Not Replace

Sophos Central is helpful but does not replace proper firewall configuration.

Central does not replace:

  • Proper zone and interface planning
  • Restrictive firewall rules
  • Device Access Hardening
  • MFA for admins and portals
  • Local troubleshooting with Log Viewer and Packet Capture
  • Documented backups and recovery tests
  • An external Syslog system if compliance or long retention is required

Sophos Central is thus an additional management and reporting layer, but not a shortcut for a secure basic configuration.

Check Before Registration

Before connecting to Sophos Central, you should briefly clarify what you want to achieve with the registration. This prevents unclear responsibilities, duplicate tenants, or unnecessarily activated services later.

Important preliminary questions:

  • In which Sophos Central tenant should the firewall be registered?
  • Who has the required rights in the tenant for firewall management, reporting, backup, and licensing?
  • Is the firewall already registered in another Central account?
  • Does the firewall have an active paid subscription other than Base Firewall or an active support contract for Central Management?
  • Does the firewall have working IPv4 internet connectivity?
  • Should Central be used only for licence overview and inventory, or also for management, reporting, and backups?
  • Are firewall groups used, and have the roles for admin, helpdesk, and read-only access been tested in practice?
  • May firewall logs be sent to Sophos Central from a data protection or compliance perspective?
  • Is there a current local backup and a documented Secure Storage Master Key?
  • Is it clear who checks alerts, reports, and failed tasks after registration?

If the firewall is already in the wrong account, you should first check Transfer Sophos Firewall to another Sophos Central account. For classifying the different accounts and portals, Sophos Portals: SophosID, Central, Support, and Firewall Access is helpful.

When You Don’t Need to Connect the Firewall

A connection to Sophos Central is not strictly necessary if:

  • Only a single firewall is managed locally
  • No Central reports are needed
  • No Sophos Endpoint integration is planned
  • Cloud management is not desired for organizational reasons
  • Logs are already sent to your own SIEM or a Syslog server

In such cases, you can operate the firewall locally. It is then important to organize backups, firmware updates, monitoring, and logging properly elsewhere.

Sophos Central is particularly recommended if:

  • Multiple firewalls are managed
  • Admins work from different locations
  • Firewalls should not be directly accessible via WebAdmin from the internet
  • Configuration backups should be stored centrally
  • Firewall reporting is needed
  • Sophos Endpoint, MDR, XDR, or other Sophos Central products are in use
  • Security Heartbeat and Synchronized Security should be used

Activate Connection

The connection is set up on the firewall under System > Sophos Central.

There are two typical registration methods:

  • OTP from Sophos Central: Useful when a partner, project team, or firewall admin shouldn’t work with Super Admin credentials for the Central tenant on the firewall. In Sophos Central, the existing firewall is added under My Products > Firewall Management > Firewalls > Add Firewall using the serial number, and an OTP is generated.
  • Sophos Central credentials: Useful when registering directly on the firewall with a suitable Sophos Central admin account. Sophos refers to this as a Central Super Admin.

For HA pairs, work carefully. With OTP registration, both serial numbers are entered in Sophos Central; for new HA pairs, the OTP is used on the Primary device.

Typical procedure on the firewall:

  1. Log in to the firewall.
  2. Open System > Sophos Central.
  3. Select Register.
  4. Select Use OTP or Use email address.
  5. Enter the OTP or Sophos Central credentials.
  6. Complete the registration.
  7. Turn on Sophos Central services.
  8. Select the required services.

Depending on the need, these options can be activated:

  • Use Sophos Central reporting / Send reports and logs to Sophos Central: Sends log and report data to Sophos Central.
  • Use Sophos Central management / Manage from Sophos Central: Allows management access through Sophos Central.
  • Send configuration backup to Sophos Central: Stores configuration backups in Sophos Central. In practice, this option is tied to the Central Management setup and must be approved in Sophos Central.

Only the functions that are actually used should be activated. In environments with data protection or compliance requirements, clarify beforehand which log data may be sent to Sophos Central.

After activating the services, an authorised admin must accept the services in Sophos Central:

  1. Sign in to Sophos Central.
  2. Open My Products > Firewall Management > Firewalls.
  3. Find the firewall with Approval Pending.
  4. Select Accept services.
  5. On the firewall, check whether the status changes from Waiting for approval from Sophos Central to Managed or connected.

The status change can take a few minutes. If the display doesn’t change immediately, don’t register repeatedly. First check Central status, internet connectivity, DNS, and time.

Check After Connection

After registration, you should not only check whether the firewall is visible in Sophos Central. It is crucial whether the activated services really work and whether responsibilities are clear.

Useful post-check:

  1. Check in Sophos Central whether the model, serial number, and license status are displayed correctly.
  2. On the firewall under System > Sophos Central, check whether the desired services are active and connected.
  3. If Manage from Sophos Central is used, consciously test access via Sophos Central once.
  4. If reporting is active, check in the Log Viewer and in Sophos Central whether current events are arriving.
  5. If cloud backups are active, configure the scheduled backup and document the last successful backup time.
  6. Check alerts, roles, and responsibilities in Sophos Central.
  7. If changes are distributed via Central, check the Central Firewall Management Task Queue.

Especially with multiple firewalls, the registration should be documented internally: tenant, serial number, location, active Central service, reporting retention, backup interval, and responsible person.

Accept Central Services Separately

After registration, do not only check the global Central status. The individual services have different failure patterns and therefore need separate acceptance tests.

  • Registration and inventory: Firewall appears in the correct tenant, serial number, model, license, and location are correct.
  • Manage from Sophos Central: Access through Central works with the intended admin role, without WebAdmin unnecessarily remaining open from the WAN.
  • Central Reporting: A deliberately triggered event appears in the Report Hub with the correct firewall, time, rule ID, or log type.
  • Central Backups: A scheduled or manual backup completes successfully, and backup interval, password, and Secure Storage Master Key are documented.
  • Backup retention: The five most recent Central backups and any permanently stored backup are known. For HA, it is clear that the Primary generates the backup.
  • Backup alerting: Failed Central backups generate alerts and email notifications that are reviewed by a responsible person.
  • Central Tasks: After a Central change, the Task Queue is checked until the task has completed successfully or is escalated cleanly.
  • Alerts and responsibility: It is clear who regularly checks failed tasks, backup problems, reporting gaps, and license warnings.

This separation prevents a typical operational mistake: a firewall can be visible in Sophos Central while reporting, backups, or Central tasks are still not working correctly.

Common Mistakes

Firewall is Registered in the Wrong Central Account

This often happens with service provider changes, test accounts, or multiple historical SophosID accounts. In this case, do not simply attempt a second registration. First, clarify where the firewall currently resides, who has access to the tenant, and whether an account transfer is necessary.

Central Management is Confused with Local WebAdmin

Manage from Sophos Central is an additional access path. The local WebAdmin Console, local admin users, MFA, Device Access, and SSH remain independent security controls. It is especially important that WebAdmin does not remain accessible from the WAN just because Central Management has not yet been tested.

Central View is Not Validated Locally

For group policies, HA clusters, WAF rules, and firmware tasks, Central should not be treated as the only source of truth. Central can show that a change is planned, applied, or visible. What matters is whether the affected firewall has processed the change and whether the real traffic or service works afterwards.

In practice: after Central changes, check the Task Queue, local WebAdmin view, Log Viewer, and, if required, the Audit Trail. If the Central interface only keeps loading, an HA pair appears twice, or a group rule cannot be moved, that is not automatically a firewall rule problem.

Reporting is Activated, but No Usable Data Arrives

Then you should first check whether Send reports and logs to Sophos Central is active, whether the appropriate log types are enabled, and whether the firewall can reach Central. Then check the detailed points on log selection, retention, and reports in the article Activate Central Firewall Reporting.

Cloud Backup is Understood as the Only Backup

Central backups are convenient, but they do not replace a complete recovery plan. For critical locations, it should also be clear where local backups are located, who knows the backup password, whether the Secure Storage Master Key is documented, and how a restore or reimage would proceed.

No One Checks Central Tasks and Alerts

Central only helps if messages and failed tasks are also processed. Especially with group policies, firmware tasks, reporting, and backups, it should be clear who checks warnings and how errors are escalated internally.

Frequently Asked Questions

Does a Sophos Firewall need to be connected to Sophos Central?

No. A Sophos Firewall can be managed locally. Sophos Central becomes interesting if central management, reporting, cloud backups, license overview, or Sophos Endpoint integration are to be used.

Is Manage from Sophos Central more secure than WebAdmin over WAN?

In many environments, Central Management is the better option because the local WebAdmin Console does not need to be published directly from the internet. Nevertheless, MFA, roles, Device Access, local admins, and logging remain important.

Does Central Firewall Management replace local checks on the firewall?

No. Central helps with management, group policies, status, backups, and reporting. After critical changes, still check locally whether rules, services, HA status, logs, and affected connections really work.

Are firewall logs automatically stored long-term?

No. Retention depends on activated Central features, license, and reporting configuration. For longer or compliance-relevant retention, you should also consider Syslog or SIEM.

Does Sophos Central replace local firewall backups?

No. Central backups are an additional protection. For productive firewalls, local or external backups, backup password, Secure Storage Master Key, and restore process should still be documented.