This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Firewall on AWS: How to Deploy

Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific AWS environment.

Special thanks to  and  


  1. To deploy the XG on AWS Firewall you’ll first need to visit the Sophos AWS Marketplace Product page and choose which listing you would like to use. Currently, XG Firewall is available for standalone deployment using both the BYOL and PAYG licensing methods. Free trial options are available for both license types.

  1. Once the desired listing is chosen, the next step is to subscribe to the software terms by clicking on the ‘Subscribe’ button shown in the upper right corner of the listing screen.

  1. Next, you’ll be prompted to choose configuration options. For Fulfillment Option choose CloudFormation Template, then choose the AWS Region that you wish to deploy to. Next click on the Launch button which will then redirect you to the AWS CloudFormation console.

  1. A CloudFormation template is used to simplify the process of deploying XG Firewall into an AWS account. The redirect from the AWS Marketplace listing page should redirect to the AWS CloudFormation console and begin a Stack creation in your region of choice as shown below. No information is needed on this initial page so you can simply click

  1. On the ‘Specify stack details’ page, enter a descriptive Stack Name and then either accept or modify the default parameters for AMI ID, EC2 Instance size, Public Subnet Availability Zone, and Network Prefix if creating a new VPC as part of the XG Firewall deployment process.

     If you wish to use an existing VPC, you can leave the default settings.

  1. Continue entering Required parameters such as the Trusted Network CIDR that will be used to manage the XG Firewall, confirm the Pricing option you wish to use (BYOL or PAYG), and the SSH Key which will be for shell access to the XG Firewall. If deploying into an existing VPC, enter the VPC ID, an existing Public Subnet ID, an existing Private Subnet ID, and choose to have the template create a new Elastic IP or utilize an existing available EIP. Once all information is entered, click on the Next button to continue.

  1. No items on the next page are required so you can simply click the Next button to continue to the Create Stack

  1. Stack creation typically takes between 5-10 minutes, and once done should change to a CREATE_COMPLETE status as shown below. The Outputs tab will show the EIP assigned to the XG Firewall with a label of Note that after Stack creation the EC2 Instance may still need additional time to complete its startup before it is ready. Status of the EC2 instance can be viewed in the EC2 Console, and the details on the EC2 instance including its physical ID are shown under the Resources tab.

  1. Once the EC2 Instance is running, copy the assigned Public IP and use both https and the webadmin port to begin initial configuration. https://PublicIPAddress:4444. Note that the XG Firewall by default uses a self signed certificate and so your browser will display a warning message. Once you have navigated past the certificate warning you should see the Welcome to Sophos XG Firewall page, click the Click to begin button at the bottom of the screen.

  1. Next you’ll be prompted to perform the basic configuration which includes:
    • Setting a password for the default admin account which will be used to login to the XG Firewall.

    • Configuring a firewall Name and choosing the Time Zone.

    • Registering your XG Firewall by entering an existing XG serial number, starting a 30 day trial which will automatically generate an XG serial number, or by migrating an existing UTM 9 license.

    • If starting a trial you will be redirected to the Sophos XG licensing portal where a new serial number will be generated.

    • Once complete, you will be prompted to Confirm Registration and Evaluation license.

    • Then you must finish by clicking the Initiate License Synchronization

  1. Once Basic setup is complete, the license details will be shown. At the bottom of the screen you can click on Continue to configure advanced settings, but for AWS deployments you simply need to click the Skip to finish button located at the bottom of the screen.

This thread was automatically locked due to age.