Firewall groups in Sophos Central offer you the option to make the same changes to multiple Sophos XG (home) firewalls with just one action.
In my last post I explained how to sign up for Sophos Central and how to add all your (home) firewalls to start managing them from one central place.
This post continues by explaining the concept of firewall groups in Sophos Central and how to use them to easily manage all your XG (home) firewalls simultaneously.
If you still have to install your own XG firewall at home, then don’t forget to read my article Installing Sophos XG Firewall Home Edition.
Create a firewall group in Sophos Central
First you need to log in to Sophos Central and go to the firewall management section. Next go to Manage -> Firewalls. Then click on the button ‘Create New Group’.
In the next screen give your group a name. In my example I created the name ‘All firewalls’. The reason for this general name is that you can nest groups inside groups, which I will explain later in this article.
If you like, you can also immediately select one or more firewalls to be members of this group; however, this is not necessary.
Under ‘Select initial configuration for your group’ you can select either Sophos default or you can import a configuration from an existing firewall. At this time, however, there are some configuration options that may prevent a successful import. Starting with Sophos default will do no harm. Click Save when everything is ready.
Configure firewall group policy
Now that the group is ready, you can start to configure it to your needs. To do so, click the circle with the three dots inside behind your newly created group and select ‘Manage Policy’.
You will then see a webpage that looks like the webadmin interface of an XG firewall. It’s not exactly the same and not all options will be present, but everything you configure here will be applied to all group members.
The menu on the left side of the screen lists all configurable options. The option you select will be shown on the right side of the screen.
Basic configuration
If you’re looking for a basic configuration, then you may want to read my article Configure XG-firewall for Home use. The option Email is not available for configuring from within the group. The same is true for the option to disable logging of invalid traffic. Since not all firewalls you manage use the same internet connection, you may also not want to configure the WAN bandwidth.
In addition you could go to Administration -> Device Access and deselect all checkmarks under SNMP. It’s not likely you will use SNMP in a home network.
Also deselect HTTPS from the WAN zone. You will definitely not want to open the firewall management port to the internet, especially now that you manage your firewall from Sophos Central.
Other services that may not be in use in a home network are AD SSO, Radius SSO and Chromebook SSO. If you don’t use them, then deselect those options too.
All changes that you make will immediately apply to all firewalls inside your group. Sophos Central will also tell you this at the top of your screen.
In this message you can click on Task Queue to see the progress on every firewall in your group. But you can also visit the task queue from the left menu on your screen.
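The Device Access recommendations above can also be written down as a small baseline check. The following is an added example, not part of the original post and not Sophos code: the zone/service dictionary layout, the firewall names and the sample values are assumptions constructed for illustration, not a Sophos export format.

```python
# Baseline from the post: service -> (zones where it should be off, optional).
# "*" means every zone. optional=True: switch off only if you do not use it.
BASELINE = {
    "HTTPS": ({"WAN"}, False),        # never expose webadmin to the internet
    "SNMP": ({"*"}, True),
    "AD SSO": ({"*"}, True),
    "Radius SSO": ({"*"}, True),
    "Chromebook SSO": ({"*"}, True),
}

def audit(matrix, in_use=frozenset()):
    """Return sorted (zone, service) pairs that are enabled against the baseline.

    matrix: {zone: {service: bool}} (assumed layout).
    in_use: optional services you rely on; HTTPS on WAN cannot be exempted.
    """
    findings = []
    for zone, services in matrix.items():
        for service, enabled in services.items():
            if not enabled or service not in BASELINE:
                continue
            zones, optional = BASELINE[service]
            if optional and service in in_use:
                continue
            if "*" in zones or zone in zones:
                findings.append((zone, service))
    return sorted(findings)

def audit_fleet(fleet, in_use=frozenset()):
    """Audit every firewall and return only the ones with findings."""
    report = {name: audit(matrix, in_use) for name, matrix in fleet.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample: two home firewalls with hypothetical names.
SAMPLE_FLEET = {
    "home-parents": {
        "LAN": {"HTTPS": True, "SSH": True, "SNMP": False, "AD SSO": False},
        "WAN": {"HTTPS": True, "SSH": False, "SNMP": True},
    },
    "home-own": {
        "LAN": {"HTTPS": True, "SSH": True, "Radius SSO": True},
        "WAN": {"HTTPS": False, "SSH": False, "SNMP": False},
    },
}

if __name__ == "__main__":
    for name, found in audit_fleet(SAMPLE_FLEET).items():
        for zone, service in found:
            print(f"{name}: {service} is enabled in zone {zone}")
```

Passing `in_use={"Radius SSO"}` exempts a service you actually rely on, while HTTPS on the WAN zone is always reported.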
Nesting of firewall groups in Sophos Central
Because not all firewalls are equal, you may need to further divide your group into one or more subgroups.
At the highest level you configure settings that should apply to every firewall. In your subgroup(s) you can configure different settings that only apply to some firewalls. Say that some firewalls you manage for other family members should block online chat sites and others should not. In this scenario you can create a subgroup and enable a custom web policy that blocks Online Chat sites.
If you like this article you may also like my other articles about Sophos.
Hello, I have a question about Synology & sg-firewall from Sophos.
I want to send notifications but both Gmail and my personal SMTP are not working. (can't resolve host)
Where can I tell Sophos to give free outgoing SMTP request traffic? Any ideas?
Found your interesting posts in the Sophos forum and it looks like you are very knowledgeable. If you can tell me more about yourself, I also work for an IT agency and we could need help with Sophos from time to time.
Kind regards, Michael
(German speaking by the way)
Hi Michael, sorry for the late reply.
I don’t think I have a ready answer for you on this one. I have my XG firewall send all mails by itself without any smarthost and in my situation this seems to work.
In the past I also tried with a smarthost and was having a hard time configuring it. Maybe visit the Sophos community forum and ask your question there. I have found good support there many times.