Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This knowledge base article details how to deploy the Sophos XG Firewall DMZ in Microsoft Azure using a dual NIC architecture. This architecture has the benefit of being able to use Sophos Synchronized Security.The DMZ can be deployed as a private DMZ or a public DMZ:
Microsoft recommends that private and public DMZ are separated.
The following sections are covered:
Applies to the following Sophos products and versionsXG on Azure Marketplace
The Sophos XG Firewall can be deployed to Azure using different methods: via the Azure marketplace, from the Sophos Iaas github page, using Powershell, using the Azure CLI, using an ARM template. For this deployment, the Azure marketplace is used, but a different deployment scenario may be more suitable for your environment. For example, if you're looking to automate your deployment process, using an ARM template, Powershell or Azure CLI may be more suitable for your scenario.There are two licensing options available for the XG Firewall on Azure: BYOL and PAYG. More information about licensing is available on the FAQ page.In this task, we used the BYOL option but you can also select the PAYG option. As part of this process, we created a new resource group to use as a container for all resources that will be created, this is so that we can remove the resources easily afterward.
After deploying the XG Firewall, it needs to be activated and synchronize its license (for BYOL deployment) before we can begin to configure its security and networking features.
The following steps are to be done only if you selected the BYOL deployment model. Not needed for the PAYG deployment model.
Most of the Network/System Engineers and Architects are familiar with traditional network architectures that requires the different networks that will be protected to terminate at a physical or logical network interface behind the Sophos XG Firewall. While this architecture is possible with the Sophos XG appliance in the Azure public cloud (please refer to Sophos documentations and videos on how to configure this), this architecture is not scalable and it limits the ability of organizations to take advantage of the benefits of adopting a public cloud strategy like agility and automation. In this task, we will complete the following:
Update the firmware of the Sophos XG Firewall by following the instructions on How to upgrade the firmware automatically.Enable logging on the XG Firewall (we need this for later verification of different features. It's also advisable to configure syslog on the XG to ensure that the logs are centrally stored).
After completing all the steps above, we have the architecture below:
This subnet can be used for VMs implementation that hosts management and monitoring capabilities for the components running in the VNet. In this scenario, we will deploy a Windows server that we can use as a Jumphost into this subnet.
Internet-bound traffic from a subnet is routed via an Azure provided internet gateway. This is an Azure managed, automatically provisioned gateway that does not have the advanced security features of the Sophos XG Firewall. To be able to inspect outbound traffic from a subnet, we will need to create a route table that routes internet bound traffic to the Sophos XG Firewall and then attach the route table to the subnet that we want.
We need to configure the Sophos XG Firewall to route traffic that is going to our internal subnets out of its LAN interface instead of out of its WAN interface.
Open an RDP client and enter the following:
After completing the above sections, we have the architecture below:
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.Previous article ID: 128102
Please try to create a LAN-to-LAN firewall rule with action as Allow on XG firewall, so that it allows intra-VNET traffic.
I follow up above architecture and then I created a new management server in management subnet. But I cannot talk to mgmt-srv-1 between the same vnet
I have followed this guide step by step but cannot get Internet on any VMs within Azure. Does anyone have any suggestions?