Firewall groups in Sophos Central offer you the option to make the same changes to multiple Sophos XG (home) firewalls with just one action.
In my last post I explained how to sign up for Sophos Central and how to add all your (home) firewalls to start managing them from one central place.
This post continues on explaining the concept of firewall groups in Sophos Central and how to use those to easily manage all your XG (home) firewalls simultaneously.
If you still have to install your own XG firewall at home, than don’t forget to read my article Installing Sophos XG Firewall Home Edition.
Create a firewall group in Sophos Central
First you need to login to Sophos Central and go to the firewall management section. Next go to Manage -> Firewalls. Then click on the button ‘Create New Group’.
In the next screen give your group a name. In my example I created the name ‘All firewalls’. The reason for this general name is that you can nest groups inside groups, which I will explain later in this article.
If you like you can also immediately select one or more firewalls to be member of this group, however this is not necessary.
Under ‘Select initial configuration for your group’ you can select either Sophos default or you can import a configuration from an existing firewall. There are at this time however some configuration options that may prevent a successful import. Starting with Sophos default will do no harm. Click Save when everything is ready.
Configure firewall group policy
Now when the group is ready you can start to configure it to your needs. To do so click the circle with the three dots inside behind your newly created group and select ‘Manage Policy’.
You will then see a webpage that looks like the webadmin interface of an XG firewall. It’s not exactly the same and not all options will be present, but everything you configure here will be applied to all group members.
In the left part of the screen from the menu you’ll find all configurable options. The option you select will be visible in the right part of the screen.
If you’re looking for a basic configuration, then you might read back in my article Configure XG-firewall for Home use. The option Email is not available for configuring from within the group. The same is true for the option to disable logging of invalid traffic. Since not all firewalls you manage use the same internet connection you may also not want to configure the WAN bandwidth.
In addition you could go to Administration -> Device Access and deselect all checkmarks under SNMP. It’s not likely you will use SNMP in a home network.
Also deselect HTTPS from the WAN zone. You will definitely not want to open the firewall management port to the internet, especially now that you manage your firewall from Sophos Central.
Other services that may not be in use in a home network are AD SSO, Radius SSO and Chromebook SSO. If you don’t use it, then deselect those options too.
All changes that you apply will immediately apply to all firewalls inside your group. Sophos Central will also tell you this in the top of your screen.
In this message you can click on Task Queue to see the progress on every firewall in your group. But you can also visit the task queue from the left menu on your screen.
Nesting of firewall groups in Sophos Central
Because not all firewalls are equal, you may need to further divide your group into one or more subgroups.
At the highest level you configure settings that should apply to every firewall. In your subgroup(s) you can configure different settings that only apply to some firewalls. Say that some firewalls you manage for other family members should block online chat sites and others should not. In this scenario you can create a subgroup and enable a custom web policy that blocks Online Chat sites.
If you like this article you may also like my other articles about Sophos.
3 thoughts on “Firewall groups in Sophos Central”
hello i have a question about synology & sg-firewall from sophons.
i want to send notifications but both gmail and my personal smtp are not working. (cant resolve host)
where can i tell shophos to give free outgoing smtp request traffic? any ideas?
found your interesting posts in sophos forum and it looks you are very knowledge. if you can tell me more about yourself i also work for a IT agency and we could need help with sophos from time to time.
kind regards michael
(german speaking by the way)
Hi Michael, sorry for late reply.
I don’t think I have a ready answer for you on this one. I have my XG firewall send all mails by itself without any smarthost and in my situation this seems to work.
In the past I also tried with smarthost and was having a hard time configuring it. Maybe visit the Sophos community forum and ask your question there. I have found many times good support from there.