Connect Sophos Firewall to Sophos Central
A Sophos Firewall does not have to be connected to Sophos Central. A single firewall can be managed entirely locally through WebAdmin. However, connecting it to Sophos Central is worthwhile in many environments because it adds management, backup, reporting and security functions.
This article helps you decide when Sophos Central makes sense and when local management is enough.
Short answer
If only a single Sophos Firewall is managed locally and no Central functions are required, Sophos Central is not mandatory.
Sophos Central provides clear benefits if several firewalls are managed, log data needs to be analysed centrally, configuration backups should be stored in the cloud, or other Sophos products such as Sophos Endpoint are used.
Benefits of connecting to Sophos Central
Central overview
In Sophos Central, registered firewalls can be viewed centrally in one place. This is especially useful when several sites or appliances belonging to the same organisation are managed.
Typical benefits:
- status overview of firewalls
- serial numbers and licence information
- firmware and security status
- central reports
- quick switching between several firewalls
Management through Sophos Central
With Manage from Sophos Central, firewall management can be accessed through Sophos Central. This is often safer than publishing the WebAdmin Console directly on the internet.
However, management access does not replace a clean admin strategy. Admin accounts, MFA, roles, Device Access and ACL rules still need to be configured deliberately.
Configuration backups in Sophos Central
The firewall can send configuration backups to Sophos Central. This is useful when an appliance needs to be replaced or restored and local backups are unavailable.
Scheduled backups for registered firewalls can be configured in Sophos Central. The available intervals are Daily, Weekly and Monthly, so selected firewalls can, for example, be set to send a configuration backup to Sophos Central daily, weekly or monthly.

Even so, a single backup method should not be the only protection. For production systems, regular local or external backups are still useful. The backup password and Secure Storage Master Key are also important.
Central Firewall Reporting
With Central Firewall Reporting, the firewall sends log and report data to Sophos Central. Reports can then be analysed over longer periods and searched centrally.
Sophos Central provides dashboards, Report Hub, Report Generator, saved templates and scheduled exports for this purpose. Reports can be created for individual firewalls or multiple firewalls, time ranges can be filtered, specific events can be searched and results can be exported as PDF, CSV or HTML. Reports can also be scheduled and delivered automatically for regular reviews.

Typical report templates are:
- Antivirus
- Bandwidth usage
- Cloud app risks and usage
- Firewall
- IPS
- Log viewer and search
- SD-WAN
- SD-WAN SLA trend
- SD-WAN bandwidth usage
- Security posture assessment
- Synchronize app
- Threat geo activity
- Threats and events blocked
- VPN usage
- Web usage
- Web user risks
- X-Ops
- Zero-day protection
Retention depends on the licence:
| Licence / entitlement | Typical retention | Note |
|---|---|---|
| Active Firewall Subscription | Up to 7 days | For basic reports and short lookbacks |
| Xstream Protection / Central Orchestration | Up to 30 days | Depending on bundle and entitlement |
| Sophos Central Firewall Reporting Advanced | Up to 365 days | 100 GB additional storage per licence |
The exact activation steps and log selection are described in the detailed article Enable Central Firewall Reporting.
Synchronized Security and Security Heartbeat
When Sophos Endpoint and Sophos Firewall are managed together through Sophos Central, Synchronized Security can be used. The firewall and the endpoints then exchange security information.
Examples:
- The firewall sees the Security Heartbeat of endpoints.
- Devices with a red heartbeat can be restricted automatically.
- Network and endpoint visibility are connected more closely.
- During incidents, it becomes clearer which user or device is affected.
This is one of the biggest advantages when Sophos Endpoint, MDR or XDR is used in addition to the firewall.
What Sophos Central does not replace
Sophos Central is useful, but it does not replace clean firewall configuration.
Central does not replace:
- clean zone and interface planning
- restrictive firewall rules
- Device Access hardening
- MFA for admins and portals
- local troubleshooting with Log Viewer and Packet Capture
- documented backups and restore tests
- an external syslog system when compliance or long retention is required
Sophos Central is therefore an additional management and reporting layer, not a shortcut to a secure base configuration.
When the firewall does not need to be connected
A connection to Sophos Central is not mandatory if:
- only a single firewall is managed locally
- no Central reports are required
- no Sophos Endpoint integration is planned
- cloud management is not wanted for organisational reasons
- logs are already sent to a dedicated SIEM or syslog server
In these cases, the firewall can be operated locally. Backups, firmware updates, monitoring and logging must then be organised properly elsewhere.
When Sophos Central is recommended
Sophos Central is especially recommended when:
- several firewalls are managed
- admins work from different locations
- firewalls should not be reachable directly from the internet through WebAdmin
- configuration backups should be stored centrally
- Firewall Reporting is required
- Sophos Endpoint, MDR, XDR or other Sophos Central products are in use
- Security Heartbeat and Synchronized Security should be used
Enable the connection
The connection is configured on the firewall under System > Sophos Central.
Typical process:
- Sign in to the firewall.
- Open System > Sophos Central.
- Register the firewall with the correct Sophos Central account.
- Accept the pending services in Sophos Central.
- Enable the required Sophos Central services on the firewall.
Depending on the requirement, these options can be enabled:
| Option | Meaning |
|---|---|
| Send reports and logs to Sophos Central | sends log and report data to Sophos Central |
| Manage from Sophos Central | allows management access through Sophos Central |
| Send configuration backups to Sophos Central | stores configuration backups in Sophos Central |
Only functions that are actually used should be enabled. In environments with data protection or compliance requirements, it should be clarified beforehand which log data may be sent to Sophos Central.