Sophos Firewall: Managing Firewall and SD-WAN Orchestration

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.


The purpose of this document is to provide you with information on how to configure SD-WAN orchestration between the local branch and the head office using Sophos Central, whether it’s standalone or in HA.


Head Office Central Registration

Step 1:Status Deployment

Check the Status of deployment on web-admin, as shown in the screenshot below:

Step 2:Status of HA

Verify the Status of HA  under CONFIGURE > System services > High availability

Step 3:Central Registration

Register on Sophos Central under SYSTEM > Sophos Central
            Note: Please Register both the Firewalls if deployed in HA

Branch Office Central Registration

Step 1:Deployment status

Check the Status of deployment on web-admin, as shown in the screenshot below:

Step 2: Central Registration

Register on Sophos Central, Under SYSTEM > Sophos Central

SD-WAN Orchestration

Step 1: Creation of Group

Under Sophos Central > My Products > Firewall Management > Manage Firewalls > Firewalls.

Step 2: SD-WAN Connection Group

Under SD-WAN Connection Groups > Click on Create Connection Group
            Sophos Central > My Products > Firewall Management > SD-WAN Connection Groups
Select the firewalls you wish to add under the SD-WAN Orchestration

Step 3: Adding Resources

Click Next to Add Resources for both the Firewalls with the drop-down menu:

Notes: Shared networks will be available to all firewalls that are part of this sharing group. You can Opt in for the following options given below:

  • Automatically create firewall rules
  • Limit Access to authenticated users
  • Configure Synchronized Security Heartbeat

Step 4: Configuring Network

Click Next to Configure Network. Once done, click the finish button.
            #Head Office - HA

#Branch Office – Standalone

Note – It can take up to 15-20 mins for the tunnel to come up

Note: If you opted for automatic firewalls, you’d be able to see in the firewall web admin
        PROTECT > Rules and Policies

And you’ll be able to see the XFRM Interface under the CONFIGURE > Network > WAN Port > xfrm

And IPsec connection between the HO and BO can also be seen under the CONFIGURE > VPN > IPsec connections.

I hope this article has helped you achieve your requirement and clarified your doubts!

Revamped RR
[edited by: Erick Jan at 6:51 AM (GMT -8) on 17 Jan 2023]
Parents Reply Children
No Data