TSF – Comprehensive IT Solutions for SMBs | HCM

P17 - Monitor Sophos Firewall with PRTG (Step-by-Step Guide)

PRTG P17 – How to Monitor Sophos with PRTG (Step-by-Step Guide)

Monitoring your firewall properly is critical for network stability and security. In this tutorial, you’ll learn exactly how to monitor a Sophos firewall using PRTG with a clean, practical, and production-ready approach.

This guide focuses on:

  • Core health monitoring

  • Bandwidth & interface tracking

  • VPN status monitoring

  • Security event logging (Syslog)

  • Proper threshold configuration

  • Sensors to avoid (prevent performance lag)

Let’s build a stable and professional monitoring setup.


🛠 Step 1: Enable SNMP on Sophos

Go to:

Administration → SNMP

Configure:

  • ✅ Enable SNMP

  • Version: SNMP v2c (easiest)

  • Community: prtg_sophos (example)

  • Allowed hosts: IP of PRTG Server

👉 Save configuration.


(Recommended) Enable Syslog

Navigate to:

System Services → Log Settings → Syslog Server

Use Syslog when you want visibility for:

  • IPS alerts

  • VPN down events

  • Attack detection

This is essential for advanced security monitoring.


🖥 Step 2: Add Sophos Device in PRTG

Add the Sophos firewall as a new device inside PRTG.

Ensure:

  • SNMP credentials match

  • SNMP version = v2c

  • Community string is correct

After device creation, proceed to sensor configuration.


📡 Step 3: Add Sensors

We divide sensors into 3 professional groups.


🟢 GROUP 1 – REQUIRED SENSORS (CORE)

These sensors are mandatory when you monitor Sophos in production.


✅ Ping v2

  • Checks whether Sophos is up or down

  • Basic availability monitoring


✅ SNMP CPU Load

  • Monitor firewall CPU

  • Alert when CPU > 80%

Firewall CPU spikes often indicate:

  • IPS load

  • Heavy traffic

  • Attack attempts


✅ SNMP Memory (Not v2)

  • Monitor RAM usage

  • Very important if IPS or VPN is enabled

Threshold:

  • Warning > 85%

  • Error > 95%

If RAM is always around 70–80%:

  • ❌ Don’t worry

  • Sophos uses cache heavily

  • Only act when:

    • 90% usage persists

    • VPN/IPS disconnects

Important RAM Note

PRTG calculates available RAM as:
Available = Free RAM + Reclaimable Cache – Reserved
→ It will look lower than actual RAM.

Always check the Sophos GUI and set the threshold according to system RAM (example: 4GB).

Channel Settings

Channel | Warning | Error
Percent Available Memory | < 5% | < 2%
Available Memory | < 0.2 GB | < 0.1 GB

✅ SNMP Uptime v2

  • Detect abnormal reboots

  • No threshold required


🟡 GROUP 2 – INTERFACE / BANDWIDTH (HIGHLY RECOMMENDED)

These sensors are critical to properly monitor Sophos traffic behavior.


✅ SNMP Traffic

Select:

  • WAN

  • LAN

  • Primary VLAN


SNMP Traffic – WAN (Port2_ppp)

Threshold

Channel | Warning | Error | Duration
Traffic Total | > 80% BW | > 95% BW | 300s
Traffic In | > 80% BW | > 95% BW | 300s
Traffic Out | > 80% BW | > 95% BW | 300s
Errors in/out | > 0 | > 10 | 300s

📌 100 Mbps WAN example:

  • Warning: 80 Mbps

  • Error: 95 Mbps


SNMP Traffic – LAN (Port1)

Channel | Warning | Error | Duration
Traffic Total | > 70% | > 90% | 300s
Errors in/out | > 0 | > 10 | 300s

📌 LAN usually does not require heavy traffic alerts.


SNMP Traffic – VLAN (Port1.10)

Channel | Warning | Error | Duration
Traffic Total | > 50% | > 70% | 300s
Errors in/out | > 0 | > 10 | 300s

📌 Guest VLANs are frequently abused → set lower thresholds.


🔐 GROUP 3 – VPN & SECURITY (ADVANCED)


✅ SNMP Traffic for VPN

Create an SNMP Traffic sensor for:

  • ipsec0 (Site-to-Site)

  • tun0 (SSL VPN)

  • Corresponding VPN interfaces


SSL VPN (tun0) Goal

🎯 Objective:

  • No notification when nobody is connected

  • Notification when VPN is in use but disconnects


IMPORTANT NOTE

❗ Traffic = 0 ≠ VPN DOWN

If VPN is rarely used:

  • DO NOT set traffic threshold

  • Only monitor:

    • Errors

    • Syslog VPN events


⭐ Syslog Receiver Sensor (Recommended)

This is critical when you want advanced visibility while you monitor Sophos.

Use Syslog Receiver to detect:

  • VPN down

  • IPS blocks

  • Attack detected

Set alert keywords:

  • IPSec tunnel down

  • SSL VPN disconnected


Step 1: Add Syslog Sensor Filters

🔹 Include Filter (paste the entire line)

message[vpn] OR message[SSL] OR message[tunnel] OR message[ipsec]

🔹 Exclude Filter (paste the entire line)

message[heartbeat] OR message[keepalive]

⚠ Warning Filter

message[down] OR message[disconnect]

❌ Error Filter

message[fail] OR message[error] OR message[deleted]

Step 2: Add Syslog Server on Sophos

Go to:

System services → Log settings → Add


Step 3: Choose Sending Log Types

REQUIRED (for VPN monitoring):

☑ SSL VPN tunnel
☑ Authentication events
☑ System events
☑ Admin events

These 4 minimum groups allow you to:

  • Catch VPN up/down

  • Capture user login/logout

  • Detect reboot/service restart


🔥 Optional (More Complete Logging)

☑ Firewall rules
☑ IPS (Anomaly + Signatures)


Step 4: Set Alert Thresholds

Tune alerts based on production behavior.

Avoid over-alerting.
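
The following added example (not part of the original guide and not PRTG's own code) evaluates the four filters from Step 1 against constructed syslog messages, so you can see which lines would be dropped, counted as warnings, or counted as errors before you deploy them. It assumes message[...] is a case-insensitive substring match, that the exclude filter wins over the include filter, and that error outranks warning; the function names and sample messages are hypothetical.

```python
import re

# Filter expressions copied from the sensor settings in this guide.
INCLUDE = "message[vpn] OR message[SSL] OR message[tunnel] OR message[ipsec]"
EXCLUDE = "message[heartbeat] OR message[keepalive]"
WARNING = "message[down] OR message[disconnect]"
ERROR = "message[fail] OR message[error] OR message[deleted]"


def matches(rule: str, message: str) -> bool:
    """OR-only rule: true if any message[...] term occurs in the message (assumed case-insensitive substring match)."""
    terms = re.findall(r"message\[([^\]]+)\]", rule)
    text = message.lower()
    return any(term.lower() in text for term in terms)


def classify(message: str) -> str:
    """Return 'dropped', 'error', 'warning' or 'ok' (assumed precedence: exclude > include, error > warning)."""
    if not matches(INCLUDE, message) or matches(EXCLUDE, message):
        return "dropped"
    if matches(ERROR, message):
        return "error"
    if matches(WARNING, message):
        return "warning"
    return "ok"


# Constructed sample messages (not captured from a real Sophos device).
SAMPLES = [
    "SSL VPN user alice connected",
    "SSL VPN user alice disconnected",
    "IPSec tunnel branch-hq is down",
    "IPSec tunnel branch-hq authentication failed",
    "IPSec tunnel branch-hq down: keepalive timeout",
    "Admin login from 192.0.2.10",
]


def run_samples() -> dict:
    """Classify every constructed sample and return {message: status}."""
    return {msg: classify(msg) for msg in SAMPLES}


if __name__ == "__main__":
    for msg, status in run_samples().items():
        print(f"{status:8} {msg}")
```

In this run the constructed tunnel-down message that mentions a keepalive timeout is dropped by the exclude filter, and the admin login line never passes the include filter, so compare the keywords against your firewall's real messages when tuning.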


❌ SENSORS TO AVOID (PREVENT LAG)

When you monitor Sophos, avoid unnecessary sensors:

❌ SNMP Disk Free (not required for Sophos firewall)
❌ SNMP Process (very resource-intensive)
❌ SNMP Everything Auto-Discovery (creates junk sensors)

Over-monitoring causes PRTG performance degradation.


🎯 Final Thoughts

A proper Sophos monitoring setup is not about adding every sensor available. It’s about:

  • Monitoring what matters

  • Setting intelligent thresholds

  • Avoiding noise

  • Protecting PRTG performance

With this structured approach, you now have a clean, scalable, and production-ready monitoring template for Sophos Firewall using PRTG.
