Deploying Sophos Firewall

Using the Initial Setup Wizard

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1020: Deploying Sophos Firewall Using the Initial Setup Wizard

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Deploying Sophos Firewall Using the Initial Setup Wizard v1.0 - 1


Deploying Sophos Firewall Using the Initial Setup Wizard

In this chapter you will learn how to use the Initial Setup Wizard to configure Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall
✓ The multiple layers of protection provided to detect and block attacks

DURATION

10 minutes

In this chapter you will learn how to use the Initial Setup Wizard to configure Sophos Firewall.



Connecting Sophos Firewall to the Network

1/LAN: The default LAN port to connect to for initial configuration
2/WAN: The default WAN port
A different port can be selected in the initial setup wizard

To set up the Sophos Firewall, start by connecting it to power and then connecting the LAN and
WAN ports.

On hardware XGS Series and XG Series firewalls the default LAN and WAN ports will be marked. On
software and virtual Sophos Firewalls these will be the first and second network cards.

You will have the option to modify these ports either during the initial setup or once the setup is
complete.



Command Line Interface (CLI)

Additional information in the notes

SSH Console

Default credentials:
• Username: admin
• Password: admin

These credentials are changed as part of the initial setup wizard

Although Sophos Firewall is managed through a web interface, it also has a command line interface
(CLI) that is accessible through SSH, through a console connection, or by physically connecting a
monitor and keyboard to the device.

You may want to use the CLI to change the IP address of the management port to be in your LAN IP
range, so that you can connect to the WebAdmin to complete the initial setup wizard.

To log in to the CLI, use the password of the built-in ‘admin’ user. The default admin password is
‘admin’; you change this as part of the initial setup wizard.

In the slide notes you can find the parameters for a console connection.

[Additional Information]

Console connection parameters:

• Baud rate or speed: 38,400
• Data bits: 8
• Stop Bits: 1
• Parity and Flow Control: None or 0



Simulation: Network Configuration Using the CLI

In this simulation you will use the CLI to change the IP address of the management port to be in
your LAN IP range.

https://training.sophos.com/fw/simulation/CliConf/1/start.html

In this simulation you will use the CLI to change the IP address of the management port to be in
your LAN IP range.



WebAdmin

Default IP address: 172.16.16.16 (/24)
Port: 4444
WebAdmin URL: https://DeviceIP:4444

Sophos Firewall is configured and managed through a web interface. By default, the device’s IP
address is 172.16.16.16 and the WebAdmin runs on port 4444. So, to connect to the WebAdmin
interface on a brand-new device, you browse to https://172.16.16.16:4444.

You will receive a certificate error when connecting to the Sophos Firewall because it is using an
untrusted self-signed certificate.
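
The following planning check is an added example, not part of the Sophos course material. It uses the defaults stated above (172.16.16.16/24, port 4444) to decide whether a workstation can reach WebAdmin directly or whether the management port must first be re-addressed from the CLI, and it validates a proposed new address. The function names, the sample addresses, the in-use list and the DHCP pool are assumptions made for illustration, and IPv4 is assumed.

```python
import ipaddress

# Factory defaults stated on this page.
DEFAULT_MGMT = ipaddress.ip_interface("172.16.16.16/24")
WEBADMIN_PORT = 4444


def webadmin_url(mgmt_ip):
    """WebAdmin URL for a management address (https://DeviceIP:4444)."""
    return f"https://{ipaddress.ip_address(mgmt_ip)}:{WEBADMIN_PORT}"


def needs_cli_readdress(workstation, mgmt=DEFAULT_MGMT):
    """True when the workstation (CIDR form, e.g. "192.168.10.25/24") cannot
    reach the management port on-link, so the port has to be re-addressed
    from the CLI before WebAdmin is usable."""
    ws = ipaddress.ip_interface(workstation)
    on_link = ws.ip in mgmt.network and mgmt.ip in ws.network
    # An address clash with the firewall itself also rules out direct access.
    return not on_link or ws.ip == mgmt.ip


def check_new_mgmt_address(candidate, lan, in_use=(), dhcp_pool=None):
    """Return a list of problems with a proposed management address.

    candidate: address to set from the CLI, e.g. "192.168.10.1"
    lan:       LAN range in CIDR form, e.g. "192.168.10.0/24"
    in_use:    addresses already assigned to other hosts (assumed inventory)
    dhcp_pool: optional (first, last) pair of an existing DHCP scope
    """
    ip = ipaddress.ip_address(candidate)
    net = ipaddress.ip_network(lan, strict=True)
    problems = []
    if ip not in net:
        problems.append("outside LAN range")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        problems.append("already in use")
    if dhcp_pool:
        first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
        if first <= ip <= last:
            problems.append("inside DHCP pool")
    return problems
```

An empty list from check_new_mgmt_address means the address is safe to set from the CLI; webadmin_url then gives the URL to open to start the initial setup wizard.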



Initial Setup Wizard

Set a new admin password

Update the firmware

Agree to the licence

Optionally:
• Restore a backup configuration
• Connect as high-availability spare

We will now walk through the initial setup of a Sophos Firewall.

On the first page you set a new admin password and accept the terms and conditions. If you are
configuring the firewall on behalf of someone else, they must accept the terms and conditions.

By default, the Sophos Firewall will download and install the latest firmware as part of the initial
setup; however, you can deselect this to postpone it until later.

You also have the option to restore a configuration backup, or connect the Sophos Firewall as an
auxiliary device to a high-availability pair. Both of these options will provide a different initial setup
to the full one we are going to show here.



Initial Setup Wizard

Configure the Internet connection

This step is skipped if the WAN port is configured by DHCP

The Sophos Firewall requires an Internet connection for registration and, if selected, to download
the latest firmware.

You can choose which port to configure the WAN connection on, then you need to specify the IP
address, subnet, DNS server and gateway. When you save these settings the Sophos Firewall will
test the connectivity then allow you to continue with the initial setup.

If the WAN port is connected to a network that provides DHCP, this step will be skipped.



Initial Setup Wizard

Enter a hostname

Set the time zone

You can enter a fully qualified hostname for your Sophos Firewall. This can be either the internal or
external hostname for the firewall; however, in most scenarios we would recommend using the
internal hostname.

Optionally, you can modify the automatically selected time zone.



Initial Setup Wizard

Register the Sophos Firewall

Enter the serial number, this is prefilled on hardware devices

Optionally:
• Start a trial
• Migrate a UTM license
• Defer registration

The next step is to register the Sophos Firewall.

If you have a serial number, you can enter it to register your firewall. On hardware XGS Series and
XG Series devices this will be prefilled.

You also have the option to migrate an existing UTM license, start a trial, or defer the registration
for 30 days.

Deferring the registration can be useful if you are preparing a Sophos Firewall prior to taking it
onsite. It is worth noting that when registration is deferred there are several features that you are
unable to use.

To complete the registration, you need to log in with your Sophos ID, and then the Sophos Firewall
will synchronize the license.



Initial Setup Wizard

Configure the LAN network

Select which ports to bridge together to create the LAN

Select the gateway

Configure the IP address

Optionally enable DHCP

You have the option to configure the local network, and the settings differ depending on
whether you are deploying a hardware, virtual or software Sophos Firewall. We will start by
looking at hardware devices.

Here you can select which ports to use for the LAN. All ports selected will be used to create a
single bridged LAN interface.

You can select the gateway for the LAN network to be either the Sophos Firewall, or an existing
gateway, in which case the LAN will be bridged to the WAN.

You can configure the IP address for the Sophos Firewall, and optionally enable DHCP.

Please note that DHCP cannot be enabled if the Sophos Firewall is bridging the LAN and WAN.



Initial Setup Wizard

Configure the LAN network

Select the LAN port

Select the gateway mode

Configure the IP address

Optionally enable DHCP

For virtual and software devices the configuration is very similar, except instead of selecting ports
to create a LAN bridge interface you select a single LAN port.



Initial Setup Wizard

Enable protection in the default outbound firewall rule

As part of the initial setup wizard the Sophos Firewall will create a default firewall rule for
outbound traffic. Here you have the option of enabling various security options for that firewall
rule.

The options are:

• Protect users from network threats, which will enable an IPS policy.
• Protect users from the suspicious and malicious websites, which will enable a web policy.
• Scan files that were downloaded from the web for malware, which will enable malware scanning.
• Send suspicious files to Sophos Sandstorm, which will enable Sandstorm scanning. This
requires ‘Protect users from the suspicious and malicious websites’ to be enabled.



Initial Setup Wizard

Enter an email address and sender for notifications

Optionally specify an internal mail server for notifications

Optionally enable automatic backups and enter an encryption password

The last piece of configuration is for notifications and backups.

Here you configure recipient and sender email addresses for notifications. You can optionally
choose to configure an internal email server to use to send these.

You can also enable automatic backups, and to use this you need to set an encryption password for
the backup files.



Simulation: Sophos Firewall Initial Setup Wizard

In this simulation you will configure Sophos Firewall using the initial setup wizard.

https://training.sophos.com/fw/simulation/InitialSetup/1/start.html

In this simulation you will configure Sophos Firewall using the initial setup wizard.



Secure Storage Master Key

When you log in to the firewall for the first time after installing, you will be prompted to create a
secure storage master key. The secure storage master key is used to provide additional protection
for account and password details stored in the device and in configuration backups.

Once you have set the master key you cannot recover it, which is why the configuration asks you to
confirm that you have stored it in a password manager, or another safe place.

If you do lose the secure storage master key, you will not be able to restore backups or
configurations created with that key.



Secure Storage Master Key

Additional information in the notes

While the storage master key cannot be recovered, it can be reset. This is done via the command
line using the default super administrator account.

Log in to the console of the Sophos Firewall as admin and choose option 2 for System
Configuration, then option 5 to Reset the secure storage master key.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/cliGuide/concepts/ResetSSMK.html



Chapter Review

The CLI can be used to change the IP address of the management port so that you can
connect to the WebAdmin to complete the initial setup wizard

The Initial Setup Wizard provides a web interface to configure and register the firewall

The secure storage master key is used to provide additional protection for account and
password details stored in the device and in configuration backups

Here are the three main things you learned in this chapter.

The CLI can be used to change the IP address of the management port so that you can connect to
the WebAdmin to complete the initial setup wizard.

The Initial Setup Wizard provides a web interface to configure and register the firewall.

The secure storage master key is used to provide additional protection for account and password
details stored in the device and in configuration backups.
