Sophos XG Firewall: Reference architecture on Azure with dual NIC

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This knowledge base article details how to deploy the Sophos XG Firewall DMZ in Microsoft Azure using a dual NIC architecture. This architecture has the benefit of being able to use Sophos Synchronized Security.

The DMZ can be deployed as a private DMZ or a public DMZ:

  • A public DMZ is the security tier that handles connectivity to the outside world, i.e. the Internet.
  • A private DMZ is the security tier that handles hybrid (on-premises) connectivity.

Microsoft recommends that private and public DMZ are separated.


Applies to the following Sophos products and versions
XG on Azure Marketplace

Prerequisites

  • Microsoft Azure subscription.
  • Sophos XG Firewall serial number obtained from a Sophos Partner or from Sophos Sales for BYOL (Bring Your Own License). This serial number is not needed for PAYG (Pay As You Go). You can also register for a free evaluation serial number.
  • An existing Sophos ID account.
  • A Sophos Central account with Sophos Central Server Advanced Licensing. You can sign up for a free trial.

Deploy the Sophos XG Firewall on Azure

The Sophos XG Firewall can be deployed to Azure in several ways: from the Azure Marketplace, from the Sophos IaaS GitHub page, with PowerShell, with the Azure CLI, or with an ARM template. This article uses the Azure Marketplace, but a different method may suit your environment better; for example, if you want to automate the deployment, an ARM template, PowerShell or the Azure CLI is more appropriate.

There are two licensing options available for the XG Firewall on Azure: BYOL and PAYG. More information about licensing is available on the FAQ page.

In this task we used the BYOL option, but you can also select PAYG. As part of this process we created a new resource group as a container for all resources that will be created, so that they can be removed easily afterwards.

  1. Go to the Azure Portal and click Create a resource in the upper left corner. In the search bar, type Sophos, press enter and select Sophos XG Firewall.
  2. In the Sophos XG Firewall blade, click on Create.
  3. In the Create Sophos XG Firewall blade, Basics section, configure the following:

    • Subscription: Select the subscription that you want this resource to be associated with.
    • Resource group: Select Create new and choose a name like sophosxg-poc-azure-rg (feel free to follow your preferred naming convention).
    • Region: Select the Azure region that you want to deploy the resource to.
    • VM Name: sophosxgAzureFw01.
    • Password: Enter a complex password (make a note of this password).
    • Confirm password: Confirm the complex password that was previously entered.
    • Click Next: Instance Details.

  4. In the Create Sophos XG Firewall blade, under the Instance Details section, set the following:

    • License Type: BYOL or PAYG (You must have an existing serial number to be able to activate a BYOL deployment).
    • Virtual machine size: Click Choose a size. Search for D2_v2, select D2_v2, and click Select to proceed. You can refer to Purchasing Sophos on Azure to select any of the supported VM sizes.
    • Virtual Network: Click on Create new and configure the following:
      • Name: sophosxg-azure-vnet.
      • ADDRESS SPACE:
        • Address range: 10.10.0.0/16 (feel free to use your preferred IP address scheme).
      • SUBNETS:
        • Subnet name: sophosxg-public-dmz-frontend.
        • Address range: 10.10.254.0/24.
        • Subnet name: sophosxg-public-dmz-backend.
        • Address range: 10.10.1.0/24.
      • Click OK.
    • Public IP name: Click on Create new and configure the following:
      • Name: sophosxgAzureFw01-pip.
      • SKU: Basic (Basic SKU public IPs do not support availability zones and Microsoft has announced their retirement; choose Standard if you need a supported long-term configuration).
      • Assignment: Static.
      • Click OK.
    • Domain name: Enter a unique domain name (this name must be unique across the entire <azure region>.cloudapp.azure.com domain namespace).
    • Storage Account: Click on Create new and configure the following:
      • Name: sophosxgpocstoreXXXX (add a random number where it says XXXX to have a unique name across the entire core.windows.net domain namespace).
      • Account kind: Storage (general purpose v1)
      • Performance: Standard.
      • Replication: Locally-redundant storage(LRS).
      • Click OK.
    • Click Next: Review + create >.
    • Ensure that the validation passed and click Create. If there’s a failure, review the failure message and go back to the necessary node to fix the issue.
  5. The deployment should now be in progress. Optionally click on the top right corner on the notification button, then click on Deployment in progress to view and monitor the deployment.
  6. Wait until the deployment succeeds before proceeding and then click on Go to resource group.


  7. Verify that you have 10 items in the resource group.



Configure the Sophos XG Firewall

After deploying the XG Firewall, it needs to be activated and synchronize its license (for BYOL deployment) before we can begin to configure its security and networking features. 

Activate the Sophos XG Firewall

The following steps are to be done only if you selected the BYOL deployment model. Not needed for the PAYG deployment model.

  1. In the Azure Portal, click on Virtual machines, select sophosxgAzureFw01, and click on Overview to make a note of the public IP address of the XG Firewall.



  2. Open a new browser tab and go to https://<public ip address>:4444. This opens the WebAdmin of the Sophos XG Firewall deployed earlier (sophosxgAzureFw01). On first access the browser shows a certificate warning because WebAdmin uses a self-signed certificate; click Advanced or Proceed (the exact wording depends on your browser).

    Note: Ensure that you’re accessing this from a network allowing TCP port 4444 outbound to the internet.



  3. Enter the username admin and the password set earlier in the deployment.
  4. Accept the Sophos End-User License Agreement.
  5. Once logged in successfully, follow Sophos XG Firewall: How to register and activate your XG Firewall after a fresh installation to complete the activation process.

Perform basic configuration on the XG Firewall

Traditional networking vs software-defined networking

Most network and system engineers and architects are familiar with traditional network architectures, which require each network to be protected to terminate on a physical or logical interface behind the Sophos XG Firewall. While this is possible with the Sophos XG appliance in Azure (refer to Sophos documentation and videos on how to configure it), it does not scale and limits the ability of organizations to take advantage of public cloud benefits such as agility and automation. In this task, we will complete the following:

  • Update the firmware of the appliance.
  • Enable Logging on the XG firewall.
  • Modify the gateway failover rule on the XG Firewall to avoid getting the interface error message on the dashboard.
  • Modify the default network security group of the WAN NIC so that management traffic (WebAdmin, SSH and, later, RDP) is allowed only from trusted source IP ranges.

Update the firmware of the Sophos XG Firewall by following the instructions on How to upgrade the firmware automatically.

Enable logging on the XG Firewall (we need this for later verification of different features. It's also advisable to configure syslog on the XG to ensure that the logs are centrally stored).

  1. Log into the graphical user interface (GUI) of the sophosxgAzureFw01 firewall at https://<public ip address>:4444.
  2. Go to System services > Log settings, select all and click Apply.
  3. Click OK when prompted.
  4. Modify the gateway failover rule on the XG Firewall. If this is not completed, you may get an alert similar to the one shown below on the XG dashboard. This step disables ICMP monitoring of the default gateway, because the Azure default gateway does not respond to ping. For more information about Azure routers, refer to Azure Virtual Network frequently asked questions (FAQ).



    • Go to Routing > Gateways and edit the IPv4 gateway.
    • Click Edit under Failover rules section.
    • Modify the protocol from PING to TCP, the port from * to 53, and the IP Address to 8.8.8.8 (you can use any host or port that you want for monitoring as long as it's reachable). Click Save and click OK at the prompt to save the new failover rule.



    • Go back to the Webadmin dashboard to verify the status of the interface which should now be green.



  5. Modify the default network security group of the WAN NIC of the XG Firewall so that management traffic (WebAdmin on TCP 4444 and SSH on TCP 22) is allowed only from trusted IP addresses. The marketplace template allows these ports from Any; narrowing the source locks down the management surface of the firewall itself.

    • From the Azure Portal, go to All resources > SecurityGroup > Inbound security rules and click on allow_webui rule to edit it.
    • In the allow_webui blade, make the following modifications:
      • Source: Change from Any to IP Addresses.
      • Source IP addresses/CIDR ranges: Input your trusted public IP range in CIDR format (e.g. 203.0.113.10/32, a documentation address; use your own range).
      • Leave the other settings as they are.
      • Click on Save.
    • Click on allow_ssh to edit the rule and make the following modifications:
      • Source: Change from Any to IP Addresses.
      • Source IP address range: Input your trusted public IP range in CIDR format (e.g. 203.0.113.10/32, a documentation address; use your own range).
      • Leave the other settings as they are.
      • Click on Save.

  6. Modify the default network security group of the WAN NIC of the XG Firewall to allow RDP traffic only from trusted IP addresses. Port forwarding to a backend jumphost using RDP will be enabled later in this document. Keep the source restriction: a rule with source Any would expose RDP on the firewall's public IP to the whole Internet.

    • From the Azure Portal, go to All resources > SecurityGroup > Inbound security rules and click on Add.
    • In the Add inbound security rule blade, configure the following:

      • Source: Change from Any to IP Addresses.
      • Source IP address range: Input your trusted public IP range in CIDR format (e.g. 203.0.113.10/32, a documentation address; use your own range).
      • Source port ranges: *.
      • Destination: Any.
      • Destination port ranges: 3389.
      • Protocol: TCP.
      • Action: Allow.
      • Priority: Leave the default setting.
      • Name: allow_rdp.
      • Leave the other settings as they are.

    • Click Add.
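The same NSG changes as steps 5 and 6, scripted with the Az PowerShell module, as an added example (not code from the Sophos article). It assumes Az.Network is installed and Connect-AzAccount has been run, that the marketplace NSG is still named SecurityGroup with rules allow_webui and allow_ssh, and it uses 203.0.113.0/24 (an RFC 5737 documentation range) as a stand-in for your trusted public range; the final check re-reads the NSG and reports inbound Allow rules still open to any source.

```powershell
# Added example, not code from the Sophos article: restrict the marketplace NSG so
# WebAdmin, SSH and RDP are reachable only from a trusted range, then re-read the
# NSG and report any inbound Allow rule still open to any source.
# ASSUMPTIONS (not in the article): Az.Network installed, Connect-AzAccount done,
# rule names match the template, 203.0.113.0/24 stands in for your real range.
$rg      = 'sophosxg-poc-azure-rg'
$nsgName = 'SecurityGroup'
$trusted = @('203.0.113.0/24')          # ASSUMPTION: replace with your own range(s)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Step 5 of the article: tighten the two management rules the template created.
foreach ($ruleName in 'allow_webui', 'allow_ssh') {
    $rule = $nsg.SecurityRules | Where-Object Name -eq $ruleName
    if (-not $rule) { throw "Rule '$ruleName' not found in NSG '$nsgName'" }
    # Every parameter below is mandatory on Set-*, so unchanged values are copied back.
    Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
        -Access Allow -Direction Inbound -Priority $rule.Priority -Protocol $rule.Protocol `
        -SourceAddressPrefix $trusted -SourcePortRange '*' `
        -DestinationAddressPrefix $rule.DestinationAddressPrefix `
        -DestinationPortRange $rule.DestinationPortRange | Out-Null
}

# Step 6 of the article: add allow_rdp (TCP 3389) from the trusted range only, on the
# lowest free inbound priority so it is evaluated before Azure's DenyAllInbound default.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'allow_rdp')) {
    $used = @($nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | ForEach-Object Priority)
    $prio = 100
    while ($used -contains $prio) { $prio += 10 }
    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'allow_rdp' `
        -Description 'RDP to the jumphost via XG DNAT, trusted sources only' `
        -Access Allow -Direction Inbound -Priority $prio -Protocol Tcp `
        -SourceAddressPrefix $trusted -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
}

# Commit the in-memory rule changes to Azure; the cmdlet returns the updated NSG.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Check: which inbound Allow rules still accept any source? Rules for published
# services (80/443) may legitimately stay open; management ports must not.
$open = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    (($_.SourceAddressPrefix -contains '*') -or ($_.SourceAddressPrefix -contains 'Internet'))
}
foreach ($r in $open) {
    Write-Warning ('{0}: ports {1} open to any source, review' -f $r.Name, ($r.DestinationPortRange -join ','))
}
if (-not $open) { Write-Host 'All inbound Allow rules are source-restricted.' }
```

Run it once after the marketplace deployment; it is safe to re-run, since allow_rdp is only added when absent and the two existing rules are rewritten with the same priority and ports each time.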

What we have so far

After completing all the steps above, we have the architecture below:

  • A single XG firewall with two NICs.
  • The WAN NIC is connected to the sophosxg-public-dmz-frontend subnet.
  • The LAN NIC is connected to the sophosxg-public-dmz-backend subnet.
  • The sophosxg-public-dmz-frontend subnet has the SecurityGroup NSG associated to it.
  • The WAN NIC is associated to a public IP address resource.

Create a management subnet and configure traffic to flow through the Sophos XG DMZ

This subnet can be used for VMs implementation that hosts management and monitoring capabilities for the components running in the VNet. In this scenario, we will deploy a Windows server that we can use as a Jumphost into this subnet.

Create a new management subnet

  1. From the Azure Portal, go to All resources > sophosxg-azure-vnet > Subnets. In the sophosxg-azure-vnet | Subnets blade, click on + Subnet to add a new subnet to the virtual network.
  2. In the Add subnet blade, configure the following: 

    • Name: management-subnet.
    • Subnet address range: 10.10.253.0/24.
    • NAT gateway: None
    • Network security group: None.
    • Route table: None.
    • Leave the other settings as they are.
    • Click Save.

Deploy a Windows server into the new subnet (as a jumphost)

  1. From the Azure Portal, click Create a resource and type Windows Server into the search box, and press enter.
  2. In the Select a plan field, select Windows Server 2016 Datacenter.
  3. Ensure that the deployment is Deploy with Resource Manager, then click on Create.



  4. In the Create a virtual machine blade, in the Basics section, configure the following:

    • Subscription: Select your subscription.
    • Resource group: Use existing and select the sophosxg-poc-azure-rg.
    • Virtual machine name: mgmt-srv-1
    • Region: Automatically populated (make sure it is in the same location as other resources).
    • Availability options: Availability zone.
    • Availability zone: 1
    • Image: Windows Server 2016 Datacenter - Gen1
    • Azure Spot instance: Disabled
    • Size: Click Select size and select the Standard_D2s_v3 size (or any other size that you prefer).
    • Username: azureadmin
    • Password: Type a complex password (Make a note of the password that you use as you will need it later).
    • Confirm password: Confirm the complex password.
    • Public inbound ports: None
    • Would you like to use an existing Windows Server license?: If you already have a valid license agreement with Microsoft, you can click Yes to save on licensing costs. Select No and confirm with your Microsoft reseller if not sure.
    • Click Next: Disks >.

  5. In the Disks section, configure the following:

    • OS disk type: Premium SSD
    • Encryption type: Default
    • Enable Ultra Disk compatibility: No
    • Advanced > Use managed disks: Yes
    • Click Next: Networking >.

  6. In the Networking section, configure the following:

    • Virtual network: Ensure that sophosxg-azure-vnet is selected.
    • Subnet: management-subnet (10.10.253.0/24)
    • Public IP: None
    • NIC network security group: None
    • Leave other settings as default.
    • Click Next: Management >.

  7. In the Management section, leave the settings as default and click Next: Advanced >.
  8. In the Advanced section, leave the settings as default and click Next: Tags>.
  9. In the Tags section, leave the settings as default and click Next: Review + create >.
  10. Ensure that the validation passed and then click Create.
  11. Wait for the deployment to complete.
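The jumphost deployment above, scripted with the Az PowerShell module, as an added example (not code from the Sophos article). The point it makes explicit is that the NIC is created with no public IP and no NIC-level NSG, so the only way in is the DNAT on the XG. Assumptions not in the article: Az.Compute and Az.Network are installed, Connect-AzAccount has been run, the vNet and management-subnet from the previous steps exist, the NIC name mgmt-srv-1-nic is this example's choice, and no Azure Hybrid Benefit licence is applied.

```powershell
# Added example, not code from the Sophos article: deploy the Windows Server 2016
# jumphost into management-subnet with a private-only NIC.
# ASSUMPTIONS (not in the article): Az.Compute/Az.Network installed, Connect-AzAccount
# done, vNet and subnet from the article exist, NIC name is this example's choice.
$rg       = 'sophosxg-poc-azure-rg'
$vnetName = 'sophosxg-azure-vnet'
$subName  = 'management-subnet'
$vmName   = 'mgmt-srv-1'
$size     = 'Standard_D2s_v3'
$cred     = Get-Credential -UserName 'azureadmin' -Message 'Local admin password for the jumphost'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subName
$loc  = $vnet.Location

# Private-only NIC: no -PublicIpAddressId and no -NetworkSecurityGroupId, matching
# "Public IP: None" and "NIC network security group: None" in the portal steps.
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $loc -Name "$vmName-nic" -SubnetId $sub.Id

$vm = New-AzVMConfig -VMName $vmName -VMSize $size -Zone '1'
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2016-Datacenter' -Version 'latest'
$vm = Set-AzVMOSDisk -VM $vm -CreateOption FromImage -StorageAccountType 'Premium_LRS'
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
# ASSUMPTION: no Hybrid Benefit; add -LicenseType 'Windows_Server' below if you have one.
New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm | Out-Null

# Check: the VM must not have acquired a public IP, or the DNAT-only design is broken.
$nicAfter = Get-AzNetworkInterface -ResourceGroupName $rg -Name "$vmName-nic"
$ipcfg    = $nicAfter.IpConfigurations[0]
if ($ipcfg.PublicIpAddress) { throw "$vmName unexpectedly has a public IP; remove it" }
# The private IP printed here is the one to use in the XG IP host object later.
"Jumphost $vmName is reachable only through the XG; private IP $($ipcfg.PrivateIpAddress)"
```

The last line prints the private address Azure actually assigned; the XG DNAT steps later in this article assume 10.10.253.4, so substitute the printed value if it differs.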

Create a custom route table (with user-defined routes)

By default, Azure's system route sends Internet-bound traffic (0.0.0.0/0) from a subnet straight to the Internet through the platform's managed next hop, which has none of the inspection features of the Sophos XG Firewall. To inspect outbound traffic from a subnet, create a route table with a user-defined route that sends Internet-bound (and vNet-bound) traffic to the XG's LAN NIC as a virtual appliance next hop, and attach the route table to that subnet. A virtual appliance next hop only works if IP forwarding is enabled on the XG's NICs in Azure; the marketplace deployment should have enabled it, so check the NIC's IP forwarding setting first if forwarded traffic is dropped.

  1. From the Azure Portal, click Create a resource and type Route table into the search box, press enter, and select Route table.
  2. Click Create.
  3. In the Create Route table blade, configure the following:

    • Subscription: Select your subscription.
    • Resource group: Use existing → select the "sophosxg-poc-azure-rg" resource group.
    • Region: Select the same location as the resources that have been deployed.
    • Name: management-subnet-routetable
    • Propagate gateway routes: Yes
    • Click Next: Tags >.
    • Click Next: Review + create >.

  4. Ensure that the validation passed and then click Create.
  5. Wait for the deployment to complete.
  6. From the Azure Portal, type Route tables in the search box, press enter, and select Route tables.
  7. In the Route tables blade, go to management-subnet-routetable > Routes and click Add.
  8. In the Add route blade, configure the following:

    • Route name: subnet-route
    • Address prefix: 10.10.253.0/24
    • Next hop type: Virtual network
    • Next hop address: Empty
    • Click OK.
    • Repeat the step above to add two more routes with the following settings:

      • Route name: vnet-route
      • Address prefix: 10.10.0.0/16
      • Next hop type: Virtual appliance
      • Next hop address: Private IP of the XG backend (LAN) NIC.

      • Route name: internet-route
      • Address prefix: 0.0.0.0/0
      • Next hop type: Virtual appliance
      • Next hop address: Private IP of the XG backend (LAN) NIC.

    • Note: You can obtain the private IP of the XG Firewall LAN (backend) NIC by going to All resources > sophosxgAzureFw01 > Networking > PortA. PortA is the internal NIC in the sophosxg-public-dmz-backend subnet; PortB is the WAN NIC. Azure selects routes by longest prefix match, so the /24 subnet-route keeps traffic inside management-subnet local, while the /16 vnet-route and the default route send everything else to the firewall.

      You should now have the following three routes in the route table:


Attach the route table to the appropriate subnet

  1. From the Azure Portal, type Route tables in the search box, press enter, and select Route tables.
  2. In the Route tables blade, go to management-subnet-routetable > Subnets and click on Associate.
  3. In the Associate subnet blade, click on the drop-down under Virtual network and select the sophosxg-azure-vnet virtual network.
  4. In the Subnet field, select the management-subnet subnet and click OK.
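The route table procedure above (create, add the three routes, associate with management-subnet), scripted with the Az PowerShell module as an added example that is not code from the Sophos article. Rather than reading PortA's address off the portal, it finds the XG NIC that sits in sophosxg-public-dmz-backend and uses its private IP as the next hop, and it refuses to continue if IP forwarding is off on that NIC, which is the usual reason a virtual appliance next hop silently drops traffic. Assumptions not in the article: Az.Network is installed, Connect-AzAccount has been run, and the resource names are those used in this article.

```powershell
# Added example, not code from the Sophos article: build management-subnet-routetable,
# point the vNet and default routes at the XG's LAN (PortA) NIC, attach the table to
# management-subnet, and check IP forwarding on that NIC first.
# ASSUMPTIONS (not in the article): Az.Network installed, Connect-AzAccount done,
# resource names as used in the article, the XG NIC found by matching its subnet.
$rg        = 'sophosxg-poc-azure-rg'
$vnetName  = 'sophosxg-azure-vnet'
$lanSubnet = 'sophosxg-public-dmz-backend'
$mgmtSub   = 'management-subnet'
$rtName    = 'management-subnet-routetable'

$vnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$lanId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $lanSubnet).Id
$mgmt  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $mgmtSub

# Locate the XG NIC in the backend subnet (PortA) and take its private IP.
$xgLanNic = Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations[0].Subnet.Id -eq $lanId } | Select-Object -First 1
if (-not $xgLanNic) { throw "No NIC found in $lanSubnet; is the XG deployed?" }
$nextHop = $xgLanNic.IpConfigurations[0].PrivateIpAddress

# Check: Azure drops packets forwarded by a NIC without IP forwarding enabled.
if (-not $xgLanNic.EnableIPForwarding) {
    throw "IP forwarding is disabled on $($xgLanNic.Name); enable it before routing via the XG"
}

# @() guards against older Az versions where AddressPrefix is a single string.
$mgmtPrefix = @($mgmt.AddressPrefix)[0]
$vnetPrefix = @($vnet.AddressSpace.AddressPrefixes)[0]

$routes = @(
    # Most specific prefix wins: intra-subnet traffic stays local and off the firewall.
    New-AzRouteConfig -Name 'subnet-route'   -AddressPrefix $mgmtPrefix -NextHopType VnetLocal
    # Rest of the vNet hairpins through the XG so east-west traffic is inspected.
    New-AzRouteConfig -Name 'vnet-route'     -AddressPrefix $vnetPrefix -NextHopType VirtualAppliance -NextHopIpAddress $nextHop
    # Default route via the XG instead of Azure's managed Internet next hop.
    New-AzRouteConfig -Name 'internet-route' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $nextHop
)
# Gateway route propagation is left at its default (enabled), as in the portal steps.
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $vnet.Location -Name $rtName -Route $routes -Force

# Associate with management-subnet; Set-AzVirtualNetwork commits the subnet change.
# (Set-AzVirtualNetworkSubnetConfig replaces the subnet config, so an NSG attached to
# the subnet would have to be passed again with -NetworkSecurityGroup; this one has none.)
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $mgmtSub `
    -AddressPrefix $mgmt.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

"Routes in $rtName now point at $nextHop (XG PortA) and are attached to $mgmtSub"
```

After it runs, the Routes blade of management-subnet-routetable should show exactly the three routes from the portal steps, and the jumphost's effective routes (Networking > Effective routes on its NIC) should list the XG's private IP as next hop for 0.0.0.0/0.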

Additional configuration on Sophos XG Firewall

Configure routing

We need to configure the Sophos XG Firewall to route traffic that is going to our internal subnets out of its LAN interface instead of out of its WAN interface.

  1. From the WebAdmin of the sophosxgAzureFw01 firewall, go to Routing > Static Routing. Under the IPv4 unicast route section, click Add and configure the following:

    • Destination IP: 10.10.0.0 (Input the address space of your vNet)
    • Netmask: /16 (255.255.0.0).
    • Gateway: The first IP address in the "sophosxg-public-dmz-backend" subnet. In our scenario, this is "10.10.1.1".
    • Interface: PortA.
    • Distance: Leave default setting (0).
    • Click Save.

Configure RDP port forwarding to the management server

  1. Go to Host and services > IP host > Add.
  2. Configure the following:

    • Name: management-srv-10.10.253.4
    • IP version: IPv4
    • Type: IP
    • IP address: 10.10.253.4 (the first VM deployed in a subnet normally receives the fourth address, because Azure reserves the first four; confirm the actual private IP on the VM's Networking blade and use that value).

  3. Click Save.
  4. Go to Host and services > Services > Add.
  5. Configure the following:

    • Name: RDP
    • Type: TCP/UDP
    • Protocol: TCP
    • Source port: 1:65535
    • Destination port: 3389

  6. Click Save.
  7. Go to Rules and policies > NAT rules > Add NAT rule > Server access assistant (DNAT).
  8. Configure the following:

    • Select IP host: management-srv-10.10.253.4
    • Click Next.
    • Select public IP address or WAN interface#PortB-10.10.254.4 (Private IP of the XG's WAN interface).
    • Click Next.
    • Services: RDP
    • Click Next.
    • External source networks and devices: Any
    • Click Next.
    • Review the configuration and then click Save and finish.

  9. Go to Rules and policies > Firewall rules and disable the Auto added firewall policy for MTA firewall rule. Click OK when prompted.



Add a firewall rule allowing outbound internet traffic from internal subnets

  1. Go to Rules and policies > Firewall rules > Add firewall rule > New firewall rule.
  2. Configure the following:

    • Rule name: vnet_to_internet.
    • Action: Accept.
    • Tick Log firewall traffic.
    • Rule position: Top
    • Rule group: None
    • Source zones: LAN
    • Source networks and devices: "sophosxg-azure-vnet-10.10.0.0/16" (create network object if it does not exist).
    • During scheduled time: Leave default setting.
    • Destination zones: WAN.
    • Destination networks: Internet IPv4 (Follow the instructions here on how to create this object - Auto-Create an "Internet IPv4" Object On The XG Firewall).
    • Services: Any
    • Set Web policy to Allow All.
    • Tick Scan HTTP and decrypted HTTPS and leave other settings as default.
    • Click Save.

Verify that you can access the management server

  1. Open an RDP client and enter the following:

    • Computer: The public IP of the XG firewall.
    • User name: The username that you configured for the Windows management server (in our case azureadmin).
    • Click Connect.



    • Enter the password that you configured for the Windows server and click OK.



    • Click Yes to the certificate warning.
  2. You should now be connected to the management server through the Sophos XG Firewall.

Verify that the traffic is going through the Sophos XG Firewall

  1. From the RDP session of the management server, open a browser and surf the internet to trigger some outbound traffic.
  2. From the WebAdmin of the XG Firewall, go to Rules and policies > Firewall rules and verify that the traffic is allowed by the two recently created firewall rules.



  3. Click on Log Viewer on the upper right corner of the WebAdmin.
  4. Type 3389 in the search box and press enter. You should be able to see the RDP traffic in the logs containing the information specified below:




    Note:
    If there are no results in the log viewer, make sure that the Log firewall traffic is enabled in the firewall rule and DNAT rule.

What we have done 

After completing the above sections, we have the architecture below:

  • A single XG Firewall with two NICs.
  • The WAN NIC is connected to the sophosxg-public-dmz-frontend subnet.
  • The LAN NIC is connected to the sophosxg-public-dmz-backend subnet.
  • The sophosxg-public-dmz-frontend subnet has the SecurityGroup NSG associated to it.
  • The WAN NIC is associated to a public IP address resource.
  • A backend subnet called management subnet.
  • A Windows server deployed into the management subnet.
  • An Azure route table configured to send all outgoing subnet traffic to the XG firewall.
  • The Azure route table attached to the management subnet.
  • The XG firewall configured to route traffic going to the vNet out of its backend interface.


Previous article ID: 128102



Modified the Disclaimer
[edited by: DominicRemigio at 7:13 AM (GMT -8) on 11 Mar 2021]