With this latest Sophos Central Management release we’re excited to announce that we’ve added a set of features to allow admins to manage firewalls in groups, rather than one at a time. This allows admins to create groups of like firewalls running XG v18 or newer, and more efficiently create and edit policies for multiple firewalls at a time.
Configuration (Firewall Rules)
Issue: A WAF rule cannot be created from the group when the hosted server requires an HTTPS certificate.
Workaround: Configure the rule via single-device management.
Issue: Editing FQDN hosts, country groups or services in a firewall rule a second time produces the error message “Duplicate entry not allowed”.
Workaround: Instead of editing these objects from the firewall rule page, edit them on their respective object pages.
Issue: A firewall device shows as connected on the firewall groups page even before the process on the XG side has completed.
Impact: None; only the UI shows the state as “Connected” instead of “Waiting”.
Issue: Cloning a firewall rule does not clone all of the rule's properties.
Configuration (NAT Rules)
Issue: The “Add NAT Rule” button is partially overlapped in the Safari browser UI.
Impact: Admins using other browsers do not see this issue.
Issue: When an admin creates a loopback or reflexive NAT rule, the success message text is wrong: it displays “Couldn’t add NAT rule”.
Impact: None; both rules are created and pushed to the firewall successfully.
Issue: When an admin creates a hotspot in a firewall group, a default firewall rule and NAT rule are created automatically, which can affect firewall rule ordering.
Workaround: Firewall and NAT rule ordering can be corrected once the admin deletes the auto-created rules (created by the hotspot configuration).
Issue: Some parent group settings (for example web proxy and notification lists) are not visible in the child group UI.
Impact: UI only; all settings are pushed successfully to the firewalls in both the parent and the child groups.
Firewall Groups UI
Issue: A “Something went wrong” pop-up appears on the firewall group page when the admin expands all groups.
Impact: None; the pop-up comes and goes, and after a page refresh or tab switch the admin will not see it again.
Issue: A firewall transaction fails for existing host groups and other entities already present on the firewall after the firewall device joins a group.
Workaround: Error reporting in the Task Queue identifies which object caused the failure, so the admin can manually delete the erring object and retry the full sync operation, which will then pass.
Issue: Referenced default FQDN hosts cannot be deleted even after the reference is removed from the FQDN host group.
Workaround: None; this is a pre-existing issue.
Issue: When a firewall local admin creates or edits objects (for example FQDN hosts) and the Central admin wants to push the same hosts under a different name, the push fails with an opcode failure and the local admin has to revert their changes.
Workaround: Through error reporting in the Task Queue, the Central admin can identify which object caused the failure, so the local admin can manually edit that object on the firewall and retry the full sync operation, which will then pass.
Been using this since the EAP and it's a great addition, but I've got a question: is there a way to pull configurations from added firewalls yet, so that it gives you a quick starting point for group policies? The reason I ask is because I've had to skip the group management on a couple of occasions, as I found that unless you create group policies matching what's already on an imported firewall before putting it into a group, the Central group policies have overridden my firewalls' local policies. I know this was in the old CFM I used to use until the new Central integrations for firewalls, but I don't seem to be able to see anything similar in Central's firewall group management anywhere. Could somebody point me to where I might find the option to pull configs / policies from the firewall end, please, if it's actually there?
Many thanks, and please keep up the great work, as I really love these recent Central additions. (Also, if any new EAPs are out or coming soon, please PM me an invite; I'd be ever so grateful.)
Great work guys!!!! Really!
I've been using it since the first EAP.
One thing I'm still missing:
When I create a dynamic object interface, it would be nice to use it in the Firewall Rules.
The dynamic zones are selectable in firewall rules.