Sophos Firewall: HA (Active-Passive) deployment with Amazon Transit Gateway (TGW) in AWS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Also check out Sophos Firewall AA (Active-Active) deployment with Amazon Transit Gateway (TGW) in AWS!

Introduction

This document describes how to deploy Sophos Firewall in HA (High Availability) mode, also known as Active-Passive mode, on the AWS platform. We will use the Amazon Transit Gateway (TGW) feature to support the hub-and-spoke model for this deployment.

Overview

The transit gateway facilitates node redundancy for the Sophos Firewalls, and BGP is used to communicate the routing information with the rest of the AWS infrastructure in the customer account.

If you’re interested and want to know more about this technology, check out Amazon's documentation on Transit gateway: https://aws.amazon.com/transit-gateway/

Sophos Firewall is available from the AWS marketplace for High Availability and Fault Tolerance deployment methods. However, in this document, we’ll be focusing on the High Availability deployment method.

It’s recommended to deploy the Sophos Firewall nodes in a separate VPC for traffic management and routing purposes.

While it’s certainly possible to deploy the firewalls into the same VPC as other backend workloads, it’ll require different instructions for the TGW attachment and route table creation. So feel free to contact your Sophos account representative if your setup requires a single VPC deployment.

Prerequisites

  1. A valid AWS account to deploy Sophos Firewall.
  2. Make sure that the Transit Gateway Connect feature is available in the required AWS region; you can confirm this in the AWS FAQ: https://aws.amazon.com/transit-gateway/faqs

Network diagram

Here is the network diagram that we’re considering for this deployment. Both the Sophos firewall instances will be deployed in a separate VPC, connecting with the LAN network VPC via the transit gateway.

Note: The IP addresses used in this setup and document are for demo purposes. You can always use other IP addresses in your deployment scenario.

Configuration steps in the AWS console

Sophos Firewall instances deployment

  1. (Optional, if you already have a key pair created in your account) Once you have logged into your AWS web console, click Services > EC2 and scroll down to click Key Pairs.
    Click the Create Key pair button, enter an appropriate name, select ppk, and finally click on the Create Key pair button so that the private key gets automatically downloaded to your computer, which can be later used to access the Sophos firewall instance via SSH.



  2. Click Services > AWS Marketplace Subscriptions > Discover Products and search for Sophos Firewall. In this document, we’ll select the BYOL deployment option.
  3. You may go through the Overview section and then click the Continue to Subscribe button.

  4. Make sure to read the End Users License Agreement, Privacy policy, and AWS customer agreement, and if you agree to those terms and conditions, click the Continue to Configuration button.

  5. Select Sophos High Availability Firewall for AWS and the latest available software version, the required deployment region, and then click Continue to Launch.



  6. Select the action as Launch CloudFormation, and finally, click the Launch button.



  7. You’ll be redirected to the CloudFormation service page. Keep the settings as-is and click Next.



  8. Enter an appropriate stack name, keep the AMI ID as autodetect, and select the required instance size from the drop-down list.



  9. Select Availability zones for each firewall node and ensure both have different AZs selected to achieve High Availability.
    Configure the network address for the new VPC. You need to enter the first two octets of the network IP. We’ll use the default network address 10.15 in this deployment.

    Enter the public IP address of the administrator deploying this firewall in the Trusted network CIDR section. This IP address will have full management access (SSH and web Console) to the Sophos Firewall units.
    Enter a desired BGP ASN to represent the Amazon Transit Gateway in the communication with the firewall (default value is 64512; it doesn't need to be changed unless this ASN is already used somewhere in your BGP setup).
    BYOL and PAYG are available in the Pricing option. We’ll select BYOL for the demonstration purpose in this article.



  10. If you selected BYOL in the previous step and have already purchased a license from a Sophos partner, you may enter the serial numbers of your registered licenses in the ‘Sophos License Serial Number for Sophos Firewalls’ field in a comma-separated format (for example, 123456789,23467890).
    Alternatively, you may leave this field empty.
    For the demonstration purpose in this article, we will enter the serial numbers of both the Sophos Firewall devices.
    Enter the admin password of your choice matching with the password complexity policy for the remote access of firewall instances.
    Then select the SSH keypair that was created previously in step #1.
    Enter "yes" in the End User License Agreement field after reading and agreeing to the terms and conditions of Sophos EULA and privacy policy.
    If you wish to opt in to the customer experience improvement program, select the "on" option from the drop-down menu; otherwise, select "off". We’ll select On and click Next.



  11. Optionally, you can add Tags for this deployment or leave the fields as-is.
    Note: There is no need to add the ‘Name’ tag in the Tags section because, by default, the CloudFormation stack name is appended as the name for some of the AWS resources and components such as Transit gateway, VPC, Subnets, EC2 instances, and Load balancer.



  12. Read through the deployment configuration summary, then turn on the checkboxes for allowing IAM resources creation with custom names and the CloudFormation CAPABILITY_AUTO_EXPAND permission, and finally click the Create Stack button.



  13. It’ll show the progress of the stack deployment for both the firewall instances and the associated resources. After a few minutes, it’ll show the status as Create Complete, meaning that both the firewall instances have been deployed successfully.



AWS Transit Gateway configuration steps

  1. Go to Services > VPC, scroll to the Transit Gateways section, and click Transit Gateways. Select the transit gateway configured by the CloudFormation stack, and from the Actions section, click Modify.



  2. For the Transit gateway CIDR blocks, click the Add CIDR button and enter a suitable IPv4 network range with a /24 or larger CIDR block you wish to use for the GRE tunnels between the Sophos firewall nodes and the Transit gateway. Click Modify Transit Gateway to save the changes.



  3. Go to Transit Gateway Attachments and click Create Transit Gateway Attachment.



  4. Select the correct transit gateway from the drop-down menu and make sure that VPC is selected as the Attachment type.
    Enter a name to help you recognize the connection in the Attachment Name tag field.
    Select the Sophos Firewalls’ VPC from the VPC ID drop-down menu and select the public-facing subnets of both the firewall nodes in the Subnet IDs section.
    Click Create attachment to complete this transit gateway attachment creation process.



  5. Similarly, create the Transit gateway attachments for LAN VPC and any other VPC that needs connectivity with the Sophos Firewall instances via the AWS Transit gateway service.



  6. After all the transit gateway attachments have been created for the required VPCs, click Create Transit Gateway Attachment and select the same transit gateway ID.
    Make sure to select the Attachment type as Connect.
    Enter a name to help you recognize the connection in the Attachment Name tag field.
    Select the Sophos Firewalls’ local VPC from the Transport Attachment ID drop-down menu and click Create attachment to complete creating the attachment.



  7. Select the newly created Connect attachment from the list, go to the Connect peers tab, and click Create Connect Peer.



  8. Enter an appropriate name in the Name tag field and keep the Transit Gateway GRE address as Auto-generated unless you wish to use a specific IP address in the CIDR block we previously attached to this transit gateway.
    Enter the WAN network adapter IP address of Sophos Firewall 01 in the Peer GRE address field.
    Set the IPv4 subnet you want to use inside the GRE tunnel by entering it in the BGP Inside CIDR blocks IPv4 field.
    Note: This block needs to be exactly /29 large and part of the non-excluded sections of the 169.254.0.0/16 subnet. For more details, see: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
    Enter the Peer ASN as the Sophos firewall's ASN used for BGP peering and finally click Create. This ASN will be configured in the BGP section of the Sophos firewall later.



  9. Create a Connect peer for Sophos Firewall 02 by following the steps mentioned in step #8.
    Ensure that the Peer ASN value is higher than the value entered for Sophos firewall 01 so that it’ll be implemented as a High Availability solution.



  10. After both the connect peers have been configured, it’ll show the GRE and BGP-related details, which can be used later as a reference while configuring the GRE tunnel and BGP peering in both the Sophos firewall nodes.

  11. Go to Transit Gateway Route Tables and click Create Transit Gateway Route Table to create a new table.



    Enter a name for the table in the Name tag field, select the Transit Gateway used for the attachments earlier from the Transit Gateway ID drop-down menu, and click Create Transit Gateway Route Table.



  12. Select the Transit Gateway Route Table from the list, navigate to the Associations tab, and click Create Association.



  13. Select the VPC attachment for the Sophos Firewall created in step #4 and click Create association.



  14. Similarly, create another association and select the firewall’s Connect attachment created previously in step #6.

  15. (Optional) To turn on the Sophos Firewall to receive routing information from other VPCs, IPsec tunnels, and Connect tunnels, you’ll need to add them on the "Propagations" tab:
    1. Go to the Propagations tab.
    2. Click Create propagation.
    3. Select the relevant VPC, VPN, or Connect tunnel from the Choose attachment to propagate dropdown menu.
    4. Click Create Propagation to complete propagation creation.
      Repeat the above sub-steps for each additional attachment you wish to propagate to the Sophos Firewall via TGW.

  16. (Optional) To enable other VPCs, VPN, and Connect tunnels to receive routing information from the Sophos Firewall, you’ll need to:
    1. Repeat steps 12-15, selecting the remote LAN VPC instead of the Firewall's VPC in step 13.

    2. Go to the Propagations tab on the newly created Route Table.
    3. Click Create propagation.
    4. Select the firewall Connect tunnel from the Choose attachment to propagate drop-down menu and click Create propagation to complete propagation creation.

  17. Go to the Virtual Private Cloud section in the left-hand menu and select Route Tables.
    Locate the route table associated with the Sophos Firewalls' WAN subnet.
    (You can find this by selecting a route table associated with the firewall's VPC and checking the Subnet Associations tab.)



  18. Click the Routes tab and then click Edit Routes.



  19. Click Add route and enter the Transit gateway CIDR configured in step 2.
    Select the TGW created by CloudFormation in the Target list and click Save changes.



  20. (Optional) To force other subnets to route their traffic through the TGW, you must edit their subnet route tables to send relevant traffic to the gateway. To do so:
    1. Locate the relevant route table.
    2. Open the Routes tab and click Edit Routes.
    3. Click Add route and enter 0.0.0.0/0 as the subnet value (this scenario assumes that all traffic needs to be sent to the TGW to enable additional filtering. Use a specific subnet range if this isn’t the case for your setup).
    4. Select the TGW created by CloudFormation in the previous section from the Target list.
    5. Click Save Routes to store the route table.

  21. With the new Connect configurations created, the next step is configuring the Sophos Firewall nodes with the relevant GRE and BGP details.
    1. In your AWS console, go to Services > VPC.
    2. Go to Transit Gateway Attachments in the left-hand menu.
    3. Select the Connect attachment for the Sophos Firewall node and go to the Connect peers tab.
    4. Note the address information in the following fields for both the entries that will be required to configure the Sophos firewall nodes:
      1. Transit Gateway GRE address.
      2. Peer BGP address.
      3. Transit Gateway BGP 1 address.

Configuration steps in Sophos Firewall

  1. In the AWS console, go to Services > EC2 and click Instances.
  2. Select the first Sophos firewall and copy the Elastic public IP address of the instance.



  3. Open a new web browser tab and access the web console of the first firewall over HTTPS using the public IP copied in step 2 with port 4444 appended (https://<public IP>:4444).
    Enter the admin credentials and captcha, and click Login.



    Note: If the web console screen shows you the initial assistant setup page for registration, you must register the firewall node first.
    Please follow the steps mentioned in the article or watch the how-to video of registration and basic setup to complete this process.
    KBA: https://support.sophos.com/support/s/article/KB-000035575?language=en_US
    How-to video: https://techvids.sophos.com/watch/uBDMZovVKXTykv3rQjxCsp
  4. After logging in, it might show a pop-up window to set the secure storage master key used to store important information in an encrypted format. You can set a key or skip that configuration.



  5. Go to CONFIGURE > Routing > BGP.
    Enter the Sophos Firewall's WAN adapter IP address in the Router ID field.
    Enter the BGP Autonomous System number entered in step 8 of the previous section into the Local AS field.
    Click Apply and accept the warning message.




  6. Go to the Neighbors section and click Add.
    Enter the IP address listed under Transit Gateway BGP 1 (noted in step 21 of the previous section) into the IPv4 address field.
    Enter the Remote AS as the ASN used by the Transit Gateway (entered in step 9 of the CloudFormation instructions).
    Click Save to store the neighbor settings.




  7. Go to the Networks section and click Add.
    Enter 0.0.0.0 in the "IPv4/netmask" field and select "/0 (0.0.0.0)" from the drop-down.
    Click Save to store the BGP network advertisement.


    Note: This assumes all traffic originating from VPCs that receive the firewall’s route through the TGW propagation will be routed through the Sophos Firewall. If you wish to be more selective, enter the specific subnet (or subnets, repeating this step for each subnet) and netmask for your setup.

  8. Go to PROTECT > Rules and policies > Firewall rules and create the relevant firewall rules with action Allow, so that traffic can traverse the Sophos firewall successfully.



  9. Open an SSH session to the Sophos Firewall via the Elastic public IP (copied in step 2) and sign in using the admin username and password.



  10. Select option 4. Device console.
    Enter the following command (replacing the sections between <> with the details noted in step 21 of the previous section):
    "system gre tunnel add name TGW01 local-gw PortB remote-gw <Transit Gateway GRE address> local-ip <Peer BGP address> remote-ip <Transit Gateway BGP 1 address>"


    After executing the command, type exit to return to the main menu.


  11. Select option 3. Route Configuration, followed by 1. Configure Unicast Routing, and 3. Configure BGP.



    Enter the following commands to turn on BGP multihop (replacing the fields between <> with the details from step 21 of the previous section and step 5 of this section, respectively):
    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <This Firewall's ASN>
    bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> ebgp-multihop 2
    bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> activate
    bgp(config-router)# write
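The values entered in the Connect peer (step 8 of the TGW section) and the device-console lines in steps 10 and 11 above are easy to mistype, so the following added example (not part of this article or of any Sophos or AWS tooling) checks them before you type them: the BGP Inside CIDR must be exactly /29 and outside the blocks AWS reserves in 169.254.0.0/16, the TGW CIDR must be /24 or larger and contain the GRE address, Firewall 02's ASN must be higher than Firewall 01's, and both BGP addresses must sit inside the /29. All IP addresses and ASNs below are constructed sample values.

```python
"""Pre-flight checks for the TGW Connect peer values and the Sophos Firewall
device-console lines used in this guide.  Added example, not part of the
original article; every sample value here is constructed."""
import ipaddress
from typing import List

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# /29 blocks that AWS documents as reserved for TGW Connect inside CIDRs.
RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29")]


def check_inside_cidr(cidr: str) -> List[str]:
    """BGP Inside CIDR block: exactly /29, inside 169.254.0.0/16, and not
    overlapping a reserved block (TGW step 8).  Returns a list of problems."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 29:
        problems.append(f"{cidr}: inside CIDR must be exactly /29")
    if not net.subnet_of(LINK_LOCAL):
        problems.append(f"{cidr}: inside CIDR must be within {LINK_LOCAL}")
    elif any(net.overlaps(r) for r in RESERVED_INSIDE):
        problems.append(f"{cidr}: overlaps a reserved 169.254.x.x block")
    return problems


def check_tgw_cidr(tgw_cidr: str, gre_address: str) -> List[str]:
    """Transit gateway CIDR block (TGW step 2) must be /24 or larger and must
    contain the Transit Gateway GRE address shown on the Connect peer."""
    problems = []
    net = ipaddress.ip_network(tgw_cidr, strict=False)
    if net.prefixlen > 24:
        problems.append(f"{tgw_cidr}: TGW CIDR must be /24 or larger")
    if ipaddress.ip_address(gre_address) not in net:
        problems.append(f"GRE address {gre_address} is outside {tgw_cidr}")
    return problems


def check_asns(tgw_asn: int, fw01_asn: int, fw02_asn: int) -> List[str]:
    """Firewall 02's Peer ASN must be higher than Firewall 01's (TGW step 9),
    and neither firewall may reuse the ASN given to the transit gateway."""
    problems = []
    if fw02_asn <= fw01_asn:
        problems.append("Firewall 02 ASN must be higher than Firewall 01 ASN")
    if tgw_asn in (fw01_asn, fw02_asn):
        problems.append("a firewall ASN equals the transit gateway ASN")
    return problems


def sophos_cli(name: str, gre_addr: str, peer_bgp: str, tgw_bgp1: str,
               fw_asn: int, inside_cidr: str) -> List[str]:
    """Render the device-console lines from steps 10 and 11 for one node,
    after confirming both BGP endpoints lie inside the Connect peer's /29."""
    net = ipaddress.ip_network(inside_cidr)
    for addr in (peer_bgp, tgw_bgp1):
        if ipaddress.ip_address(addr) not in net:
            raise ValueError(f"{addr} is not inside {inside_cidr}")
    return [
        f"system gre tunnel add name {name} local-gw PortB "
        f"remote-gw {gre_addr} local-ip {peer_bgp} remote-ip {tgw_bgp1}",
        "enable", "configure terminal", f"router bgp {fw_asn}",
        f"neighbor {tgw_bgp1} ebgp-multihop 2",
        f"neighbor {tgw_bgp1} activate", "write",
    ]


if __name__ == "__main__":
    # Constructed sample values for Firewall 01; replace with the figures
    # shown in the Connect peers tab of your own deployment.
    issues = (check_inside_cidr("169.254.100.0/29")
              + check_tgw_cidr("192.168.200.0/24", "192.168.200.10")
              + check_asns(64512, 65001, 65002))
    print("\n".join(issues) or "\n".join(sophos_cli(
        "TGW01", "192.168.200.10", "169.254.100.1", "169.254.100.2",
        65001, "169.254.100.0/29")))
```

Run the script once per node, changing the name, GRE and BGP addresses and ASN to the Firewall 02 values for the second run.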




  12. Type exit to return to the previous configuration level. Repeat until you return to the main menu.
    Select 0. Exit and repeat until the SSH session is closed.



  13. Repeat steps 1-12 for the Sophos Firewall 02.
    Important: Make sure to enter the ASN of the Sophos Firewall 02 instead of the Firewall 01 in the relevant fields.







    Once the GRE tunnel is connected, BGP peering will be established between the firewall nodes and the TGW. The status can be checked from CONFIGURE > Routing > Information > BGP.



    Go to Services > VPC > Transit Gateways > Transit Gateway Attachments in the AWS console. Select the firewall's Connect attachment, and the Connect peers tab will show the status as UP under Transit gateway BGP 1 Status.



Caveats and additional information

AWS Network Load Balancer configuration

After deployment completes, the network load balancer used by the HA deployment will be configured to perform a health check on the firewall nodes using port TCP 4444.
Since this port is part of the management port range affected by the Trusted Network security group, health checks are expected to fail due to the load balancer not being a part of said trusted network range.



This is intentional as it avoids exposing the management ports or the load balancers to unintended traffic.

To make the AWS Network Load Balancer functional, we recommend modifying the existing health check to match the service port used by the content published on the firewall.

For example, if the WAF (Web Application Firewall) feature is used to accept traffic on port TCP 443, we recommend setting the load balancer's health checks to use the same port. This ensures that service delivery capabilities and health check status are aligned, automatically removing failed firewall nodes from service.

Load balancer considerations for HA deployment

One important thing to note regarding the HA deployment is that due to the default health check using the WebAdmin port (TCP 4444), both nodes are (technically) available from an uptime perspective.

This can become an issue when publishing resources publicly through the load balancer when not accounted for, as the load balancer only checks the target group's node availability by default, not the reachability of resources published through the nodes in the target group.

Both firewall nodes appear up when checked on TCP 4444, yet traffic to the internet is only routed out through one of the firewalls. This results in a potential black-hole scenario (when the original requester's source address is unchanged) for any traffic that flows in through the load balancer and is subsequently directed at the secondary node.

Note: This issue only applies in scenarios where the original request's source address isn’t changed to match one of the firewall node's local IP addresses. This means the network setup that uses the WAF or SNAT combined with DNAT isn’t affected.

To prevent this from happening, Sophos suggests configuring the load balancer's target group health checks to not use the default port (4444), but to check the specific service port used by the backend service, and to use DNAT on the firewall nodes to translate the health check port to the relevant backend system(s).

To illustrate this concept, let's examine an example of a DNAT health check:

This scenario assumes a backend server listening on TCP port 25, with the load balancer publicly using the same port.

For this setup to work and health checks to correctly fail for the secondary node, the following needs to be configured:

  • Load balancer health check for the target group containing the Sophos Firewalls needs to be configured to TCP port 25
  • Both the firewall nodes need to have a DNAT rule that forwards TCP port 25 traffic to the backend server
  • The backend server's subnet must have a route table associated with it that routes either the source's host IP address (or range) or the default gateway to the transit gateway.

With all this in place, the health check on the secondary node will fail, as the return traffic for any request routed through the secondary node will be sent to the primary firewall (as a result of routing preference on the TGW), where it’s subsequently dropped as being out of sync.

This prevents black holes for traffic flowing through the load balancer, as the secondary node will not be a viable target for the traffic until the primary node fails. At that point, the secondary node becomes the TGW's preferred route for the advertised network(s), and the health check succeeds.

For more details on health checks for target groups, see: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html 

This concludes the Sophos Firewall HA deployment instructions in this document.

To use the security and scanning features of Sophos Firewall, refer to the online documentation available via the following link: https://www.sophos.com/en-us/support/documentation/sophos-Sophos-firewall.aspx




[edited by: Erick Jan at 6:06 AM (GMT -8) on 16 Nov 2023]
  • This is a great set-up article. Thanks a bunch for the hard work and documentation.

    One thing that is notably missing from this guide, however, is the actual set-up of HA under System Services > High Availability Configuration.

    I understand this may be intentional because this is just a deployment guide, however this is the main focus of this set-up. Can you include set-up instructions, or at least a link to configuration instructions?

    For anyone else wondering, I found this documentation here but I have not tested it yet: docs.sophos.com/.../index.html

  • Hey Max,

    Sophos firewall nodes deployed in the cloud have a different mechanism for HA, as compared to hardware Sophos firewall devices.

    Redundancy is achieved on the infrastructure level using AWS TGW, instead of device-level itself (by configuring System services > High availability).

    The reason is that the Sophos Firewall HA solution designed for cloud deployments has a decoupled architecture, which means both the nodes act as independent firewall nodes and there is no direct communication/synchronization happening between them.

    In order to have the same security and policies configuration on both the firewall nodes, we recommend using the firewall grouping functionality of Sophos Central, so that both the nodes are placed inside the same firewall group and all the configuration is done on the group level, which is automatically inherited by both the nodes.

    Here's a how-to video link showing the group level management using Sophos Central: Multi-node cloud firewall management with Sophos Central - YouTube

    Hope this helps!
