Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
Also check out Sophos Firewall HA (Active-Passive) deployment with Amazon Transit Gateway (TGW) in AWS!
In this document, we'll be talking about how to deploy the Sophos firewall in Fault Tolerance a.k.a. AA (Active-Active) mode on the AWS platform. We will be using the Amazon transit gateway (TGW) feature to support the Hub and Spoke model for this deployment.
The transit gateway is used to facilitate node redundancy for the Sophos Firewalls and BGP is used to communicate the routing information with the rest of the AWS infrastructure in the customer account.
If you want to know more about this technology, see Amazon's documentation on Transit Gateway: https://aws.amazon.com/transit-gateway/
Sophos Firewall is available from the AWS Marketplace for both the High Availability and Fault Tolerance methods of deployment. In this document we focus on the Fault Tolerance (AA) deployment method.
It is recommended to deploy the Sophos Firewall nodes in a separate VPC for traffic management and routing purposes.
While it is certainly possible to deploy the firewalls into the same VPC as other backend workloads, it will require different instructions for the TGW attachment and route table creation. Hence feel free to contact your Sophos account representative if your setup requires a single VPC deployment.
Here is the network diagram that we are considering for this deployment. Both the Sophos firewall instances will be deployed in a separate VPC, having connectivity with the LAN network VPC via the transit gateway.
Note: The IP addresses used in this setup and document are for demo purposes. You can always use other IP addresses in your deployment scenario.
Repeat the above sub-steps for each additional attachment you wish to propagate to the Sophos Firewall via TGW.
Please follow the steps mentioned in the following article or watch the how-to video of registration and basic setup to complete this process:
KBA: https://support.sophos.com/support/s/article/KB-000035575?language=en_US
How-to video: https://techvids.sophos.com/watch/uBDMZovVKXTykv3rQjxCsp
system gre tunnel add name TGW01 local-gw PortB remote-gw <Transit Gateway GRE address> local-ip <Peer BGP address> remote-ip <Transit Gateway BGP 1 address>
bgp> enable
bgp# configure terminal
bgp(config)# router bgp <This Firewall's ASN>
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> ebgp-multihop 2
bgp(config-router)# neighbor <Transit Gateway BGP 1 IP> activate
bgp(config-router)# write
After deployment completes, the network load balancer used by the AA deployment will be configured to perform a health check on the firewall nodes using port TCP 4444. Since this port is part of the management port range affected by the Trusted Network security group, health checks are expected to fail due to the load balancer not being a part of said trusted network range.
This is intentional as it avoids exposing the management ports or the load balancers to unintended traffic.
In order to make the AWS Network Load Balancer functional, we recommend modifying the existing health check to match the service port used by the content published on the firewall.
For example, if the WAF (Web Application Firewall) feature is being used to accept traffic on port TCP 443, we recommend setting the load balancer's health checks to use the same port. This ensures service delivery capabilities and health check status are aligned, making sure that failed firewall nodes are removed from service automatically.
For the AA (Active-Active) scenario you will need to apply source NAT to inbound traffic for any DNAT rule that allows traffic from the WAN zone into the environment. To enable this, we’ll need to set up a unique IP for each firewall – this enables the TGW to route traffic back to the correct Sophos Firewall instead of balancing the request over all available nodes, preventing asymmetric routing.
To create a DNAT (port forwarding) rule, please refer to the following document: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/CreatingDNATRuleWebServer.html
The last step is to create a network object with a unique IP to use on any inbound DNAT rule for Source NAT purposes.
As also mentioned in the introduction discussing the models, east-west traffic requires additional provisions - similar to the DNAT considerations discussed above.
This is needed because the TGW uses the state-unaware BGP Equal Cost Multi-Pathing (ECMP) algorithm to distribute traffic over the available firewall nodes. This can cause asymmetric routing scenarios in which return traffic can't be guaranteed to return to the firewall node that processed the outgoing traffic, resulting in broken TCP sessions.
Since most companies do not want to apply source NAT (or any NAT for that matter) on traffic flowing between internal sources, you will need to enable BGP path prepending on the Sophos firewall 02 node to raise its path cost.
This causes the TGW to no longer populate both firewall nodes as viable next-hop targets into the propagated route tables, preferring to only populate the one with the lowest path cost, which ultimately enables the firewall nodes to act as an Active-Active pair for inbound and outbound north-south traffic, while operating like an active-passive HA setup for east-west traffic.
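The effect of path prepending on ECMP can be seen in a small simulation. This is an added example, not part of the original document or Sophos tooling; the node names, ASNs, IP addresses and the SHA-256 flow hash (a stand-in for the TGW's internal per-flow hash) are assumptions chosen for illustration.

```python
import hashlib

# Constructed BGP advertisements for the same prefix, as seen by the TGW.
# ASNs and node names are sample values, not taken from the deployment.
EQUAL = {"fw01": [65001], "fw02": [65002]}
PREPENDED = {"fw01": [65001], "fw02": [65002, 65002, 65002]}


def next_hops(adverts):
    """Keep only the advertisements with the shortest AS path (the ECMP set)."""
    shortest = min(len(path) for path in adverts.values())
    return sorted(n for n, path in adverts.items() if len(path) == shortest)


def pick(flow, hops):
    """Stateless per-flow choice: hash the 5-tuple, no session table."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return hops[int.from_bytes(digest[:4], "big") % len(hops)]


def reverse(flow):
    """5-tuple of the reply packets for a given flow."""
    src, dst, sport, dport, proto = flow
    return (dst, src, dport, sport, proto)


def asymmetric_fraction(adverts, flows):
    """Share of flows whose reply lands on a different firewall node."""
    hops = next_hops(adverts)
    broken = sum(pick(f, hops) != pick(reverse(f), hops) for f in flows)
    return broken / len(flows)


# Constructed east-west flows between two spoke VPC ranges.
FLOWS = [("10.1.0.%d" % (i % 250 + 1), "10.2.0.10", 40000 + i, 443, "tcp")
         for i in range(1000)]

if __name__ == "__main__":
    for name, adverts in (("equal cost", EQUAL), ("fw02 prepended", PREPENDED)):
        print(name, next_hops(adverts), asymmetric_fraction(adverts, FLOWS))
```

With equal path lengths roughly half of the flows return through the other node, where a stateful firewall has no matching session; once firewall 02 prepends its ASN, only firewall 01 remains a next hop and no flow is split.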
The steps involved are as follows:
This concludes the Sophos Firewall AA deployment instructions in this document.
To use the security and scanning features of Sophos Firewall, refer to the online documentation repository available via the following link: https://www.sophos.com/en-us/support/documentation/sophos-xg-firewall.aspx
Amazing. Bookmarked for my next deployment. Just completed my AA TGW deployment this week after working out all the kinks. Wish I saw this earlier.