This article details how to deploy the Sophos XG Firewall DMZ in Microsoft Azure using a dual NIC architecture. This architecture has the benefit of being able to use Sophos Synchronized Security.
The DMZ can be deployed as a private DMZ or a public DMZ. Microsoft recommends that private and public DMZs are kept separate.
The following sections are covered:
Applies to the following Sophos products and versions: XG on Azure Marketplace
The Sophos XG Firewall can be deployed to Azure using different methods: from the Azure Marketplace, from the Sophos IaaS GitHub page, using PowerShell, using the Azure CLI, or using an ARM template. For this deployment, the Azure Marketplace is used, but a different method may be more suitable for your environment. For example, if you're looking to automate your deployment process, an ARM template, PowerShell or the Azure CLI may be more suitable.
There are two licensing options available for the XG Firewall on Azure: BYOL and PAYG. More information about licensing is available in the FAQ page.
In this task, we used the BYOL option, but you can also select the PAYG option. As part of this process, we created a new resource group to use as a container for all resources that will be created, so that the resources can be removed easily afterwards.
Go to the Azure Portal and click New in the upper left corner. In the New blade, type Sophos and press Enter.
In the Everything blade, click Sophos XG Firewall.
In the Sophos XG Firewall blade, click on Create.
In the Create Sophos XG Firewall blade, Basics section, configure the following:
In the Create Sophos XG Firewall blade, under the Instance Details Configure Instance Details section, set the following:
After deploying the XG Firewall, it needs to be activated and its license synchronized (for BYOL deployments) before we can begin to configure its security and networking features.
The following steps are needed only if you selected the BYOL deployment model; they are not needed for the PAYG deployment model.
In the Azure Portal, click on All resources on the left pane, select sophosxgAzureFw01 and click on Overview to make a note of the public IP address of the XG Firewall.
Open a new browser tab and type https://<public ip address>:4444. This opens the WebAdmin page of the Sophos XG Firewall deployed earlier (sophosxgAzureFw01). Since you're accessing the Device Management user interface for the first time, you will see a security alert indicating that the software presents an untrusted certificate; click the Advanced or Proceed link (the alert displayed varies by browser).
Enter the username admin and the password set earlier in the deployment.
Note: Ensure that you're accessing this from a network that allows outbound TCP port 4444 to the Internet.
Once logged in successfully, follow Sophos XG Firewall: How to register and activate your XG Firewall after a fresh installation to complete the activation process.
Most Network/System Engineers and Architects are familiar with traditional network architectures, which require each network to be protected to terminate at a physical or logical network interface behind the Sophos XG Firewall. While this architecture is possible with the Sophos XG appliance in the Azure public cloud (please refer to Sophos documentation and videos on how to configure it), it is not scalable and it limits the ability of organizations to take advantage of the benefits of a public cloud strategy, such as agility and automation. In this task, we will complete the following:
Update the firmware of the Sophos XG Firewall by following the instructions on How to upgrade the firmware automatically.
Enable logging on the XG Firewall (we need this for later verification of the different features; it is also advisable to configure syslog on the XG so that logs are stored centrally).
Modify the gateway failover rule on the XG Firewall. If this is not completed, you may see an alert similar to the one in the picture below on the XG dashboard. This step disables ICMP monitoring of the default gateway, because Azure default routers cannot be pinged. For more information about Azure routers, refer to Azure Virtual Network frequently asked questions (FAQ).
Modify the default network security group of the WAN NIC of the XG Firewall to allow management traffic only from trusted IP addresses. This further locks down the deployment and ensures that traffic is forced to be routed through the XG Firewall for inspection.
Modify the default network security group of the WAN NIC of the XG Firewall to allow RDP traffic only from trusted IP addresses. Port forwarding to a backend jumphost using RDP will be enabled later in this document.
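The NSG lockdown from the last two steps, done with the Az PowerShell module instead of the portal. This is an added example, not Sophos code from the article; the resource group name, the NSG name attached to the XG WAN NIC and the trusted source prefix are placeholders you must replace.

```powershell
# Added example (not from the article): restrict the XG WAN NIC's NSG so that the
# WebAdmin port (4444) and the forwarded RDP port (3389) accept inbound traffic
# only from trusted addresses. Existing Allow rules are rewritten in place, so the
# rule priorities the marketplace template chose are left as they are.
$ResourceGroup = 'sophosxg-rg'               # placeholder
$WanNsgName    = 'sophosxgAzureFw01-wan-nsg' # placeholder: NSG on the XG WAN NIC
$TrustedSource = [System.Collections.Generic.List[string]]@('203.0.113.10/32')  # placeholder admin IPs
$MgmtPorts     = @('4444', '3389')

$nsg = Get-AzNetworkSecurityGroup -Name $WanNsgName -ResourceGroupName $ResourceGroup

# Rewrite every inbound Allow rule whose destination port list names one of the
# management ports. Rules written as ranges (e.g. '4000-5000') or '*' are not
# matched here and should be reviewed by hand.
$changed = @()
foreach ($rule in $nsg.SecurityRules) {
    if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
    $hit = $rule.DestinationPortRange | Where-Object { $MgmtPorts -contains $_ }
    if (-not $hit) { continue }
    $rule.SourceAddressPrefix = $TrustedSource
    $changed += $rule.Name
}
if ($changed.Count -eq 0) {
    throw "No inbound Allow rules for ports $($MgmtPorts -join ', ') found in $WanNsgName"
}

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: the rewritten rules must now list only the trusted prefix as source.
Get-AzNetworkSecurityGroup -Name $WanNsgName -ResourceGroupName $ResourceGroup |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object { $changed -contains $_.Name } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The script only narrows Allow rules; the default DenyAllInBound rule still drops everything that no Allow rule matches.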
After completing all the steps above, we have the architecture below:
This subnet can be used for VMs that host management and monitoring capabilities for the components running in the VNet. In this scenario, we will deploy a Windows server into this subnet to use as a jumphost.
From the Azure Portal, go to All resources > sophosxg-azure-vnet > Subnets. In the sophosxg-azure-vnet - Subnets blade, click on + Subnet to add a new subnet to the virtual network.
In the Add subnet blade, configure the following:
From the Azure Portal in the upper left corner, click New and type Windows Server into the search box and press enter. In the Everything blade, click on Windows Server 2016 Datacenter.
In the Windows Server 2016 Datacenter blade, ensure that the deployment model is Resource Manager, then click on Create.
In the Create virtual machine blade, in the Basics - Configure basic settings section, configure the following:
In the Size - Choose virtual machine size blade, configure the following:
In the Settings - Configure optional features blade, configure the following:
On the Summary blade, ensure that the validation passed and click Create.
Internet-bound traffic from a subnet is routed via an Azure-provided Internet gateway. This is an Azure-managed, automatically provisioned gateway that does not have the advanced security features of the Sophos XG Firewall. To be able to inspect outbound traffic from a subnet, we need to create a route table that routes Internet-bound traffic to the Sophos XG Firewall and then attach the route table to the subnet we want to protect.
From the Azure Portal in the upper left corner, click New and type Route Table into the search box and press enter. In the Everything blade, select Route Table.
In the Route table blade, click on Create.
In the Create route table blade, configure the following:
From the Azure Portal in the lower left corner, click on More Services and type Route Tables in the search box and press enter, then select Route tables.
In the Route tables blade, go to management-subnet-routetable > Routes and click Add.
In the Add route blade, configure the following:
Repeat the step above to add two other routes with the following settings:
Note: You can obtain the private IP of the XG Firewall WAN NIC by going to All resources > sophosxgAzureFw01 > Networking > PortA (use the IP of the internal NIC).
You should now have the following three routes in the route table:
From the Azure Portal in the lower left corner, click on More Services, type Route Tables in the search box and select Route tables.
In the Route tables blade, go to management-subnet-routetable > Subnets and click on Associate.
In the Associate subnet blade, click on Virtual network - choose a virtual network and select the sophosxg-azure-vnet virtual network.
In the Choose subnet blade, select the management-subnet subnet and click OK.
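The same route table creation and subnet association as the steps above, done with the Az PowerShell module. This is an added example, not code from the article; it creates only the default route towards the XG (the article's other two routes are added the same way with further New-AzRouteConfig entries), and the resource group, region, subnet prefix, XG next-hop IP and jumphost NIC name are placeholders.

```powershell
# Added example (not from the article): build management-subnet-routetable with a
# default route whose next hop is the XG Firewall, attach it to management-subnet,
# and confirm from the jumphost NIC that 0.0.0.0/0 no longer points at 'Internet'.
$ResourceGroup = 'sophosxg-rg'          # placeholder
$Location      = 'westeurope'           # placeholder: must match the VNet's region
$VnetName      = 'sophosxg-azure-vnet'
$SubnetName    = 'management-subnet'
$SubnetPrefix  = '10.0.2.0/24'          # placeholder: prefix chosen when the subnet was added
$XgNextHopIp   = '10.0.0.4'             # placeholder: private IP of the XG NIC noted in the portal
$JumphostNic   = 'jumphost-nic'         # placeholder: NIC of the Windows jumphost

# Route 1 of 3: everything not matched by a more specific route goes to the XG.
# A NextHopType of VirtualAppliance is what makes Azure hand the packet to the NIC
# at $XgNextHopIp instead of the platform Internet gateway.
$routes = @(
    New-AzRouteConfig -Name 'default-via-xg' -AddressPrefix '0.0.0.0/0' `
        -NextHopType VirtualAppliance -NextHopIpAddress $XgNextHopIp
)
$rt = New-AzRouteTable -Name 'management-subnet-routetable' `
        -ResourceGroupName $ResourceGroup -Location $Location -Route $routes

# Associate the route table with the subnet; the address prefix must be re-supplied.
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $SubnetPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify using the effective routes of a NIC in the subnet (the VM must be running).
# Expected: the 0.0.0.0/0 entry shows NextHopType VirtualAppliance and $XgNextHopIp.
Get-AzEffectiveRouteTable -NetworkInterfaceName $JumphostNic -ResourceGroupName $ResourceGroup |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective route for 0.0.0.0/0 still shows NextHopType Internet, the subnet association did not take effect and outbound traffic is bypassing the firewall.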
We need to configure the Sophos XG Firewall to route traffic that is going to our internal subnets out of its LAN interface instead of out of its WAN interface.
From the GUI of the sophosxgAzureFw01 Firewall, go to Routing > Static Routing and click Add and configure the following:
Go to Firewall > + Add Firewall Rule and select Business Application Rule.
Configure the following:
Under Firewall, click to disable the rule named Auto added firewall policy (this policy was auto-created by the Email protection MTA).
At the confirmation prompt, click OK. The rule should now be disabled and greyed out.
Go to Firewall > + Add Firewall Rule and select User/Network Rule.
Open an RDP client and enter the following:
You should now be connected to the management server through the Sophos XG Firewall.
From the RDP session of the management server, open a browser and surf the Internet to trigger some outbound traffic.
From the GUI of the XG Firewall, go to Firewall and verify that the traffic is allowed by the two recently created firewall rules.
Click on Log Viewer in the upper right corner of the GUI.
Type 3389 in the search box and press Enter. You should be able to see the RDP traffic in the logs containing the information specified below:
After completing the above sections, we have the architecture below: