Guide for Partners - Sophos€¦ · Guide for Partners - Sophos Central Firewall Manager ... Channel Account Manager. Notification for firewall management request . ... Customer can

December 2018 Page 1 of 24

Guide for Partners Sophos Central Firewall Manager Document Date: December 2018

Guide for Partners - Sophos Central Firewall Manager


Contents Change log ...................................................................................................................................... 3

Terminology Convention ............................................................................................................... 4

Overview .......................................................................................................................................... 5

Prerequisites ................................................................................................................................... 5

Compatibility Matrix ....................................................................................................................... 6

Process - Onboarding Sophos Firewalls to CFM ....................................................................... 6

1. Log in to Sophos Central Partner ......................................................................................... 7

2. Sign up for Sophos Central Firewall Manager .................................................................... 9

3. Send Request to Manage Firewalls .................................................................................... 12

4. Approve Firewall Management Request(s) ....................................................................... 13

5. Configure Central Management Settings on Firewall ...................................................... 15 Push Mode ....................................................................................................................................... 15 Fetch Mode....................................................................................................................................... 17

6. Manage Firewalls .................................................................................................................. 18

Advanced Settings ....................................................................................................................... 20

Available Resources .................................................................................................................... 24

Technical assistance ................................................................................................................... 24



Change log Date Description 27-04-2017 Changed document name and updated the content by categorizing steps. 12-06-2017 Updated Process – Onboarding Sophos Firewalls to CFM. 29-08-2017 • Updated Configure Central Management settings on Firewall section.

• Updated Compatibility Matrix and added Compatibility Guide hyperlink. 17-04-2018 Updated screenshots for Configure Central Management Settings on Firewall

and Manage Firewalls.



Terminology Convention Terminology Description

Sophos Firewall XG firewalls, SG UTM and Cyberoam appliances running on SFOS

MySophos/MySophos portal Portal used by Sophos end-users to • register Sophos firewalls • download upgrades • manage subscription licenses • approve request for firewall management

Sophos Partner Portal Portal used by Sophos Partners to • track devices and licenses • manage opportunities • leverage sales and marketing tools

Sophos Central Partner A single place for partners to go to manage the licensing, usage, and trials for Sophos Central products across their entire customer base.

Also offers aggregated alerts and links directly to Sophos Central Admin to provide support to their managed customers and more.

Sophos Central Firewall Manager/ CFM

Cloud based centralized management service to configure and manage multiple Sophos Firewall devices from a single console.

Firewall Registrant or MySophos Account User

User who has registered the firewall in MySophos account, either a partner or a customer.

Primary Partner Contact or Primary Administrator

The primary point of contact of a partner registered with Sophos who can access Sophos Central Partner.

Non-primary Partner Contacts or Non-primary Administrator or Secondary Administrator

Users registered under partner account who can access Partner Portal and Sophos Central Partner except primary partner contact.



Overview Sophos Central Firewall Manager is a cloud based centralized management service which enables Sophos Partners to configure and manage multiple Sophos Firewall devices from a single console.

As a Partner you can also:

Manage and support Customers anywhere, anytime Create new revenue stream by offering managed services to Customers Save on support cost, time and efforts

Sophos Central Firewall Manager (CFM) is currently available only to Sophos Partners and is accessible via Sophos Central Partner. Partners can configure and manage Sophos Firewalls sold by them and linked to their account in Sophos Systems. However, Evaluation hardware devices used for PoC purpose and Demo devices used by partners cannot be managed through CFM.

The target audience for this guide are partners/MSPs who own the device as well as manage them and partners/MSPs who manage the devices owned by customers.

Prerequisites Partner must have access to Sophos Partner Portal. Sophos account manager must enable Sophos Central Partner access. Sophos Firewall must be:

• Registered on MySophos • Accessible via Internet

https://id.sophos.com/?fromURI=https%3A%2F%2Fsophos.okta.com%2Fapp%2Fsalesforce_portal%2Fexk1ukdhmlwvqaUlj0x7%2Fsso%2Fsaml%3FRelayState%3DCommunitiesRedirection%3FlandTo%3Dsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3DCAAAAVsUQaySME8wajAwMDAwMDA0Qzk3AAAAztDCUo00tDvt_3W5Mg2tLKKeFNZARfd5nggKSVDSmjzMPG3yK-8Fldm7iEF3DpYz104nnNEQ05kA5YcHtcFcEG5fOfZ6loqrNT0MRqAXYczbrpGN39bXNZoOwDYNXcfuCarUGXx6nTtSuxsGrnm0WDhNVgh65y8rusiSkja7D-S-PA-7TdqqKxwdcl_zuV2m8zXAT7UA_7GiUqBi5VsbfUQ3YACfPUqkNmTHDYMmn96eJQVe2B7XkbiHAJPgSqDVhSc9pcevhbjygt6A6-fKAXBrYkCyAc9vHSX7E1JaHZyZL8LXT3liGj2eDm7ocGtwpTFzbaE15uHjWGTjA2zeyxpvHGdEpE4yD6fPA69Q4D2zL_McuxvugSz5ubCXcu6BIe0bSBmgdoX9ZB92cSB5aWLMiw2SaGfi9cuJUcvfExHiPm7_ZZP8AzUg1lYyx4qhTPO-an7EX7hDawvDii0v9yGicFqxkIpQ36hCcN3Mm87FKlY25fdb9RxBp88yFTSShgzzPWfFpDFbT-y6uxPdzsuahnnsnGazMZKVIyvil6oGEruy4RQROizNwl5NQYVUVDlITivVcZfAe7I-mhULrg1RJtZzAZqeAPoY-VQjELAG%26display%3Dpopup



Compatibility Matrix Please refer to Compatibility Guide.

Process - Onboarding Sophos Firewalls to CFM

https://www.sophos.com/en-us/support/documentation/sophos-central-firewall-manager.aspx?platform=Compatibility-Document#Compatibility-Document



1. Log in to Sophos Central Partner You can access Sophos Central Partner via:

Sophos Central Partner Partner Portal

Sophos Central Partner Log in using the following link and your Partner Portal credentials:

https://central.sophos.com/manage/partner

Sophos Central Partner access requires a two factor authentication (2FA). That requires username and password together with a piece of information only known to the Partner.





Partner Portal Login to Sophos Partner Portal (http://www.sophos.com/partners) and click Manage Sophos Central to continue with 2FA process to access Sophos Central Partner.

http://www.sophos.com/partners

http://www.sophos.com/partners



2. Sign up for Sophos Central Firewall Manager Go to Sophos Central – Firewalls > Firewall Approvals and click Send Request.

Terms and Conditions of CFM service are displayed. Click ‘I Accept’ to proceed.

Only primary administrator can accept terms and conditions for partner.

Sophos Systems receives your request for approval.

Click Check Status to view the status of your request.



You receive a confirmation email once the request is approved.

Now you can view and manage firewalls through Sophos Central – Firewall.

• Firewall Customers View list of Firewall Customers and Firewalls per Customer and track earliest license expiry of firewalls.

• Firewall Approvals View and manage firewall management requests.



Firewalls linked with the partner account may have following status:

• Requests Not Sent: Shows list of firewalls not yet requested for management. • Approval Pending: Firewalls requested for management but pending approval. • Rejected by Customer: Firewalls requested for management but rejected by

customer. • Revoked by Customer: Managed firewalls for which customer revoked

permission. • Rescinded by Partner: Managed firewalls for which partner rescinds

management. • Approved Firewalls: Firewalls approved by customer for management. • All Firewalls: List of all firewalls with status.

• Manage Firewalls Launch Firewall Manager to configure and manage firewalls.



3. Send Request to Manage Firewalls

Go to Sophos Central – Firewalls > Firewall Approvals to view the firewalls linked to your partner account.

Under Requests Not Sent, select the firewall device and click Request to Manage to send a request to customer asking for approval.

Once you send the request, the device moves to Approval Pending from Requests Not Sent and an email is sent to the customer notifying about this request.

• If a Non-Primary administrator sends a request, the primary administrator receives a notification.

• A firewall can be linked to only one partner account at any given point of time. • If you are not able to see the firewall, contact Channel Account Manager.

Notification for firewall management request Customer receives a notification email with a link to respond via registered MySophos account.



4. Approve Firewall Management Request(s) Customer must login to MySophos account and go to Network Protection > View Devices

to view the request(s) sent by the partner. The status and partner information of the firewall management request is displayed under

Sophos Central Firewall Manager access as Approval Pending.

Customer can view details of the partner who initiated the firewall management request, in the tooltip on the partner company name.

Customer can take following actions: • Accept Selected – To accept management request for selected firewalls. • Reject Selected – To reject management request for selected firewalls. • Revoke Selected – To revoke management request for selected firewalls. • Accept All Awaiting Approval – To accept all management requests in a click. • Reject All Awaiting Approval – To reject all management requests in a click. • Revoke All Managed – To revoke all managed devices in a click.

To approve the firewall management request(s), customer can either click Accept Selected under Central Firewall Manager Access dropdown below the device list or approve all requests at once by clicking Accept All Awaiting Approval.

Click OK to confirm the action.



The status of the requested device changes to Managed. The partner and the customer receive an approval notification email.

Notification for Firewall Management Approval The customer receives an email confirming the approval with further guidelines. The customer and partner are notified even if the request is rejected or the permissions

are revoked for an already managed device.



5. Configure Central Management Settings on Firewall After approving the firewall management request(s) on MySophos, the customer needs to configure Central Management settings on the firewall(s). To configure these settings;

Login to XG Firewall.

Go to System > Administration > Central Management. Turn on Central Management Settings to manage your firewall using CFM.

Push Mode

User should enable HTTPS Service on WAN management/WAN Zone in firewall device and create a firewall rule to enable it only for CFM.



Steps to create firewall rule:

• Go to Protect > Firewall > +Add Firewall Rule. • Enter a Rule Name. • Select Accept as Action. • Select WAN in Source Zones. • Select the FQDN Host created for CFM in Source Networks and Devices.

• Select LAN as Destination Zones.

The FQDN Host for CFM should be created with the FQDN as “us-e1.cfm.sophos.com”

Click Save.



Fetch Mode

Once the central management settings are configured on the firewall device, the device appears under the Discover notification at the top right of CFM as well as on the dashboard as Firewalls waiting for addition.



User doesn’t need to enable WAN management on firewall device.

• All authorized CFM administrators can add devices to CFM from Discover notification

or from Firewalls waiting for addition on the dashboard. • If central management settings are not configured on firewall device it appears under

System Management > Account Settings > Accounts > Device Inventory. • Only primary administrator can access Device Inventory.

6. Manage Firewalls View Firewall Approvals To view list of the firewalls approved for central management go to Sophos Central Firewalls - Firewall Approvals > Approved Firewalls:

• The firewalls for which requests are denied/revoked by the customer appear under Rejected by Customer and Revoked by Customer respectively. Partner can resend requests for these devices.

• In case partner decides not to manage a device anymore and chooses to rescind it, the device appears under Rescinded by Partner.



Launch Firewall Manager Go to Manage Firewalls and click Manage. This opens the Firewall Manager in a new tab.

Authorized administrator can assign the added devices(s) to other administrator(s) for configuration and management.

On dashboard, Firewalls waiting for addition displays devices under Discover , which are waiting to be added. Firewalls waiting for addition appears only when devices are listed in

Discover .



Advanced Settings To view and manage list of administrators who can access Firewall Manager go to Administration > Manage Administrators.

There are two types of Administrators; Primary and Non-Primary.

The Primary administrator has all the administrative privileges including allowing and denying non-primary administrators to access CFM and manage firewalls. Please refer to matrix to understand privileges associated with each administrator type.

Privileges Primary Administrator

Non-Primary Administrator

Sign up for CFM

Enable other partner users to access CFM

Grant administrative privileges

For assigned devices/device groups

Grant device administrator privileges

Add device(s) to CFM from Discover or Firewalls waiting for addition on dashboard

Access Device Inventory

Manage Firewall Approvals

For assigned devices/device groups



The Primary administrator can grant administrator privileges to non-primary administrators through Central Partner as follows:

Go to Administration > Manage Administrators and enable Manage Firewall for the respective admin you want to allow/deny access to manage firewalls.

Go to Sophos Central – Firewalls > Manage Firewalls and click Manage.

On CFM console open System & Monitor.



Go to Account Settings > Administration > User.

Select user and edit to assign Access Profile and Accessible Device.



• To add/remove administrator or to change the Primary Administrator, contact your Channel Account Manager.

• To allow another partner user to manage all the devices:

• Set Access Profile as Administrator for user or • Set Access Profile as Device Administrator and specify all the Device

Groups. For more details click here.

https://community.sophos.com/kb/en-us/121583



Available Resources FAQ

Webinar

Customer guide

Technical assistance For any queries, contact Sophos Customer Support using one of the following methods:

Email id: [email protected]

Telephonic support: 1-888-767-4679

http://docs.sophos.com/nsg/sophos-cloudfirewallmanager/v17.0.0/PDF/FAQs%20-%20Sophos%20Central%20Firewall%20Manager.pdf

http://docs.sophos.com/nsg/sophos-cloudfirewallmanager/v17.0.0/PDF/FAQs%20-%20Sophos%20Central%20Firewall%20Manager.pdf

https://attendee.gotowebinar.com/recording/2072776612407741698

https://www.sophos.com/en-us/support/documentation/sophos-central-firewall-manager.aspx

https://www.sophos.com/en-us/support/documentation/sophos-central-firewall-manager.aspx

mailto:[email protected]

Documents

Guide for Partners - Sophos€¦ · Guide for Partners - Sophos Central Firewall Manager ... Channel Account Manager. Notification for firewall management request . ... Customer can