Hey everyone, I'm really excited to announce the start of the Firewall Group Management Early Access Program! We've been working on this for quite a while now, and it's my pleasure to introduce you to the first early access to firewall group management, in Sophos Central!

New Features

  • Create firewall groups
  • Assign firewalls to a group
  • Edit group policy

Introduction

Upon joining the early access program, two new items, "Firewall Groups" and "Task Queue", appear in your Firewall Management menu. All of your firewalls will show in both the "Firewalls" and the "Firewall Groups" menus. This is temporary, for the duration of the early access program: we didn't want to risk disrupting current Central Management users who aren't participating in the EAP, so the new menu item is a preview of what the Firewalls menu will become once we're ready for GA.

In the new Firewall Groups menu, the first thing you might notice is that your firewalls aren't named the same as they are on the Firewalls menu. When we first launched firewall management at the start of 2019, many of you asked that the firewall name in Central should match the hostname configured on the firewall, so firewalls running v18 EAP firmware or newer now display the hostname configured on the firewall itself.

The second thing you might notice is that all of the firewalls appear under a heading called Ungrouped. When a firewall is added to Central, it is not grouped automatically; any firewall that is not a member of a group appears in this topmost list of ungrouped firewalls. You can create groups with the button at the top, and you can assign firewalls to a group by selecting the "Edit Group" option on the group's menu.

How Groups Work

Groups are pretty straightforward, but if you're familiar with Sophos Firewall Manager (SFM) or CFM, it's worth taking a moment to outline the differences. SFM and CFM have a fairly unstructured relationship between groups and the firewalls that are their members. In Central, we've worked to make that more structured and predictable. First, a firewall may be a member of only one group at a time. In the current EAP release, group structures are flat, but we will expose nested groups later in the EAP, allowing up to three levels of nesting.

When a firewall is added to a group, the full configuration of that group (and of its parent groups) is synchronized to the firewall. This can take a few minutes to complete, and you can watch the status in the new Task Queue. When editing the group's policy, you'll see a navigation similar to the XG firewall itself. When objects, rules, policies or settings are created or edited, you'll see the change immediately in the group's policy, and a new transaction is added to the Task Queue. That transaction can be expanded to show each firewall that will be, or has been, affected by the change. The firewall always initiates contact with Sophos Central and checks whether any tasks are waiting for it in the queue; Central never needs an inbound connection to the firewall. This process has been optimized, so a firewall that is online should begin applying changes within a few minutes of the changes being made in Central. Incomplete tasks remain in the task queue for up to 30 days. If a firewall has not checked in for 30 days, it performs a full synchronization of all group configuration on its next check-in.

As with SFM and CFM, Central can't (yet) lock the configuration that it pushes. Pushed configuration appears alongside any configuration created locally, and can be edited or deleted by administrators logged in locally to the firewall. As you might expect, this creates the possibility of conflicts between the configuration that Sophos Central is trying to apply and the config already present on the firewall. Some steps are taken to minimize the problems this can cause. When pushed configuration depends on other objects being present, Central will attempt to make sure that those objects are present and contain the correct values; if they've been changed or removed, they will be updated or re-created as necessary. In cases where Central can't successfully resolve a conflict, an error is raised in the task queue. The errors should be clear enough to point out exactly where the conflict is and allow you to resolve it. This process should be significantly improved over what is possible in SFM and CFM today.
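To make the check-in, task-queue and conflict behaviour described in the two paragraphs above concrete, here is a small Python model of it. This is an added illustration, not Sophos code and not how Central is implemented: the object shape, the rule that a same-named local object of a different type is an unresolvable conflict, the `TaskQueue` and `Firewall` classes and the three sample firewalls are all assumptions made for the example. Only the pull-based flow, the 30-day task retention and the full resync after 30 days of absence come from the post.

```python
"""Toy model of pull-based group-policy sync (added example, not Sophos code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable

TASK_TTL = timedelta(days=30)         # incomplete tasks are kept for up to 30 days (from the post)
FULL_SYNC_AFTER = timedelta(days=30)  # a firewall absent this long resyncs everything (from the post)


@dataclass(frozen=True)
class Obj:
    """A configuration object plus the names it depends on (assumed shape)."""
    name: str
    kind: str
    value: str
    depends_on: tuple[str, ...] = ()


class ConflictError(Exception):
    """A dependency on the firewall cannot be made to match the group policy."""


@dataclass
class Task:
    created: datetime
    objects: list[Obj]
    results: dict[str, str] = field(default_factory=dict)  # outcome per firewall name


class TaskQueue:
    def __init__(self) -> None:
        self.tasks: list[Task] = []

    def add(self, now: datetime, objects: Iterable[Obj]) -> Task:
        task = Task(now, list(objects))
        self.tasks.append(task)
        return task

    def pending(self, now: datetime, fw_name: str) -> list[Task]:
        """Tasks this firewall has not applied yet; tasks older than TASK_TTL are dropped."""
        self.tasks = [t for t in self.tasks if now - t.created <= TASK_TTL]
        return [t for t in self.tasks if fw_name not in t.results]


@dataclass
class Firewall:
    name: str
    local: dict[str, Obj]  # configuration present on the box, keyed by object name
    last_checkin: datetime

    def apply(self, obj: Obj, policy: dict[str, Obj]) -> None:
        """Apply one object after ensuring its dependencies exist with the expected values."""
        for dep in obj.depends_on:
            want, have = policy.get(dep), self.local.get(dep)
            if want is None or (have is not None and have.kind != want.kind):
                # Assumed conflict rule: a same-named object of another type is not
                # overwritten silently; the task fails and an admin has to resolve it.
                raise ConflictError(f"{obj.name}: dependency {dep!r} conflicts with local config")
            if have != want:  # deleted or edited locally: re-create / update it first
                self.apply(want, policy)
        self.local[obj.name] = obj

    def _apply_all(self, objects: Iterable[Obj], policy: dict[str, Obj]) -> str:
        try:
            for obj in objects:
                self.apply(obj, policy)
        except ConflictError as exc:
            return f"error: {exc}"
        return "done"

    def check_in(self, now: datetime, queue: TaskQueue, policy: dict[str, Obj]) -> list[str]:
        """Firewall-initiated poll; Central never opens a connection to the firewall."""
        absent = now - self.last_checkin
        self.last_checkin = now
        if absent > FULL_SYNC_AFTER:
            # Away too long: re-apply the whole group policy instead of replaying deltas.
            status = self._apply_all(policy.values(), policy) + " (full sync)"
            for task in queue.pending(now, self.name):
                task.results[self.name] = status
            return [status]
        outcomes = []
        for task in queue.pending(now, self.name):
            task.results[self.name] = self._apply_all(task.objects, policy)
            outcomes.append(task.results[self.name])
        return outcomes


def demo() -> dict[str, object]:
    """Constructed scenario (sample data, not real devices): a drifted firewall, one with a
    clashing local object, one absent for 45 days, and one task too old to be delivered."""
    now = datetime(2019, 11, 1)
    web1 = Obj("web1", "iphost", "10.0.0.10")
    rule = Obj("allow-web", "fwrule", "accept web1:443", depends_on=("web1",))
    policy = {o.name: o for o in (web1, rule)}
    queue = TaskQueue()
    queue.add(now - timedelta(days=40), [web1])  # expired: must never be handed out
    queue.add(now, [rule])                       # the change an admin just made in Central
    drifted = Firewall("fw-a", {"web1": Obj("web1", "iphost", "10.0.0.99")}, now - timedelta(hours=1))
    clashing = Firewall("fw-b", {"web1": Obj("web1", "fqdnhost", "web1.example.test")}, now - timedelta(hours=1))
    absent = Firewall("fw-c", {}, now - timedelta(days=45))
    return {
        "a": drifted.check_in(now, queue, policy),
        "b": clashing.check_in(now, queue, policy),
        "c": absent.check_in(now, queue, policy),
        "a_web1": drifted.local["web1"].value,      # drift repaired to the policy value
        "b_web1_kind": clashing.local["web1"].kind,  # left untouched; task errored instead
        "c_objects": sorted(absent.local),
        "tasks_left": len(queue.tasks),
    }
```

Running `demo()` shows the three outcomes a tester should expect to see in the Task Queue: the drifted firewall is repaired and reports done, the clashing one reports an error that names the offending dependency, and the long-absent one reports a full sync rather than a delta.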

EAP limitations

This EAP is not feature complete. Numerous items are planned, and will be added as they are completed.

On the Firewall Groups page:

  • Summaries of a group's members and their status are planned
  • Not all of the information available on the Firewalls list has been added to the Firewall Groups list yet
  • Firewall Reporting enrollment and availability will be shown more prominently
  • Additional layout and style improvements are planned

When managing group policies

  • Not all areas are supported yet. Look for menu items and tabs with grayed-out text. These pages may be viewed and even edited, but changes will not yet be pushed to firewalls. They will be supported in later EAP releases.
  • Not all pages reflect the latest v18 UI. In many cases this does not affect the page's functionality, but some features may not be represented yet on some pages.
  • Some navigation improvements are planned, to show the state of the task queue from inside group policies and to make it easier to move from the group policy to the task queue.

Dynamic Objects

  • Dynamic objects are not yet available in the EAP, but will be added very soon

A more detailed list is outlined in this thread.

Timeline

  • After EAP 1 is released, expect updates as often as every six weeks
  • The target is to be ready for GA in Q1 2020

Requirements

  • Firewalls must be running XG v18 EAP1 or higher to be added to groups
  • Firewalls must be internet connected

What to test

Firewall groups

  • Create firewall groups
  • Assign firewalls to groups, verify no unexpected changes happen from joining the group
  • Edit group policies, and verify that changes are applied correctly to each firewall
  • Verify Task Queue shows all transactions expected
  • Remove a firewall from a group and verify behavior of changed items

In event of errors in task queue

  • Do the errors make sense?
  • Are you able to find the source of the problem from the error message provided?
  • After resolving the error, does "Retry" successfully re-run the task?

How to join

  1. Log in to your Sophos Central account
  2. On the top-right corner of the page, click on the menu under your name
  3. Select Early Access Programs
  4. Look for Firewall Group Membership, and click Join
  5. Follow the steps to finish joining the EAP
  6. Go to your Firewall Management menu to begin testing!

Known Issues

How to report an issue

  • Instructions on how to report an issue are outlined in [this thread].
Attachment: Firewall_Group_Management EAP1_Evaluation_Guide.pdf