Sophos Firewall: Managing Firewall and SD-WAN Orchestration

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

Overview

The purpose of this document is to provide you with information on how to configure SD-WAN orchestration between the local branch and the head office using Sophos Central, whether it’s standalone or in HA.

Topology

Head Office Central Registration

Step 1:Status Deployment

Check the Status of deployment on web-admin, as shown in the screenshot below:

Step 2:Status of HA

Verify the Status of HA under CONFIGURE > System services > High availability

Step 3:Central Registration

Register on Sophos Central under SYSTEM > Sophos Central
Note: Please Register both the Firewalls if deployed in HA

Branch Office Central Registration

Step 1:Deployment status

Check the Status of deployment on web-admin, as shown in the screenshot below:

Step 2: Central Registration

SD-WAN Orchestration

Step 1: Creation of Group

Under Sophos Central > My Products > Firewall Management > Manage Firewalls > Firewalls.

Step 2: SD-WAN Connection Group

Under SD-WAN Connection Groups > Click on Create Connection Group
Sophos Central > My Products > Firewall Management > SD-WAN Connection Groups
Select the firewalls you wish to add under the SD-WAN Orchestration

Step 3: Adding Resources

Click Next to Add Resources for both the Firewalls with the drop-down menu:

Notes: Shared networks will be available to all firewalls that are part of this sharing group. You can Opt in for the following options given below:

Automatically create firewall rules
Limit Access to authenticated users
Configure Synchronized Security Heartbeat

Step 4: Configuring Network

Click Next to Configure Network. Once done, click the finish button.
#Head Office - HA

#Branch Office – Standalone

Note – It can take up to 15-20 mins for the tunnel to come up

Note: If you opted for automatic firewalls, you’d be able to see in the firewall web admin
PROTECT > Rules and Policies

And you’ll be able to see the XFRM Interface under the CONFIGURE > Network > WAN Port > xfrm

And IPsec connection between the HO and BO can also be seen under the CONFIGURE > VPN > IPsec connections.

I hope this article has helped you achieve your requirement and clarified your doubts!

Revamped RR
[edited by: Erick Jan at 6:51 AM (GMT -8) on 17 Jan 2023]

Moses Wamono 14 days ago

Hello, if customer subscribes to Central Orchestration at Head office firewall, is it required to have Central Orchestration Subscribed for each of the branch office firewalls ?

Will Central Orchestration NOT work if branch office FWs do not have central Orchestration subscription but have say simple BASE license?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Vivek Jagad 13 days ago in reply to Moses Wamono
Hey Moses Wamono ,

Thank you for reaching out to the community.

The following requirements would have to be met on all firewalls if you want to use the SD-WAN feature:

SFOS v18.5 MR1 or higher

Central Management activated

Central Orchestration License
Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel