Enable Central Firewall Reporting on Sophos Firewall
With Central Firewall Reporting, Sophos Firewall sends selected log data to Sophos Central. This allows reports to be analysed centrally, retained and shared with other people when needed.
This guide shows how to enable Central Reporting, what to check beforehand and how to verify that log data is arriving in Sophos Central.
When Central Firewall Reporting is useful
Central Firewall Reporting is especially useful when several firewalls are operated or when reports need to be reviewed regularly.
Typical examples:
- Central overview across several firewalls.
- Regular reports for management or operations.
- Analysis of web, application, IPS, VPN or network events.
- Longer retention and easier searching in log data.
- Support for troubleshooting and security reviews.
For pure live analysis directly on the firewall, the local logs are often sufficient. For longer-term reporting, Central Reporting is significantly more convenient.
Requirements
Before enabling it, check the following:
- The firewall is registered in Sophos Central.
- The firewall has internet access to the required Sophos services.
- DNS and time are working correctly.
- The licence in use supports the required reporting function.
- The firewall is visible in Sophos Central.
If the firewall is not yet registered in Sophos Central, this must be done first. Central Firewall Reporting cannot be enabled without registration.
Enable Central Reporting
Central Firewall Reporting is enabled in two places: first on the firewall and then in Sophos Central.
- Sign in to the Sophos Firewall WebAdmin.
- Open System > Sophos Central.
- Under Sophos Central registration, check whether the firewall is registered.
- If the firewall is not registered yet, click Register and sign in with the correct Sophos Central account.
- Enable Sophos Central services or click Configure if the service is already active.
- Enable Send reports and logs to Sophos Central.
- Optional: Enable Manage from Sophos Central if the firewall should also be managed centrally.
- Optional: Enable Send configuration backups to Sophos Central if configuration backups should be stored centrally.
- Click Apply.
After saving, the service must be accepted in Sophos Central:
- Sign in to Sophos Central.
- Open My Products > Firewall Management > Firewalls.
- Find the firewall with the status or symbol Approval pending.
- Click Accept services.
Sophos also describes this process in the official guide Turn on firewall reporting.
After activation, the firewall automatically creates a syslog entry for Central reporting and starts sending log data to Sophos Central. According to Sophos, the firewall sends the data at least every five minutes. The data is then processed in Sophos Central, which can take a few more minutes.
Which data is transferred
You define which log types are sent to Sophos Central directly on the firewall.
The menu path is Configure > System services > Log settings.
Under Log settings, there is a dedicated Central reporting column. For each log type, you can decide whether the log is sent locally, to Central or to both destinations.
Typical areas are:
- Firewall rules.
- Web Protection.
- Application Control.
- IPS.
- ATP.
- VPN.
- System events.
Not every environment needs to send all data to Sophos Central. In production environments, you should check which log types are really required and whether internal data protection requirements are met.
⚠️ The more log types you send to Sophos Central, the faster the available storage is consumed. For production environments, decide deliberately which logs are really needed for operations, security and compliance.
How long Sophos retains the logs
The retention period depends on the licence and available storage. Important: the limit that is reached first applies. If the storage is full, older data is removed according to the FIFO principle.
| Licence / variant | Retention | Note |
|---|---|---|
| Central Firewall Reporting without an additional reporting licence | Up to 7 days | Available with an active firewall subscription. Storage depends on the model and is limited. |
| Xstream Protection Bundle | Up to 30 days | Sophos describes this as a limited Central Firewall Reporting Advanced entitlement. |
| Sophos Central Firewall Reporting Advanced | Up to 365 days | Each licence provides 100 GB of additional storage. Multiple licences can be stacked as required. |
Sophos documents the details under Firewall reporting storage by firewall model and in the Firewall reporting FAQs.
The Sophos Central Firewall Reporting Advanced licence is available from Avanet: Sophos Central Firewall Reporting Advanced. The data sheet also describes Central Firewall Reporting as cloud-based reporting with search, reports and up to 365 days of retention: Sophos Central Firewall Reporting data sheet.
Check whether logs are arriving
After activation, the data may not appear in Sophos Central immediately. Allow a delay of a few minutes.
Then check:
- Sign in to Sophos Central.
- Open My Products > Firewall Management > Report Hub.
- Select the affected firewall.
- Check whether current events are visible.
- Create a simple test report.
If no data is visible, check connectivity, licensing and log settings first.
Use reports
Sophos Central can display and filter reports and, depending on the licence, also schedule them.
Useful reports for operations:
- Top blocked applications.
- Web categories with high traffic.
- VPN connections.
- IPS events.
- Top rules by hit count.
- User-based or host-based evaluations.
For recurring operational checks, reports can be scheduled or saved as templates.
Troubleshooting
No data in Sophos Central
Check whether the firewall is online and can communicate with Sophos Central. DNS, default gateway and time should also be checked.
Only individual log types are missing
Check the local log settings on the firewall. If an area is not logged locally, it cannot be transferred meaningfully to Central Reporting.
Reports show old data
Central Reporting is not always real time. Check the selected time range in the report and wait a few minutes before changing the configuration again.
Too much or too little data
Adjust the log selection and the filters in Sophos Central. For audits or support cases, it can make sense to collect more data. For normal operations, targeted reports are often enough.
Export logs for support cases
Central Reporting does not replace every local log analysis. If Sophos Support or Avanet needs a complete local log collection, you can additionally export the firewall logs.
See also: Save Sophos Firewall logs for support or analysis
Recommendation
Enable Central Firewall Reporting especially when operating several firewalls or when reports are required regularly. For troubleshooting, it is helpful to use local logs and Central Reporting together: Central for overview and history, local logs for detailed analysis directly on the firewall.