Can I connect my fiber directly to my own firewall w SFP/transceiver?

There's a couple of issues that you'll run into for a consumer and/or small business GPON/XPS-PON shared fiber installation:

1) AT&T has to configure the ONT to work on their network, and that must be done by the AT&T installer who installs that ONT.  It cannot be done over the phone with a CSR or online, or via any other mechanism.  So, you have to have an AT&T installed ONT.

2) A device has to respond to a request that arrives via that ONT with the proper certificate showing that it's an AT&T-provided device with AT&T's firmware in it.  That's supposed to be done by the AT&T-provided Gateway (BGW210, 5268AC).

AT&T actually now uses an all-in-one device, the BGW320 which has the ONT and the Gateway in one enclosure, and uses an SPF+ media converter to connect the fiber to the BGW... but they seem to be having an easier time of getting Nokia 020 ONTs at the moment so some people are getting them.  2 gbps and 5 gbps service require a BGW320.

Hi JefferMC... Thank you very much for a super-fast response.

I think I let the tech go too early then, is what you appear to be saying, because I needed AT&T to install a certificate on my firewall to recognize my device (which, I can appreciate; not a bad plan) as if it's 'their' ONT for my services to operate. 

I see your point...  Ok... I can deal with their modem in line. In all reality, not what I prefer, but not a giant deal breaker either. All I really gain is one less thing to operate on my UPS. 

One small point of clarification; I ended up purchasing the 1G service for now, so I didn't get the newer BGW-505... just the BGW-500. I also haven't looked into the Nokia 020 ONT at all. But based on your previous point, it appears that a physical visit is needed to load a certificate on to a Nokia or my firewall, so either way, it's a service call. 

Ok.. Question answered.. I am resolved to use their modem on the outside and in passthrough mode and we'll see the next step looks like soon.

Thank you again for your time and thoughtful answer.

Best!

Steve

The BGW320 comes in two variants, the -500 and the -505.  Neither is "newer," they're just made by different manufacturers and are supposed to be functionally equivalent.  (Yes, there are probably subtle differences, don't know what any of them are).

I've never known a tech to register anything but an AT&T ONT.  For most people, IP Passthrough on the BGW320 just works.

1. What are they configuring on the ONT to work on their network? I want to skip their ONT entirely. I don't need to configure their ONT. I want to configure my ONT, which I own, so I can configure it. What are the settings needed to connect to the GPON network?
2. Are you talking about 802.1X EAP certificate? You can also download yours easily enough and run your own wpa_supplicant or EAP proxy. Technically savvy users can do this if they want.

1) We cannot discuss such information on this forum.  AT&T requires the use of their equipment, any information to facilitate bypassing their equipment is forbidden by the Community Guidelines.

2) Ditto.

I am in no way trying to bypass AT&T's equipment. On the contrary, I'm trying to authenticate securely and directly to AT&T's equipment.

I am in no way trying to bypass AT&T's equipment.

Oh, really?  Then how should I have interpreted this:

I want to skip their ONT entirely.

The ONT (either in a separate box or in the Gateway that they require you to use) is AT&T equipment.  How can you "skip their ONT entirely" but not "bypass AT&T's equipment."

Oh, right... you only meant that you didn't want to bypass the AT&T equipment outside your home.  Well, that's not a distinction AT&T makes.

It's a huge distinction. AT&T's demarcation point is outside of my home. If I cause problems inside that line, it's my problem. Otherwise, it's theirs.

DEMARC is an old tariffed telephony terminology.  AT&T is very inconsistent these days about how they terminate the fiber as it enters your home.  They may run the outside drop straight to a wall plate next to your ONT/Gateway.

6.13.2 Additional Equipment for AT&T Wired Internet Customers:

AT&T will make available to you certain equipment, which may include one or more of the following:

• a Wi-Fi Gateway (“WG”) located inside your premises;
• anOptical Network Terminal(“ONT”) where AT&T’s fiber network terminates, which may be located inside your premises, on the outside of your premises, in your garage, or in a central location in a MTU environment; and
• anIntelligent Network Interface Device(“iNID”) (which provide your services if you do not have a gateway),

all of which are herein collectively referred to as “Internet Equipment,” required for your Service. If you have not purchased Internet Equipment from AT&T or if previously purchased Internet Equipment is beyond the one-year (1-year) warranty period (from date of installation) and requires replacement, then you agree to pay a monthly equipment fee for the Internet Equipment, as part of your purchase of or continued use of the Service and/or other AT&T services. Equipment fees and purchase options depend on the AT&T Services and/or rate plans you order and the installation options you choose.

The WG is installed inside your premises and is required for the Service to function. A WG allows multiple devices to connect and communicate to the internet wirelessly. Smartphones, tablets and laptops are common devices that access the internet through a WG. A WG resides indoors and has a power cord that plugs into a common electrical outlet. A battery backup is recommended in case of a power outage. Some WGs have an external battery backup while others have an internal battery backup. AT&T will install the WG. Once the WG has been installed by AT&T, you may not move the WG to a different location or reposition at your address or any other address. Our latest WGs combine the WG and the ONT into a single device, but many older WGs still require a separate ONT to operate.

and

6.2.4.4 Home Network Management and Security:

AT&T reserves the right to manage remotely any equipment used to access any Internet Service, whether that equipment is connected via a wired or wireless connection. That may include facilitating the connection of that equipment, monitoring traffic for potential issues, managing applicable settings and/or remotely updating software or firmware

"AT&T will make available to you certain equipment" indicates it's not required. I don't need the "WG" part of the "Service". I see they are allowed to charge me for it, even if I don't use it.

I wish them luck in remotely managing my router. I watch hackers try all the time.