Introduction to Sophos SUM (Sophos UTM Manager)


Etienne Liebetrau


Sophos has done a fantastic job keeping the full management of Sophos UTM confined to the web UI. In fact, you have to explicitly enable shell access. Compared to some other Linux-based appliances, this is pretty impressive. But what if you have more than one UTM or UTM clusters to manage?

The Sophos UTM Manager (SUM) can monitor and manage multiple UTM deployments from a single location. Those familiar with Microsoft Forefront TMG know about the Enterprise Management Service, and Sophos SUM is essentially the same thing.

This article covers the basics of how Sophos SUM works, what it can do, and takes you through configuring SUM for the first time. Because this is an introduction, it will be light on technical information and heavy on the screen grabs!

What is Sophos SUM, where do I get it and how much does it cost?

Sophos SUM is supplied as a virtual appliance only. You can download the installation ISO here:

You can now install the SUM on any virtual platform or a physical machine. Unlike Sophos UTM, the SUM only requires a single network adapter. The installation is virtually identical to building a UTM.

The Sophos SUM is free, but remember to register it and get a license key before your trial runs out.

Getting started

Once you have completed the build, log on to the SUM at https://sumIP:4444 and complete the configuration, which will set the host name, passwords, etc. Again, if you have configured a UTM before, this will look and feel familiar. One key difference, however, is that this interface only configures the SUM, nothing more.

Connecting a Sophos UTM to the SUM

Because the SUM is not really anything to look at on its own, I suggest connecting your UTM to it. No changes are forced down to the UTM, and it is easy to remove the SUM and its components if you wish to do so. You have to initiate connecting to the SUM from the UTM itself.

To connect your UTM:

  1. Open the UTM Management Console, and browse to Management | Central Management.
  2. Toggle the switch to turn it on.
  3. Add a new host for the SUM.
  4. Click Apply.

Logging on to Sophos SUM

As mentioned earlier, https://SUMip:4444 is only for configuring the SUM itself. To manage your UTM devices, you will connect to https://SUMip:4422. Here, you have access to a few sections that allow you to manage your devices remotely:

  • Monitoring
  • Maintenance
  • Management
  • Configuration
  • Reporting


Monitoring lets you see the health of your Sophos UTMs. It allows you to view threats; licenses; versions; Up2Date status; resource usage, such as CPU and RAM; services; and availability in a number of different ways. Various icons and indicators inform you of the different aspects of the device, such as Up2Date status, connectivity state, etc. This is the resources view, but it is a common method for rendering and filtering information.


In the maintenance section you can schedule tasks, such as updates, reboots and backups, for your Sophos UTMs. From this interface you can also back up UTMs remotely or schedule automated backups, setting the backup frequency and the retention amount. You can also initiate restore jobs from here.


Management covers how the SUM manages and organizes the UTMs. They are broadly grouped by organizational units (OUs). Each OU's basic policy is defined based on how it is configured. In this section you can also specify global NTP servers, allow or deny access to UTMs, and restrict users or groups.


The configuration section is the most functional because it allows you to not only define and distribute common object definitions but also import them from existing UTMs.

  • Step 1: Select the gateway (UTM) and then the object you want to import.
  • Step 2: Switch to the import tab and confirm which object needs to be imported.
  • Step 3: Select the definitions option. Now they are available to deploy to the various organizational units.


The same basic process is used to create and deploy network objects, firewall rules, web filtering policies, etc.


The reporting section aggregates some of the UTMs' on-box reports and covers the basic metrics you might want to track, such as hardware and network usage over time.

Note: Sophos SUM does not centrally report on web usage across your UTMs. For central web reporting, take a look at Fastvue Sophos Reporter.

As you can see, there are many useful functions in the Sophos SUM, especially if you have multiple UTM devices. It is much easier to define something, such as a firewall rule that has a host and a protocol definition, in one place and have it deployed consistently and uniformly across multiple UTMs.

Up2Date Cache

The SUM can also act as a caching server for the Up2Date updates for your various UTMs. Combined with the Pre-fetching, Install Firmware and Install Pattern maintenance tasks, you now have a full Patch and Software Management System. This is a key measurable when evaluating the maturity of your perimeter security deployment.

  1. To configure the SUM as a caching server, you need to hop back to the https://SUMip:4444 interface.
  2. Browse to Management | Up2Date and select the Cache tab.
  3. Toggle the switch to turn it on, and specify a Port and Allowed Networks.


On the Sophos UTM side, you simply check the Use SUM server as Up2Date Cache box. It overrides the local Up2Date setting, so there is no need to change anything further.



Managing one or two Sophos UTMs independently is fine. But you should consider using the Sophos SUM when you begin to grow your environment with multiple UTMs at remote sites.

The Sophos SUM is a great management tool, and it's free. Other firewall or gateway solutions, such as those from Fortinet and Check Point, charge extra for the management server/service.

I hope you have found this article informative and that it has made you curious enough to want to try the Sophos SUM.
