Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: HA (Active-Passive) deployment with Amazon Transit Gateway (TGW) in AWS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Please note that Sophos Support will not assist in deploying your Firewall, if you require assistance with the deployment please reach out to Professional Services.

Also check out Sophos Firewall AA (Active-Active) deployment with Amazon Transit Gateway (TGW) in AWS!

Introduction

In this document, we'll be talking about how to deploy the Sophos firewall in HA (High Availability) mode a.k.a. Active-Passive mode on the AWS platform. We will be using the Amazon transit gateway (TGW) feature to support the Hub and Spoke model for this deployment.

Overview

The transit gateway facilitates node redundancy for the Sophos Firewalls, and BGP communicates routing information with the rest of the AWS infrastructure in the customer account.

If you’re interested and want to know more about this technology, check out Amazon's documentation on Transit gateway: https://aws.amazon.com/transit-gateway/

Sophos Firewall is available from the AWS marketplace for High Availability and Fault Tolerance deployment methods. In this document, we’ll focus on the High Availability deployment method.

It’s recommended to deploy the Sophos Firewall nodes in a separate VPC for traffic management and routing purposes.

While it’s certainly possible to deploy the firewalls into the same VPC as other backend workloads, it’ll require different instructions for the TGW attachment and route table creation. So feel free to contact your Sophos account representative if your setup requires a single VPC deployment.

Prerequisites

  1. A valid AWS account to deploy Sophos Firewall.
  2. Also, make sure that the Transit Gateway Connect feature is available in the required AWS region, and you can confirm the same from the AWS FAQ document link: https://aws.amazon.com/transit-gateway/faqs 
  3. For BYOL deployments, pre-register for free 30 days trial serial keys using the following link because entering the serial key is a mandatory step during the BYOL HA deployment process:
    https://www.sophos.com/en-us/products/next-gen-firewall/free-trial
  4. Access to Sophos Central account. If you do not have a Central account, you can create a new one by following the steps mentioned in the link below:
    https://docs.sophos.com/central/customer/help/en-us/GettingStarted/CreateAccount/index.html

Network Diagram

Here is the network diagram that we’re considering for this deployment. Both the Sophos firewall instances will be deployed in a separate VPC, connecting with the LAN network VPC via the transit gateway.

Note: The IP addresses used in this setup and document are for demo purposes. You can always use other IP addresses in your deployment scenario.

Configuration steps in the AWS console

Sophos Firewall instances deployment

  1. (Optional, if you already have a key pair created in your account) Once you have logged into your AWS web console, click Services > EC2 and scroll down to click Key Pairs.
    Click the Create Key pair button, enter an appropriate name, select ppk, and finally click the Create Key pair button so that the private key is automatically downloaded to your computer. You can later use it to access the Sophos firewall instance via SSH.



  2. Access the GitHub repository using the link below:
    https://github.com/sophos-iaas/aws-cf-templates/blob/master/xg/README.md

  3. Under the High Availability / TGW section, you can see two deployment options available:
    Pay As You Go (PAYG) and Bring Your Own License (BYOL).
    For this document, we are considering BYOL option, so click on the Launch Stack button.


  4. This will open your AWS web console and redirect you to the CloudFormation stack page, which has an S3 URL referring to the HA deployment template. Click on the Next button.


  5. Enter an appropriate stack name, keep the AMI ID as autodetect and select the required instance size from the drop-down list.
    Select Availability zones for each firewall node and make sure that both have different AZs selected to achieve High Availability.
    Configure the network address for the new VPC. You just need to enter the first two octet of the network IP. We will use the default network address 10.15 in this deployment.
    Enter the public IP address of the administrator deploying this firewall in the Trusted network CIDR This IP address will have full management access (SSH and Web Console) to both the Sophos Firewall units. 

    Enter the Public Network as 0.0.0.0/0 or you can enter a specific IP address that will have access to all the ports from outside except the management port 22 and 4444.
    Enter a desired BGP ASN to represent the Amazon Transit Gateway in the communication with firewall (default value is 64512, doesn't need to be changed unless this ASN is already used somewhere in your BGP setup).

  6. Enter the serial numbers of your registered licenses in the ‘Sophos Firewall Serial Numbers’ field in a comma-separated format (for example 123456789,23467890).
    Enter the name of the firewall EC2 instances, and this name will also be used as their hostname.
    Enter the admin password of your choice matching with the password complexity policy for the remote access of firewall instances.
    Enter the configuration backup password and Secure Storage Master Key (SSMK).
    Enter the email ID of your Sophos Central account and its password. Both the firewalls would be managed from this central account for firewall management policies and other configurations.
    The S3 bucket name is an optional field, and this can be used for the backup-restore process. You can leave this field blank.
    Then select the SSH keypair that was created previously in step #1.
    The logs of Sophos Firewall EC2 instances can be stored in CloudWatch and if you wish to have this functionality enabled, then select yes from the drop-down list.



  7. Enter "yes" in the End User License Agreement field after reading and agreeing to the terms and conditions of Sophos EULA and privacy policy.
    Now, if you wish to opt for the customer experience improvement program, you can select "on" option from the dropdown menu or select the ‘off’ option. We will select On and click on Next.



  8. Optionally, you can add Tags for this deployment or leave the fields as-is.
    For the demonstration purpose in this article, we will add OwnerName and Department tag for this CloudFormation stack deployment and click on Next.



  9. Read through the deployment configuration summary, then enable the checkboxes for allowing IAM resources creation permission and finally click on Submit button



  10. It will show the progress of the stack deployment for both the firewall instances and the resources associated with it. After 15-20 minutes, it will show the status as Create Complete which means that both the firewall instances have been deployed successfully.






AWS Transit Gateway configuration steps

  1. Navigate to Services > VPC and scroll down all the way to Transit Gateways section and click on Transit Gateways. Select the transit gateway configured by the CloudFormation stack and from the Actions section click on Modify.



  2. For the Transit gateway CIDR blocks, click the Add CIDR button and enter a suitable IPv4 network range with a /24 or larger CIDR block you wish to use for the GRE tunnels between the Sophos firewall nodes and the Transit gateway. Click Modify Transit Gateway to save the changes.



  3. Navigate to Transit Gateway Attachments and click Create Transit Gateway Attachment.
    Select the correct transit gateway from the dropdown menu and make sure that VPC is selected as the Attachment type.
    Enter a name that will help you recognize the connection in the Attachment Name tag field
    Select the Sophos Firewalls’ VPC from the VPC ID dropdown menu and make sure to select the public facing subnets of both the firewall nodes in the Subnet IDs section.
    Click Create attachment to complete this transit gateway attachment creation process.

  4. Similarly create the Transit gateway attachments for internal LAN VPC and any other VPC also that needs the connectivity with the Sophos Firewall instances via the AWS Transit gateway service.

  5. After all the transit gateway attachments have been created for the required VPCs, click Create Transit Gateway Attachment and select the same transit gateway ID. Make sure to select the Attachment type as Connect.
    Enter a name that will help you recognize the connection in the Attachment Name tag field
    Select the Sophos Firewalls’ local VPC from the Transport Attachment ID dropdown menu and Click Create transit gateway attachment.



  6. Select the newly created Connect attachment from the list, navigate to the Connect peers tab and click Create connect peer.



  7. Enter an appropriate name in the Name tag field and keep the Transit Gateway GRE address as Auto generated unless you wish to use a specific IP address in the CIDR block we previously attached to this transit gateway.
    Enter the WAN network adapter IP address of Sophos Firewall 01 in the Peer GRE address
    Set the IPv4 subnet you want to use inside the GRE tunnel by entering it in the BGP Inside CIDR blocks IPv4 field.
    Note: This block needs to be exactly /29 large and part of the non-excluded sections of the 169.254.0.0/16 subnet. For more details, see: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
    Peer ASN as the Sophos firewall's ASN used for BGP peering and finally click on Create. This will be configured in BGP section of Sophos firewall later.



  8. Create Connect peer for Sophos Firewall 02 by following the same steps as mentioned in above step.
    Ensure that the Peer ASN value is different from the value configured for primary firewall, so that it will be implemented as AP (Active-Passive) deployment solution.

  9. After both the connect peers have been configured, it will show the GRE and BGP related details which can be used later as a reference while configuring GRE tunnel and BGP peering in both the Sophos firewall nodes.

  10. Navigate to Transit Gateway Route Tables and click Create Transit Gateway Route Table to create a new table.
                                    Enter a name for the table in the Name tag field and select the Transit Gateway used for the attachments earlier from the Transit Gateway ID dropdown menu and click Create Transit Gateway Route Table.

      11. Select the Transit Gateway Route Table from the list and navigate to the Associations tab and click Create association.

 


     12.  Select the VPC attachment for the Sophos Firewall created in step # 3 and click Create association.



   13. Similarly, create another association and select the firewall’s connect attachment created previously in step #5.



After this configuration, you will see two associations under this route table.

   14.  To enable the Sophos Firewall to receive routing information from other VPCs, IPsec tunnels and Connect tunnels, you will need to add them on the       "Propagations" tab:

  • Navigate to the Propagations tab.
  • Click Create propagation.
  • Select the relevant internal LAN VPC, VPN or Connect tunnel from the Choose attachment to propagate dropdown menu.
  • Click Create propagation to complete propagation creation.

Repeat the above sub-steps for each additional attachment you wish to propagate to the Sophos Firewall via TGW.


   15.  To enable other VPCs, VPN and Connect tunnels to receive routing information from the Sophos Firewall you will need to:

Create a new transit gateway route table and select the internal LAN VPC



  • Navigate to the Propagations tab on the newly created Route Table.
  • Click Create propagation.
  • Select the firewall Connect tunnel from the Choose attachment to propagate dropdown menu and click Create propagation to complete propagation creation.

   16.  Navigate to the Virtual Private Cloud in the left-hand menu and select Route Tables.
Locate the route table associated with the Sophos Firewalls' WAN subnet
(This information can be found by selecting a route table associated with the firewall's VPC and checking the Subnet Associations tab).

   17.  Click on the Routes tab and then click Edit routes.

   18.  Click Add route and enter the Transit gateway CIDR.
Select the TGW created by CloudFormation in the Target list and click Save changes.

   19. In order to force other subnets to route their traffic through the TGW, you will need to edit their subnet route tables to send relevant traffic to the gateway. To do so:

  • Locate the relevant route table.
  • Open the Routes tab and click Edit routes.
  • Click Add route and enter 0.0.0/0 as the subnet value (this scenario assumes that all traffic needs to be sent to the TGW to enable additional filtering. Use a specific subnet range if this is not the case for your setup).
  • Select the TGW created by CloudFormation in the previous section from the Target list.
  • Click Save routes to store the route table.

With the new Connect configurations created, the next step is to configure the Sophos Firewall nodes with the relevant GRE and BGP details.
   I. In your AWS console, navigate to Services > VPC.
   II. Navigate to Transit Gateway Attachments in the left-hand menu.
   III. Select the Connect attachment for the Sophos Firewall node and navigate to the Connect peers tab.
   IV. Note the address information in the following fields for both the entries that will be required to configure the Sophos firewall nodes:
          a. Transit Gateway GRE address.
          b. Peer BGP address.
          c. Transit Gateway BGP 1 address.


Configuration steps in Sophos Firewall

  1. In the AWS console, go to Services > EC2 and click Instances.
  2. Select the first Sophos firewall and copy the Elastic public IP address of the Primary Firewall instance.



  3. Open a new web browser tab and access the web console of the first firewall on HTTPS using the public IP copied in Step 2 and append the port number 4444.
    Enter the admin credentials and captcha and click on Login.




  4. After logging into the device, it will go through the device claim(registration) process.
    It will auto-detect the serial key that was entered previously during the CloudFormation deployment stage. Click on Continue.

Next step is for the claiming the firewall in the Sophos Central account, so click on the option Claim in Sophos Central

It will redirect to the Sophos Central Firewall licensing page and you can claim the firewall for 30 days of trial license. Click on Claim firewall.

After this step, it will show the license status of the firewall instance and then click on Continue to go to the Dashboard page.

    5. Navigate to SYSTEM > Administration > Admin and user settings and add -01 to the hostname of the firewall, to identify it easily from Sophos Central Firewall management section.

    6.  Navigate to CONFIGURE > Routing > BGP.
        Select Route ID assignment as Manual.
        Enter the Sophos Firewall's WAN adapter IP address in the Router ID field.
        Enter the BGP Autonomous System number of the primary firewall into the Local AS field.
        Click Apply to save the configuration.

    7. Navigate to the Neighbors section and click Add.
        Select the IP version as IPv4.
        Enter the IP address listed under Transit Gateway BGP 1 noted from AWS configuration section into the IPv4 address field.
        Enter the Remote AS as the ASN used by the Transit Gateway.
        Click Save to store the neighbor settings.

    8. Navigate to PROTECT > Rules and policies > Firewall rules and create relevant firewall rules with action Allow, so that the traffic can traverse successfully via the Sophos firewall.

    9. Navigate to System > Administration >Device access and enable Dynamic Routing option for the VPN zone.

    10. Set up a remote shell session of SSH with the Sophos Firewall via the elastic public IP and sign in using the admin username and its password.

    11. Select option 4. Device console.
          Enter the following command (replacing the sections between <> with the details found in step IV): "system gre tunnel add name TGW01 local-gw PortB            remote-gw <Transit Gateway GRE address> local-ip <Peer BGP address> remote-ip <Transit Gateway BGP 1 address>".

After the command is executed successfully, type exit to return to the main menu.

    12. Select option 3. Route Configuration, followed by 1. Configure Unicast Routing and 3. Configure BGP.

Enter the following commands to establish BGP neighbourship with Transit Gateway via GRE tunnel:

bgp> enable
bgp# configure terminal
bgp(config)# router bgp <This Firewall's ASN>
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> ebgp-multihop 2
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> activate
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> default-originate
bgp(config-router)# route-map primary-firewall permit 10
bgp(config-route-map)# set as-path prepend <This Firewall's ASN>
bgp(config-route-map)# exit

bgp(config-router)#address-family ipv4 unicast
bgp(config-router-af)#
neighbor <Transit Gateway BGP 1 IP> default-originate route-map primary-firewall
bgp(config-router-af)#
neighbor <Transit Gateway BGP 1 IP> route-map primary-firewall out
bgp(config-router-af)#
exit-address-family
bgp(config-router-af)# exit
bgp(config-router)# exit
bgp(config)#write

The show run command will show the output of BGP configuration as follows:

    13. Type exit to return to the previous configuration level. Repeat until you return to the main menu.
          Select 0. Exit and repeat until the SSH session is closed

    14.  To verify whether the BGP neighbourship is established, check the BGP summary by navigating to CONFIGURE > Routing > Information > BGP.

This completes the configuration of Sophos Firewall 01.

    15.  Access the Secondary Firewall using its elastic IP address and complete the claim(registration) process.
           You can repeat instructions of steps #1 to 4 using Sophos Firewall 02 public IP.

    16.  Update the hostname of this firewall by adding -02.

    17. Configure BGP on the Firewall 02 as follows:

    18.  Navigate to PROTECT > Rules and policies > Firewall rules and make sure to create relevant firewall rules with action Allow, so that the traffic can traverse      successfully via the Sophos firewall.

    19. Navigate to System > Administration >Device access and enable Dynamic Routing option for the VPN zone.

    20. Set up a remote shell session of SSH with the Sophos Firewall via the elastic public IP and sign in using the admin username and password.


    21.  Select option 4. Device console.
Enter the following command (replacing the sections between <> with the details found in step IV): "system gre tunnel add name TGW01 local-gw PortB remote-gw <Transit Gateway GRE address> local-ip <Peer BGP address> remote-ip <Transit Gateway BGP 1 address>"

After the command is executed successfully, type exit to return to the main menu.

    22. Select option 3. Route Configuration, followed by 1. Configure Unicast Routing and 3. Configure BGP.

Enter the following commands to establish BGP neighbourship with Transit Gateway via GRE tunnel:

bgp> enable
bgp# configure terminal
bgp(config)# router bgp <This Firewall's ASN>
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> ebgp-multihop 2
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> activate
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> default-originate
bgp(config-router)# route-map secondary-firewall permit 10
bgp(config-route-map)# set as-path prepend <This Firewall's ASN> <This Firewall's ASN> <This Firewall's ASN> <This Firewall's ASN>
bgp(config-route-map)# exit

bgp(config-router)#address-family ipv4 unicast
bgp(config-router-af)#
neighbor <Transit Gateway BGP 1 IP> default-originate route-map secondary-firewall
bgp(config-router-af)#
neighbor <Transit Gateway BGP 1 IP> route-map primary-firewall out
bgp(config-router-af)#
exit-address-family
bgp(config-router-af)# exit
bgp(config-router)# exit
bgp(config)#write

    23.  Type exit to return to the previous configuration level. Repeat until you return to the main menu.
           Select Exit and repeat until the SSH session is closed.

    24.  To verify whether the BGP neighbourship is established, check the BGP summary by navigating to CONFIGURE > Routing > Information > BGP.

Similarly on the AWS Web console, it will show the status of BGP1 IP address as Up.

This completes the configuration of Sophos Firewall 02.

The Transit Gateway route table configured for the internal LAN VPC, will display the BGP IP address associated with the Primary firewall, which is a clear indication that all the traffic is indeed being routed via Primary Firewall only.

As soon as the primary firewall is down due to any reason, the BGP peering route priority will change for Transit Gateway and it will show BGP IP associated with Secondary Firewall as highlighted below to ensure that the failover of traffic happens to Secondary firewall successfully.

Caveats and additional information

AWS Network Load Balancer configuration

After deployment completes, the network load balancer used by the HA deployment will be configured to perform a health check on the firewall nodes using port TCP 4444.
Since this port is part of the management port range affected by the Trusted Network security group, health checks are expected to fail due to the load balancer not being a part of said trusted network range.


This is intentional as it avoids exposing the management ports or the load balancers to unintended traffic.

To make the AWS Network Load Balancer functional, we recommend modifying the existing health check to match the service port used by the content published on the firewall.

For example, if the WAF (Web Application Firewall) feature is used to accept traffic on port TCP 443, we recommend setting the load balancer's health checks to use the same port. This ensures that service delivery capabilities and health check status are aligned, automatically removing failed firewall nodes from service.

DNAT considerations for AA deployment

For the AA (Active-Active) scenario you will need to apply source NAT(MASQ) to inbound traffic for any DNAT rule that allows traffic from the WAN zone into the environment. This enables the TGW to route traffic back to the correct Sophos Firewall instead of balancing the request over all available nodes, preventing asymmetric routing.

DNAT rule can be created from Sophos Central Firewall group so that it will be automatically pushed to both the firewall nodes.
For the demonstration purposes, we will create a DNAT rule to open RDP port 3389 as follows:

    1. Login to your Sophos Central account and then navigate to My Products > Firewall management > Firewalls and you will see both the firewall nodes under the Ungrouped section

     2. Click on Create New Group button, enter the name of the firewall group, select Use Sophos default template, and then select both the firewall nodes from the Available Firewalls column and add it into the Assigned Firewalls column.

Ensure that Skip full sync tick mark is enabled for both the firewall nodes and hit the Save button.

 

     3. Now it will show both the firewall nodes placed under the new group. Click on the ellipsis icon at the right side of the group and click on Manage Policy.

  

  1. This will open a new web browser tab and show the group policy configuration page. Navigate to Hosts and Services > IP Host and click on Add button.


Create a new IP Host object with the Type selected as IP List and enter the private IP address of PortB of both the firewall nodes separated by ‘,’ and hit the Save button.

  1. Now navigate to Rules and policies > Firewall rules and click on Add Firewall Rule > New firewall rule option.


    Enter the name of the firewall rule, Rule Position as Top, Action as Accept, logging option enabled,
    Source zones as WAN, Source networks as Any,
    Destination zones as VPN, Destination networks as newly created IP host object, Services as RDP configured for Port 3389 and then hit the Save button.

     6. Navigate to Rules and policies > NAT rules and click on Add NAT rule > New NAT rule.



Enter the name of the NAT rule, Rule Position as Top, Action as Accept,
Original Source as Any, Original Destination as IP host object and Original service as RDP,
Translated Source as MASQ, Translated Destination as the actual private IP of RDP server and Translated service as Original,
Inbound interface and Outbound interface can be kept as Any and then hit the Save button.

With this configuration in place, both the firewalls will have one firewall rule and one NAT rule that will allow RDP traffic from internet to be forwarded to the TGW and the source IP of that traffic will be Source NATed with PortB private IP, to avoid asymmetric routing.

This concludes the Sophos Firewall Active-Passive deployment instructions in this document.

To use the security and scanning features of Sophos firewall, feel free to refer to online documentation repository available via following link:

https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/index.html

______________________________________________________________________________________________________________________________________



Old Please note that Support would not be provided for deployments using this guide via contacting and opening a case to Sophos Support.
[edited by: emmosophos at 10:53 PM (GMT -8) on 17 Dec 2024]
Parents
  • JVP nice document thanks.

    Some notes on how licensing in  the  Cloud and On premise for active/passive  differ,  would be a great addition. 
    It seems as if there  is little cost advantage to go active/passive , but perhaps that is not the case?

    A summary of how things differ from your similar active/active  document   would be a great addition.  There doesn't seem much difference and perhaps both could be merge to help with that comparison ?

Reply
  • JVP nice document thanks.

    Some notes on how licensing in  the  Cloud and On premise for active/passive  differ,  would be a great addition. 
    It seems as if there  is little cost advantage to go active/passive , but perhaps that is not the case?

    A summary of how things differ from your similar active/active  document   would be a great addition.  There doesn't seem much difference and perhaps both could be merge to help with that comparison ?

Children
No Data