Avanet

Enable and Operate Sophos Firewall Central Reporting

With Central Firewall Reporting, the Sophos Firewall sends selected log data to Sophos Central. This allows reports to be centrally evaluated, stored, and shared with others if needed.

This article explains how to enable Central Reporting, what points should be checked beforehand, and how to verify if log data is arriving in Sophos Central.

Which Logging Article Fits?

Central Firewall Reporting is a component of the log architecture. Depending on the goal, a different entry point may be more suitable:

This distinction is important: Central Reporting is good for reports, search, and history in Sophos Central. For live troubleshooting on the firewall, support log packages, SIEM correlation, or flow analysis, other tools are needed.

When Central Firewall Reporting is Helpful

Central Firewall Reporting is particularly useful when multiple firewalls are operated or when reports need to be regularly evaluated.

Typical examples:

  • Central overview of multiple firewalls.
  • Regular reports for management or operations.
  • Analysis of web, application, IPS, VPN, or network events.
  • Longer retention and easier search in log data.
  • Support in troubleshooting and security reviews.

For pure live analysis directly on the firewall, local logs are often sufficient. For long-term evaluations, Central Reporting is significantly more convenient. If logs are to go to your own SIEM or an external log server, Send Sophos Firewall Syslog to SIEM is more suitable.

Prerequisites

Before activation, you should check:

  • The firewall is registered in Sophos Central.
  • The firewall has internet access to the required Sophos services.
  • DNS and time are functioning correctly.
  • The used license supports the desired reporting function.
  • The firewall is visible in Sophos Central.

If the firewall is not yet registered in Sophos Central, this must be done first. Without registration, Central Firewall Reporting cannot be activated.

Activate Central Reporting

Central Firewall Reporting is activated in two places: first on the firewall and then in Sophos Central.

  1. Log in to the WebAdmin of the Sophos Firewall.
  2. Open System > Sophos Central.
  3. Under Sophos Central registration, check if the firewall is registered.
  4. If the firewall is not yet registered, select Register and log in with the appropriate Sophos Central account.
  5. Activate Sophos Central services or select Configure if the service is already active.
  6. Activate Send reports and logs to Sophos Central.
  7. Optionally activate Manage from Sophos Central if the firewall should also be centrally managed.
  8. Optionally activate Send configuration backups to Sophos Central if configuration backups should be centrally stored.
  9. Select Apply.

Figure: Sophos Firewall - System > Sophos Central > Sophos Central services (Send reports and logs to Sophos Central)

After saving, the service must be confirmed in Sophos Central:

  1. Log in to Sophos Central.
  2. Open My Products > Firewall Management > Firewalls.
  3. Find the firewall with the status or symbol Approval pending.
  4. Select Accept services.

After activation, the firewall automatically creates a syslog entry for Central reporting and starts sending log data to Sophos Central. Transfer and processing are not necessarily immediate. The firewall sends data to Sophos Central at least every five minutes. Sophos Central may then need additional time for processing; Sophos typically states five to thirty minutes for database processing. During the first check, avoid repeatedly changing the configuration right after saving.

What Data is Transferred

Which log types are sent to Sophos Central is defined directly on the firewall.

The menu path is Configure > System services > Log settings.

Under Log settings, there is a separate column Central reporting. There, you can decide per log type whether this log is sent locally, to Central, or to both destinations.

Typical areas include:

  • Firewall rules.
  • Web Protection.
  • Application Control.
  • IPS.
  • Active Threat Response.
  • Zero-Day Protection.
  • SD-WAN.
  • VPN.
  • Wireless, if access point and SSID events should be visible centrally.
  • System events.

Figure: Sophos Firewall - System services > Log settings > Central reporting column

Not every environment needs to send all data to Sophos Central. In production environments, you should check which log types are really needed and whether internal data protection requirements are met.

⚠️ The more log types are sent to Sophos Central, the faster the available storage is consumed. For production environments, you should deliberately decide which logs are really needed for operations, security, and compliance.

The difference between logs and reports is also important: The selection under Central reporting controls which event logs are sent to Sophos Central. This selection does not automatically replace local on-box reports and is not the same as a complete support log package.

How Long Sophos Stores the Logs

The retention period depends on the license and available storage. Important: The limit that is reached first always applies. When the storage is full, older data is removed according to the FIFO principle.

  • Central Firewall Reporting without additional reporting license: Up to 7 days. Available with an active firewall subscription. Storage is model-dependent and limited.
  • Xstream Protection Bundle: Up to 30 days. This corresponds to a limited Central Firewall Reporting Advanced entitlement.
  • Sophos Central Firewall Reporting Advanced: Up to 365 days. Each CFR Advanced licence increases the available storage by 100 GB. Firewalls with very high log volume may need more than one 100 GB unit to realistically reach the maximum retention.

The Sophos Central Firewall Reporting Advanced license can be obtained from Avanet: Sophos Central Firewall Reporting Advanced. The data sheet describes Central Firewall Reporting additionally as cloud-based reporting with search, reports, and up to 365 days retention: Sophos Central Firewall Reporting Data Sheet.

For all variants, storage and maximum retention work together. As soon as one limit is reached, older data is removed according to first-in-first-out. A licence with long maximum retention therefore does not automatically guarantee that every firewall actually keeps data for that long.
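
The interaction of storage and maximum retention described above, as an added planning example (not Sophos or Avanet code). The daily volumes are constructed, and `base_gb` stands in for the model-dependent base storage, which this article does not quantify; the example assumes licensed 100 GB units add to that base.

```python
from typing import Optional, Sequence

CFR_UNIT_GB = 100  # storage added per CFR Advanced licence, as stated in the article


def retained_days(daily_gb: Sequence[float], storage_gb: float, max_days: int) -> int:
    """Count how many of the most recent days survive both limits.

    daily_gb lists the log volume per day, oldest first. Walking back from the
    newest day mirrors FIFO: the oldest data is dropped first as soon as either
    the storage cap or the licence's maximum retention is reached.
    """
    used, kept = 0.0, 0
    for volume in reversed(daily_gb):
        if kept >= max_days or used + volume > storage_gb:
            break
        used += volume
        kept += 1
    return kept


def units_for_target(daily_gb: Sequence[float], target_days: int, max_days: int = 365,
                     base_gb: float = 0.0, limit: int = 50) -> Optional[int]:
    """Smallest number of 100 GB units that keeps target_days of data, else None."""
    if target_days > max_days or target_days > len(daily_gb):
        return None  # the licence cap or the available history rules the target out
    for units in range(limit + 1):
        storage = base_gb + units * CFR_UNIT_GB  # assumption: units add to the base
        if retained_days(daily_gb, storage, max_days) >= target_days:
            return units
    return None


# Constructed volume profile: 1.5 GB on weekdays, 0.5 GB on weekend days, one year.
WEEK = [1.5] * 5 + [0.5] * 2
YEAR = (WEEK * 53)[:365]

if __name__ == "__main__":
    print("days kept with 100 GB, 365-day licence:", retained_days(YEAR, 100, 365))
    print("days kept with 100 GB, 30-day licence: ", retained_days(YEAR, 100, 30))
    print("units needed for 90 days: ", units_for_target(YEAR, 90))
    print("units needed for 365 days:", units_for_target(YEAR, 365))
```

Replace `YEAR` with daily volumes measured on your own firewall to see which limit is reached first.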

Plan Retention and Responsibility

Central Reporting should not only be activated technically. It should be clear in advance which log types are really needed, how long the data must be available, and who regularly checks reports.

For operations, these points should be documented:

  • Purpose of data collection: Troubleshooting, security review, audit, management report, or support.
  • Required log types, for example, firewall, web, IPS, VPN, or Active Threat Response.
  • Desired retention period and appropriate license.
  • Owner for report templates, planned reports, and escalations.
  • Data protection or compliance requirements for user, URL, and network data.
  • Decision on whether syslog or SIEM is additionally needed.

If logs are relevant for incident response or audits, you should not wait until a disruption to check if the data is complete. A short monthly control report is often enough to see if the expected log types are arriving and if the storage consumption matches the planned retention.

Check Log Arrival

After activation, the data does not always appear immediately in Sophos Central. Plan for a delay of a few minutes.

Then check these points:

  1. Log in to Sophos Central.
  2. Open My Products > Firewall Management > Report Hub.
  3. Select the affected firewall.
  4. Check visibility of current events.
  5. Create a simple report as a test.

Figure: Sophos Central - Firewall Management > Report Hub

If no data is visible, you should first check connection, license, and log settings.

Validate Reporting Specifically

A report with data does not yet prove that Central Reporting is fully usable for operations. After activation, at least a small validation plan should be worked through.

  • Are firewall rule logs arriving? Test: Trigger a logged test rule and search for source, destination, and Rule ID in the Report Hub. Expected: The event is visible with the correct firewall, time, and action.
  • Are web or application events being transferred? Test: Perform a known web or application control test. Expected: Category, user, or client IP appear in the appropriate report.
  • Are VPN events visible? Test: Establish and disconnect a test connection. Expected: Login, connection, and disconnection are visible in the chosen timeframe.
  • Does the time basis fit? Test: Compare firewall time, Sophos Central timeframe, and local timezone. Expected: Events do not appear in an unexpected timeframe.
  • Is the retention sufficient? Test: Check older data in the Report Hub and observe storage consumption. Expected: Retention matches the license and internal purpose.
  • Check log settings: Under System services > Log settings, verify that firewall rules generate Log firewall traffic and that SSL/TLS inspection rules have Log connections enabled when needed.

For multiple firewalls, you should also check if hostname, serial number, model, or location are clearly identifiable. Otherwise, a later security or support case becomes unnecessarily tedious because events are present but cannot be quickly assigned to the correct appliance.

Use Reports

Sophos Central can display, filter, and, depending on the license, also schedule reports.

Useful reports for operations:

  • Top blocked applications.
  • Web categories with high traffic.
  • VPN connections.
  • IPS events.
  • NDR and Active Threat Response events.
  • Top rules by hit count.
  • User or host-related evaluations.

If you want not only to evaluate web categories but also to be actively notified of critical accesses, Use Sophos Firewall Web Categories and Instant Alerts is suitable.

For recurring operational checks, you can schedule reports or save them as templates. If NDR Essentials or NDR Active Threat Intelligence is used, the process from Operate Sophos Firewall NDR and Active Threat Response should be linked with Central Reporting or SIEM evaluation.

Troubleshooting

No Data in Sophos Central

Check if the firewall is online and can communicate with Sophos Central. Additionally, DNS, default gateway, and time should be checked. Then, on the firewall under System > Sophos Central, check if Send reports and logs to Sophos Central is still active and if a service confirmation is pending in Sophos Central.

If the firewall is managed via Sophos Central but does not deliver reports, management access and reporting should still be checked separately. A functioning Central login to the firewall does not automatically prove that all selected log types also arrive in the Report Hub.

Only Individual Log Types Missing

Check the local log settings of the firewall. If an area is not logged locally, it cannot be meaningfully transferred to Central Reporting.

Particularly often, it is not the Central connection that is missing, but the actual event:

  • Firewall rules do not have Log firewall traffic activated.
  • Under System services > Log settings, the column Central reporting is not active for the log type.
  • The chosen report considers a different timeframe or a different firewall.
  • User or web reports remain empty because the firewall does not see user identity.
  • NDR or Active Threat Response events are missing because the function is globally active but not fully integrated into rules or logging.

Reports Show Old Data

Central Reporting does not work in real time. Check the selected timeframe in the report and wait a few minutes before changing the configuration again. A delay is normal for new events because the firewall sends data periodically and Sophos Central processes it afterwards.

If data consistently appears delayed or incomplete, you should not repeatedly reset the same settings. A defined test with time, source, destination, log type, and expected firewall is better. Then Log Viewer, Central Report Hub, and, if necessary, syslog or local logs can be cleanly compared.
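
The defined test described above, together with the validation plan from Validate Reporting Specifically, as an added example (not Sophos or Avanet code). It compares planned test events with records noted from the Report Hub; the record field names, the two-minute clock tolerance, and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Firewall send interval (5 min) plus the upper end of Central processing (30 min).
MAX_EXPECTED_DELAY = timedelta(minutes=5 + 30)
CLOCK_TOLERANCE = timedelta(minutes=2)    # assumption: acceptable clock skew
TZ_STEP = 15 * 60                         # timezone offsets are multiples of 15 min

def classify(test, records, now):
    """Verdict for one defined test: ok, pending, missing, wrong_firewall, time_shifted."""
    absent = "pending" if now - test["time"] <= MAX_EXPECTED_DELAY else "missing"
    key = ("log_type", "src_ip", "dst_ip")
    flow = [r for r in records if all(r[k] == test[k] for k in key)]
    if not flow:
        return absent
    here = [r for r in flow if r["firewall"] == test["firewall"]]
    if not here:
        return "wrong_firewall"   # event exists but is attributed to another appliance
    offset = min(abs(r["time"] - test["time"]) for r in here)
    if offset <= CLOCK_TOLERANCE:
        return "ok"
    secs = offset.total_seconds()
    off_step = min(secs % TZ_STEP, TZ_STEP - secs % TZ_STEP)
    if secs <= 14 * 3600 and off_step <= CLOCK_TOLERANCE.total_seconds():
        return "time_shifted"     # same event, displayed in an unexpected timeframe
    return absent                 # only unrelated events share this flow

def run_plan(tests, records, now):
    return {t["name"]: classify(t, records, now) for t in tests}

# Constructed sample data; the field names are hypothetical, not a Sophos export schema.
CEST = timezone(timedelta(hours=2))
T0 = datetime(2024, 5, 6, 10, 0, tzinfo=CEST)
def rec(fw, log_type, src, dst, when):
    return {"firewall": fw, "log_type": log_type, "src_ip": src, "dst_ip": dst, "time": when}

TESTS = [
    dict(rec("fw-hq", "Firewall", "10.1.0.20", "192.0.2.10", T0), name="rule-log"),
    dict(rec("fw-hq", "VPN", "198.51.100.7", "10.1.0.1", T0), name="vpn-login"),
    dict(rec("fw-branch", "Web", "10.2.0.30", "203.0.113.5", T0), name="web-block"),
    dict(rec("fw-hq", "IPS", "10.1.0.21", "192.0.2.11", T0), name="ips-sig"),
    dict(rec("fw-hq", "Firewall", "10.1.0.22", "192.0.2.12", T0 + timedelta(minutes=50)), name="late-rule"),
]
RECORDS = [
    rec("fw-hq", "Firewall", "10.1.0.20", "192.0.2.10", T0 + timedelta(seconds=40)),
    # local wall-clock time stored as UTC: the event appears two hours late
    rec("fw-hq", "VPN", "198.51.100.7", "10.1.0.1", T0.replace(tzinfo=timezone.utc)),
    rec("fw-hq", "Web", "10.2.0.30", "203.0.113.5", T0 + timedelta(seconds=5)),
]
NOW = T0 + timedelta(hours=1)

if __name__ == "__main__":
    for name, verdict in run_plan(TESTS, RECORDS, NOW).items():
        print(f"{name:10} {verdict}")
```

A `pending` verdict means the event is still inside the send and processing window, so the configuration should not be changed yet; `missing` is the point at which the checks under Only Individual Log Types Missing apply.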

Too Much or Too Little Data

Adjust the log selection and filters in Sophos Central. For audits or support cases, it may be useful to collect more data. For normal operations, targeted reports are often sufficient.

Too much data is not only a storage problem. Evaluation also becomes more difficult if no one regularly checks the reports. Too little data is critical if precisely the firewall, VPN, web, or IPS events are missing during an incident. Therefore, the log selection should not be configured once in passing but should match the planned use cases.

Check Central Reporting After Changes

After certain changes, Central Reporting should be deliberately checked:

  • Firmware update or rollback.
  • HA failover or appliance replacement.
  • Change to Sophos Central registration or services.
  • New firewall rules, web policies, IPS policies, or VPN profiles.
  • Change of license, bundle, or reporting advanced entitlement.
  • Reimage, restore, or migration to a new model.

For central changes via Sophos Central, the Sophos Central Firewall Management Task Queue is also suitable. There you can see if Central has successfully applied a change to the firewall. For local configuration changes, you should also include the Audit Trail Logs, and for rule problems, the Log Viewer with Policy Test and Packet Capture.

Secure Logs for Support Cases

Central Reporting does not replace every local log analysis. If Sophos Support or Avanet requires a complete local log collection, you can additionally export the firewall logs.

For support cases, you should therefore clearly separate:

  • Show history, reports, affected users, or top events: Central Reporting
  • Check individual connection live: Log Viewer, Policy Test, and Packet Capture
  • Check service errors, debug logs, or module status: Local log files and service logs
  • Provide a complete package for Sophos Support or Avanet: Local log export or Consolidated troubleshooting report

In practice, Central Reporting is often the best starting point because you can narrow down time windows, firewall, user, source IP, and affected rule faster. For the actual root cause analysis, however, local logs are often additionally needed, especially for VPN, WAF, IPS, HA, system, or service problems. The process is described in Secure Sophos Firewall Logs for Support and Analysis. For module and service assignment, Sophos Firewall Troubleshooting: Services and Logs is also helpful.

Operational Recommendation

Central Firewall Reporting is particularly useful for multiple firewalls or regularly needed reports. For troubleshooting, it is helpful to use local logs and Central Reporting together: Central for overview and history, local logs for detailed analysis directly on the firewall.

In production environments, Central Reporting should be treated like an operational process:

  • Select log types according to purpose, do not just activate everything.
  • Assign a report owner who really checks planned reports and noticeable trends.
  • Regularly check storage consumption and the oldest available data.
  • Conduct a short reporting test after firmware updates, HA failover, restore, or license change.
  • Define at least one incident test: find affected source IP, Rule ID, VPN user, or web category in the Report Hub.
  • Decide for security operations which events remain in Central and which additionally go to a SIEM.

For small environments, a monthly review of firewall, web, VPN, and IPS reports is often sufficient. For multiple locations, MSP operations, or compliance requirements, a fixed review appointment should exist. That review checks whether expected log types are still arriving, whether storage and license match the desired retention, and whether reports can quickly answer the right questions in an emergency.

If logs are relevant for security operations, incident response, or compliance, it should also be decided whether Syslog to a SIEM is needed. Central Reporting is very useful for Sophos Central evaluations but does not automatically replace a cross-vendor log archive or a SOC process.

FAQ

Does Central Firewall Reporting replace the Log Viewer?

No. Central Reporting is intended for central reports, search, and history in Sophos Central. The Log Viewer remains important for live troubleshooting, Rule ID, policy decisions, and quick packet flow analysis.

Why is no Central Reporting data visible?

Often it is not the Central registration that is missing, but the reporting activation, the service confirmation in Sophos Central, the appropriate log selection under System services > Log settings, or logging in the affected firewall rule.

How long does Sophos Central store firewall logs?

Retention depends on the license and available storage. Depending on the entitlement, short retrospectives, up to 30 days, or with Central Firewall Reporting Advanced up to 365 days are possible. If the storage is full beforehand, older data is removed.

Do you still need syslog despite Central Reporting?

Not necessarily for simple Sophos Central reports. If logs are needed long-term in your own SIEM, SOC, audit archive, or cross-vendor detection process, syslog is still useful.

Which log types should be sent to Central Reporting?

It depends on the purpose. For operations and security, firewall, web, application control, IPS, VPN, system events, and Active Threat Response are often relevant. It is crucial that the selected log types are later also checked and used.