This article describes how to implement a full Active/Active HA Sophos XG on Azure. The deployment makes use of the new Azure standard load balancer with its HA ports feature for outbound load distribution.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Log into the Azure Portal and open another browser tab to browse to the following URL: https://github.com/sophos-iaas/xg-azure-aa.
Scroll down the page and click on the Deploy to Azure button. This will open up the template in the Azure portal.
In the Custom deployment window, configure the following:
In the Terms and Conditions section, tick the checkbox to agree to the terms and click on Purchase.
If the deployment is successful, you will be able to connect directly to the WebAdmin of each Sophos XG instance using TCP ports 4444, 4445, 4446 respectively.
If the deployment is successful, you will be able to connect directly to the SSH of each Sophos XG instance using TCP ports 2222, 2223, 2224 respectively.
Run the following command:
ssh admin@<public IP> -p 2222
Enter yes when prompted regarding the authenticity of the host
Enter the admin password when prompted
In the console window, type 5 and press Enter to select Device Management
Type 3 and press Enter to select Advanced Shell
Type the following command:
ip rule show
Verify that an ip rule exists that maps traffic between the XG’s LAN IP (10.42.2.5 in this example) and the Azure Magic IP (126.96.36.199) to route table (“lookup”) 200.
Next, type the following command to display the contents of table 200:
ip route show table 200
Verify that the default route matches the XG’s LAN adapter subnet gateway (by default this is the first IP address of the subnet in Azure, in our example this is 10.42.2.1).
Repeat the above steps for the remaining Sophos XG appliances. Remember to use the right SSH ports to connect to each of them.
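To make the check above repeatable across all three appliances, here is an added helper script (not part of the Sophos article or the xg-azure-aa template). It takes the text of ip rule show and ip route show table 200 and confirms the two conditions the article asks you to verify; the sample outputs are constructed around the article's example values, and on a live appliance you would capture the real command output instead.

```sh
#!/bin/sh
# Added helper (not from the Sophos article): checks the two things the
# article tells you to verify on each XG, given the text of `ip rule show`
# and `ip route show table 200`. The sample outputs are constructed around
# the article's example values (LAN IP 10.42.2.5, gateway 10.42.2.1,
# table 200); on a live appliance, capture the real command output instead.

# Escape dots so an IP address can be used inside an extended regex.
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Succeeds (exit 0) if a rule maps traffic from $2 to $3 to lookup table $4.
check_ip_rule() {
  rules="$1"; lan_ip="$2"; probe_ip="$3"; table="$4"
  printf '%s\n' "$rules" |
    grep -Eq "from $(esc "$lan_ip") to $(esc "$probe_ip") (.* )?lookup ${table}( |$)"
}

# Succeeds (exit 0) if the table's default route goes via gateway $2.
check_default_gw() {
  routes="$1"; gateway="$2"
  printf '%s\n' "$routes" | grep -Eq "^default via $(esc "$gateway")( |$)"
}

# Runs both checks and reports; exit status 0 only when both pass.
verify_xg() {
  rules="$1"; routes="$2"; lan_ip="$3"; probe_ip="$4"; table="$5"; gw="$6"
  ok=0
  if check_ip_rule "$rules" "$lan_ip" "$probe_ip" "$table"; then
    echo "OK   rule $lan_ip -> $probe_ip uses table $table"
  else
    echo "FAIL no rule mapping $lan_ip -> $probe_ip to table $table"; ok=1
  fi
  if check_default_gw "$routes" "$gw"; then
    echo "OK   table $table default route via $gw"
  else
    echo "FAIL table $table default route is not via $gw"; ok=1
  fi
  return $ok
}

# Constructed sample output, formatted like the real commands print it.
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.42.2.5 to 126.96.36.199 lookup 200
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default via 10.42.2.1 dev PortB
10.42.2.0/24 dev PortB scope link'

verify_xg "$SAMPLE_RULES" "$SAMPLE_ROUTES" 10.42.2.5 126.96.36.199 200 10.42.2.1
```

On a real appliance, replace the two SAMPLE_ variables with `$(ip rule show)` and `$(ip route show table 200)` from the Advanced Shell, and substitute the LAN IP and gateway of the XG you are checking.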
The health probe status metric describes the health of the Sophos XG instances according to the load balancer health probe configuration. The Azure load balancer uses the status of the health probe to determine where to send new flows. Health probes originate from an Azure infrastructure address and are visible within the OS of the VM.
Some reasons why health probes may fail include:
In the Azure Portal, go to Load balancers to select any of the load balancers that you want to verify.
In the monitoring section, click on Metrics.
In the Loadbalancer - Metrics window, select the Health Probe Status metric with Avg aggregation type.
You can filter on the Backend IP address of a particular Sophos XG instance, on the probed port, or on both.
Note: The graph may fluctuate; this does not matter as long as the probe status does not drop to 0, at which point the instance is removed from the pool of healthy instances.