
Sophos Firewall
Host the ZTNA gateway on your existing Sophos Firewall, sharing policy and identity context. Simpler than spinning up separate cloud gateways for many deployments.
Sophos ZTNA gives users authenticated, per-application access to private resources without ever putting them on a flat corporate network. Identity-, device-, and posture-based decisions enforce least privilege automatically - on every connection, every time.
VPN gives the user a tunnel to a flat network. ZTNA gives the user a tunnel to one application, validated on every request. That difference closes the lateral-movement and over-privilege gaps that VPN created.
Users connect only to specific applications they’re authorized for. No flat-network subnet exposure. A compromised endpoint can’t pivot to anything it wasn’t already allowed to reach.
Sophos ZTNA integrates with Microsoft Entra ID, Okta, Google Workspace, and standard SAML / OIDC providers. Access decisions ride on the same identity your IdP already manages.
Sophos ZTNA checks the live posture of the device on every connection: OS version, patch level, encryption status, EDR health. Out-of-compliance? Access denied until self-remediation.
Deploy via Sophos’s cloud-delivered ZTNA gateways or host the gateway on your existing Sophos Firewall. Same policy, choose the deployment that fits your environment.
If Intercept X flags an endpoint as compromised, ZTNA cuts off that endpoint’s access automatically. No analyst pivot, no manual session revoke.
Works on Sophos-managed endpoints AND on BYOD devices. Different posture policies per device class, but same per-app access model for the user.
VPN was built when employees were inside the office and the network perimeter was meaningful. That hasn’t been true for years. ZTNA is the access model the modern workforce actually needs.
ZTNA replaces or augments existing remote access. These are the three patterns we see customers move on first.
End-of-life concentrator, painful patching cycle, or just the realization that flat-network VPN doesn’t fit the work pattern any more. ZTNA cuts over per-app, in parallel with the existing VPN.
Retire the concentratorExternal developers, vendor support, seasonal staff. ZTNA gives them access to only the specific apps they need, time-bounded, without enrolling their device into your domain.
Tightly-scoped temp accessAcquired company, separate IdP, can’t merge directories yet. ZTNA gives users from the acquired side access to specific apps in your environment without you joining the domains.
Access without integrationZTNA on its own gives you access control. Combined with the rest of the Sophos stack, you get detection-aware access that adapts as posture changes.

Host the ZTNA gateway on your existing Sophos Firewall, sharing policy and identity context. Simpler than spinning up separate cloud gateways for many deployments.

ITDR detects identity-based attacks at the directory level; ZTNA enforces access decisions based on that intel. Together they form a detection-plus-enforcement loop.

If you want ZTNA plus Endpoint Protection, Mobile, Protected Browser, DNS Protection, and Email Monitoring under one per-user license, the bundle is usually the way to buy.
Request user-based pricing for Sophos ZTNA, or talk to our team about a phased VPN-to-ZTNA migration plan for your environment.