We are super excited to announce the early access program for SD-WAN VPN Orchestration in Sophos Central. If you’ve ever set up more than a couple of VPN tunnels between different firewalls, you know how time-consuming and tedious this process can be. Sophos Central Orchestration makes interconnecting VPN tunnels between multiple Sophos Firewalls a quick and easy task.

See how it works

The new SD-WAN VPN Orchestration tools in Sophos Central enable you to share network resources across a distributed network with just a few clicks. Whether you need a full mesh network, hub-and-spoke topology, or something in-between, Sophos Central will automatically take care of all the necessary tunnel and firewall setup to enable your SD-WAN overlay network.

You simply select the firewalls under management that you want to participate in the SD-WAN connection group, then select the network resources you want every site to have access to. With the flip of a switch, you watch your SD-WAN VPN overlay network come to life as all the necessary firewall access rules and tunnels are created for you automatically.

What you need to take advantage of this

There are three prerequisites for Central SD-WAN VPN Orchestration:

  1. Participating firewalls must be running SFOS v18.5 MR1 (Get it here)
  2. Participating firewalls must be managed from Sophos Central (instructions here)
  3. Participating firewalls must have a trial or license for Central Orchestration (see below)

Central Orchestration is a new license subscription available as a 30-day trial on all Sophos (XG) Firewall devices running SFOS. Central Orchestration is included at no extra charge as part of the new Xstream Protection bundle for Sophos Firewall and is available as a separate license subscription as well.

While all Sophos (XG) Firewall licenses are scheduled to be migrated to the new licensing scheme in the next few weeks, you can activate a Central Orchestration trial now through MySophos to get started with the EAP right away:

  1. Log in to the MySophos Portal at com/mysophos
  2. Navigate to Network Protection > View Devices and click the device you wish to activate the trial for to open the license details for that device
  3. Check the box to evaluate Central Orchestration and click Try Now (see screenshot below)
  4. The license update will synchronize with the firewall within 24 hours, but you can manually synchronize from the firewall under Administration > Licensing

Central Firewall Reporting Advanced

The new Central Orchestration subscription license also includes Central Firewall Reporting Advanced with 30 days of data retention in Sophos Central. This enables you to take advantage of all the great new Sophos Central reports and custom reporting tools to get deep insights across your entire estate of firewalls or any firewall group.

You can easily extend data retention up to a year through additional storage licenses. Check out the storage estimation tool to get a feel for what’s best.

Central Firewall Reporting Advanced also includes the Sophos XDR/MTR connector, which enables firewall data to be shared for cross-product Extended Detection and Response and our 24/7 Managed Threat Response service.

What Sophos Central Firewall Features Are Coming Next

Sophos Central SD-WAN VPN Orchestration is expected to be generally available in early August, but the team is continually adding new features to Sophos Central for firewall management and reporting. There are two additional features coming to Central Orchestration within the coming weeks to make this capability even more helpful…

  • Multiple WAN Link Support – enabling redundant tunnels across two WAN links. The current implementation only supports a single WAN link. This enhancement is expected in September.
  • Enhanced NAT’d Firewall Support – supporting firewalls behind NAT devices in more scenarios to improve flexibility. This is expected to roll out following GA.

In addition, new features are planned later this year for Central Management and Reporting, including:

  • Enhanced Partner Dashboard inventory view
  • Streamlined onboarding of new firewalls for partners
  • Firewall rule pinning
  • Enhancements to backups and alerting
  • Management APIs
  • Added AWS region support
  • Numerous usability enhancements

Please share your feedback in the community forums to help make this release the best it can be.