Enable and Operate Sophos Firewall Central Reporting
With Central Firewall Reporting, the Sophos Firewall sends selected log data to Sophos Central. This allows reports to be centrally evaluated, stored, and shared with others if needed.
This article explains how to enable Central Reporting, what points should be checked beforehand, and how to verify if log data is arriving in Sophos Central.
Which Logging Article Fits?
Central Firewall Reporting is a component of the log architecture. Depending on the goal, a different entry point may be more suitable:
- Evaluate reports and firewall logs in Sophos Central: This article
- Check individual connection, Rule ID, NAT ID, or packet flow live: Test Sophos Firewall Rule with Log Viewer, Policy Tester, and Packet Capture
- Send logs to your own SIEM or log server: Send Sophos Firewall Syslog to SIEM
- Classify local log files, services, and Advanced Shell: Sophos Firewall Troubleshooting: Services and Logs
- Secure logs for Sophos Support or Avanet: Secure Sophos Firewall Logs for Support or Analysis
- Track configuration changes: Check Sophos Firewall Audit Trail Logs
- Evaluate NDR or Active Threat Response hits: Operate Sophos Firewall NDR and Active Threat Response
- Analyse traffic flows instead of log events: Configure sFlow Monitoring on Sophos Firewall
This distinction is important: Central Reporting is good for reports, search, and history in Sophos Central. For live troubleshooting on the firewall, support log packages, SIEM correlation, or flow analysis, other tools are needed.
When Central Firewall Reporting is Helpful
Central Firewall Reporting is particularly useful when multiple firewalls are operated or when reports need to be regularly evaluated.
Typical examples:
- Central overview of multiple firewalls.
- Regular reports for management or operations.
- Analysis of web, application, IPS, VPN, or network events.
- Longer retention and easier search in log data.
- Support in troubleshooting and security reviews.
For pure live analysis directly on the firewall, local logs are often sufficient. For long-term evaluations, Central Reporting is significantly more convenient. If logs are to go to your own SIEM or an external log server, Send Sophos Firewall Syslog to SIEM is more suitable.
Prerequisites
Before activation, you should check:
- The firewall is registered in Sophos Central.
- The firewall has internet access to the required Sophos services.
- DNS and time are functioning correctly.
- The license in use supports the desired reporting function.
- The firewall is visible in Sophos Central.
If the firewall is not yet registered in Sophos Central, this must be done first. Without registration, Central Firewall Reporting cannot be activated.
Activate Central Reporting
Central Firewall Reporting is activated in two places: first on the firewall and then in Sophos Central.
- Log in to the WebAdmin of the Sophos Firewall.
- Open System > Sophos Central.
- Under Sophos Central registration, check if the firewall is registered.
- If the firewall is not yet registered, select Register and log in with the appropriate Sophos Central account.
- Activate Sophos Central services or select Configure if the service is already active.
- Activate Send reports and logs to Sophos Central.
- Optionally activate Manage from Sophos Central if the firewall should also be centrally managed.
- Optionally activate Send configuration backups to Sophos Central if configuration backups should be centrally stored.
- Select Apply.

After saving, the service must be confirmed in Sophos Central:
- Log in to Sophos Central.
- Open My Products > Firewall Management > Firewalls.
- Find the firewall with the status or symbol Approval pending.
- Select Accept services.
After activation, the firewall automatically creates a syslog entry for Central reporting and starts sending log data to Sophos Central. Transfer and processing are not necessarily immediate. The firewall sends data to Sophos Central at least every five minutes. Central may then need additional time for processing; Sophos typically states five to thirty minutes for database processing. For the first check, wait for this interval after saving instead of changing the configuration again right away.
What Data is Transferred
Which log types are sent to Sophos Central is defined directly on the firewall.
The menu path is Configure > System services > Log settings.
Under Log settings, there is a separate column Central reporting. There, you can decide per log type whether this log is sent locally, to Central, or to both destinations.
Typical areas include:
- Firewall rules.
- Web Protection.
- Application Control.
- IPS.
- Active Threat Response.
- Zero-Day Protection.
- SD-WAN.
- VPN.
- Wireless, if access point and SSID events should be visible centrally.
- System events.

Not every environment needs to send all data to Sophos Central. In production environments, you should check which log types are really needed and whether internal data protection requirements are met.
⚠️ The more log types are sent to Sophos Central, the faster the available storage is consumed. For production environments, you should consciously decide which logs are really needed for operations, security, and compliance.
The difference between logs and reports is also important: The selection under Central reporting controls which event logs are sent to Sophos Central. This selection does not automatically replace local on-box reports and is not the same as a complete support log package.
How Long Sophos Stores the Logs
The retention period depends on the license and available storage. Important: The limit that is reached first always applies. When the storage is full, older data is removed according to the FIFO principle.
- Central Firewall Reporting without additional reporting license: Up to 7 days. Available with active firewall subscription. Storage is model-dependent and limited.
- Xstream Protection Bundle: Up to 30 days. This corresponds to a limited Central Firewall Reporting Advanced entitlement.
- Sophos Central Firewall Reporting Advanced: Up to 365 days. Each CFR Advanced licence increases the available storage by 100 GB. Firewalls with very high log volume may need more than one 100 GB unit to realistically reach the maximum retention.
The Sophos Central Firewall Reporting Advanced license can be obtained from Avanet: Sophos Central Firewall Reporting Advanced. The data sheet describes Central Firewall Reporting additionally as cloud-based reporting with search, reports, and up to 365 days retention: Sophos Central Firewall Reporting Data Sheet.
For all variants, storage and maximum retention work together. As soon as one limit is reached, older data is removed according to first-in-first-out. A licence with long maximum retention therefore does not automatically guarantee that every firewall actually keeps data for that long.
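The interaction of the two limits can be replayed with measured daily log volumes. The following is an added example, not Sophos or Avanet code: it simulates FIFO removal and finds how many 100 GB CFR Advanced units are needed for a target retention. It assumes decimal megabytes, counts only the storage added by licenses (the model-dependent base storage is ignored), and uses constructed sample volumes.

```python
from collections import deque
from itertools import cycle, islice

UNIT_MB = 100 * 1000   # 100 GB per CFR Advanced license (article); decimal MB assumed
MAX_DAYS = 365         # maximum retention with CFR Advanced (article)

def project(sample_mb, days):
    """Repeat a measured sample (for example one week) to cover `days` days."""
    return list(islice(cycle(sample_mb), days))

def retained_days(daily_mb, storage_mb, max_days=MAX_DAYS):
    """Replay daily log volumes with FIFO eviction; return days still stored."""
    window = deque()   # one entry per stored day, oldest on the left
    used = 0
    for volume in daily_mb:
        window.append(volume)
        used += volume
        # Whichever limit is hit first (age or storage) evicts the oldest day.
        while window and (len(window) > max_days or used > storage_mb):
            used -= window.popleft()
    return len(window)

def units_for_target(daily_mb, target_days, max_units=50):
    """Smallest number of 100 GB units that keeps `target_days`, else None."""
    if target_days > MAX_DAYS or target_days > len(daily_mb):
        return None    # beyond the license limit or beyond the data supplied
    for units in range(1, max_units + 1):
        if retained_days(daily_mb, units * UNIT_MB) >= target_days:
            return units
    return None

# Constructed sample: 600 MB on weekdays, 200 MB on weekend days.
WEEK_MB = [600] * 5 + [200] * 2
YEAR = project(WEEK_MB, 365)

if __name__ == "__main__":
    print("1 unit keeps", retained_days(YEAR, UNIT_MB), "days")
    print("units for 365 days:", units_for_target(YEAR, 365))
```

Replace `WEEK_MB` with the daily volumes actually observed for the firewall; the result is a planning estimate, not a value reported by Sophos Central.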
Plan Retention and Responsibility
Central Reporting should not only be activated technically. It should be clear in advance which log types are really needed, how long the data must be available, and who regularly checks reports.
For operations, these points should be documented:
- Purpose of data collection: Troubleshooting, security review, audit, management report, or support.
- Required log types, for example, firewall, web, IPS, VPN, or Active Threat Response.
- Desired retention period and appropriate license.
- Owner for report templates, planned reports, and escalations.
- Data protection or compliance requirements for user, URL, and network data.
- Decision on whether syslog or SIEM is additionally needed.
If logs are relevant for incident response or audits, you should not wait until a disruption to check if the data is complete. A short monthly control report is often enough to see if the expected log types are arriving and if the storage consumption matches the planned retention.
Check Log Arrival
After activation, the data does not always appear immediately in Sophos Central. Plan for a delay of a few minutes.
Then check these points:
- Log in to Sophos Central.
- Open My Products > Firewall Management > Report Hub.
- Select the affected firewall.
- Check visibility of current events.
- Create a simple report as a test.

If no data is visible, you should first check connection, license, and log settings.
Validate Reporting Specifically
A report with data does not yet prove that Central Reporting is fully usable for operations. After activation, at least a small validation plan should be worked through.
- Are firewall rule logs arriving? Test: Trigger a logged test rule and search for source, destination, and Rule ID in the Report Hub. Expected result: The event is visible with the correct firewall, time, and action.
- Are web or application events being transferred? Test: Perform a known web or application control test. Expected result: Category, user, or client IP appear in the appropriate report.
- Are VPN events visible? Test: Establish and disconnect a test connection. Expected result: Login, connection, and disconnection are visible in the chosen timeframe.
- Does the time basis fit? Test: Compare firewall time, Sophos Central timeframe, and local timezone. Expected result: Events do not appear in an unexpected timeframe.
- Is the retention sufficient? Test: Check older data in the Report Hub and observe storage consumption. Expected result: Retention matches the license and internal purpose.
- Check log settings: Under System services > Log settings, verify that firewall rules generate Log firewall traffic and that SSL/TLS inspection rules have Log connections enabled when needed.
For multiple firewalls, you should also check if hostname, serial number, model, or location are clearly identifiable. Otherwise, a later security or support case becomes unnecessarily tedious because events are present but cannot be quickly assigned to the correct appliance.
Use Reports
Sophos Central can display, filter, and, depending on the license, also schedule reports.
Useful reports for operations:
- Top blocked applications.
- Web categories with high traffic.
- VPN connections.
- IPS events.
- NDR and Active Threat Response events.
- Top rules by hit count.
- User or host-related evaluations.
If web categories should not only be evaluated but critical accesses should also be actively reported, the article Use Sophos Firewall Web Categories and Instant Alerts is suitable.
For recurring operational checks, you can schedule reports or save them as templates. If NDR Essentials or NDR Active Threat Intelligence is used, the process from Operate Sophos Firewall NDR and Active Threat Response should be linked with Central Reporting or SIEM evaluation.
Troubleshooting
No Data in Sophos Central
Check if the firewall is online and can communicate with Sophos Central. Additionally, DNS, default gateway, and time should be checked. Then, on the firewall under System > Sophos Central, check if Send reports and logs to Sophos Central is still active and if a service confirmation is pending in Sophos Central.
If the firewall is managed via Sophos Central but does not deliver reports, management access and reporting should still be checked separately. A functioning Central login to the firewall does not automatically prove that all selected log types also arrive in the Report Hub.
Only Individual Log Types Missing
Check the local log settings of the firewall. If an area is not logged locally, it cannot be meaningfully transferred to Central Reporting.
Particularly often, it is not the Central connection that is missing, but the actual event:
- Firewall rules do not have Log firewall traffic activated.
- Under System services > Log settings, the column Central reporting is not active for the log type.
- The chosen report considers a different timeframe or a different firewall.
- User or web reports remain empty because the firewall does not see user identity.
- NDR or Active Threat Response events are missing because the function is globally active but not fully integrated into rules or logging.
Reports Show Old Data
Central Reporting does not work in real time. Check the selected timeframe in the report and wait a few minutes before changing the configuration again. A delay is normal for new events because the firewall sends data periodically and Sophos Central processes it afterwards.
If data consistently appears delayed or incomplete, you should not repeatedly reset the same settings. A defined test with time, source, destination, log type, and expected firewall is better. Then Log Viewer, Central Report Hub, and, if necessary, syslog or local logs can be cleanly compared.
Too Much or Too Little Data
Adjust the log selection and filters in Sophos Central. For audits or support cases, it may be useful to collect more data. For normal operations, targeted reports are often sufficient.
Too much data is not only a storage problem. Evaluation also becomes more difficult if no one regularly checks the reports. Too little data is critical if precisely the firewall, VPN, web, or IPS events that are needed are missing during an incident. Therefore, the log selection should not be set once in passing but should match the planned use cases.
Check Central Reporting After Changes
After certain changes, Central Reporting should be consciously checked:
- Firmware update or rollback.
- HA failover or appliance replacement.
- Change to Sophos Central registration or services.
- New firewall rules, web policies, IPS policies, or VPN profiles.
- Change of license, bundle, or reporting advanced entitlement.
- Reimage, restore, or migration to a new model.
For central changes via Sophos Central, the Sophos Central Firewall Management Task Queue is also suitable. There you can see if Central has successfully applied a change to the firewall. For local configuration changes, you should also consult the Audit Trail Logs, and for rule problems, the Log Viewer with Policy Test and Packet Capture.
Secure Logs for Support Cases
Central Reporting does not replace every local log analysis. If Sophos Support or Avanet requires a complete local log collection, you can additionally export the firewall logs.
For support cases, you should therefore clearly separate:
- Show history, reports, affected users, or top events: Central Reporting
- Check individual connection live: Log Viewer, Policy Test, and Packet Capture
- Check service errors, debug logs, or module status: Local log files and service logs
- Provide a complete package for Sophos Support or Avanet: Local log export or Consolidated troubleshooting report
In practice, Central Reporting is often the best starting point because you can narrow down time windows, firewall, user, source IP, and affected rule faster. For the actual root cause analysis, however, local logs are often additionally needed, especially for VPN, WAF, IPS, HA, system, or service problems. The process is described in Secure Sophos Firewall Logs for Support and Analysis. For module and service assignment, Sophos Firewall Troubleshooting: Services and Logs is also helpful.
Operational Recommendation
Central Firewall Reporting is particularly useful for multiple firewalls or regularly needed reports. For troubleshooting, it is helpful to use local logs and Central Reporting together: Central for overview and history, local logs for detailed analysis directly on the firewall.
In production environments, Central Reporting should be treated like an operational process:
- Select log types according to purpose, do not just activate everything.
- Assign a report owner who really checks planned reports and noticeable trends.
- Regularly check storage consumption and the oldest available data.
- Conduct a short reporting test after firmware updates, HA failover, restore, or license change.
- Define at least one incident test: find affected source IP, Rule ID, VPN user, or web category in the Report Hub.
- Decide for security operations which events remain in Central and which additionally go to a SIEM.
For small environments, a monthly check of the firewall, web, VPN, and IPS reports is often sufficient. For multiple locations, MSP operations, or compliance requirements, a fixed review appointment should exist. That review checks whether expected log types are still arriving, whether storage and license match the desired retention, and whether reports can quickly answer the right questions in an emergency.
If logs are relevant for security operations, incident response, or compliance, it should also be decided whether Syslog to a SIEM is needed. Central Reporting is very useful for Sophos Central evaluations but does not automatically replace a cross-vendor log archive or a SOC process.