Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
______________________________________________________________________________________________________________________________________
Overview
This article describes how to deploy the Sophos Firewall into an existing virtual network on Microsoft Azure. The procedure uses the ARM template that Sophos publishes on GitHub.
Product and Environment
Sophos Firewall on Azure Marketplace
Prerequisite
- The address space of the virtual network must be pre-created.
- The front-end and back-end subnets must be pre-created.
Information needed before the deployment
- The name of the existing resource group that you would like to deploy the Sophos Firewall into.
- The following information about the existing vNet that you want to deploy the Sophos Firewall into: resource group, address space, front-end subnet name, front-end subnet prefix, back-end subnet name, and back-end subnet prefix.
- The following information about the existing storage account: resource group, name, type.
Deployment
- Sign in to the Azure portal: https://portal.azure.com
- Browse to the Sophos GitHub page: https://github.com/sophos-iaas/Sophos-azure
- In the README.md section, click on Deploy to Azure. This will automatically open the template deployment on Azure.
- In the custom template deployment, fill in the deployment as follows:

| Parameter | Value |
| --- | --- |
| Subscription | Select the subscription that you want this resource to be associated with. |
| Resource Group | Select Use existing (select the resource group). |
| _artifacts Location | This is automatically filled in based on the resource group that was selected. |
| _artifacts Location Sas Token | Leave empty. The sasToken required to access _artifactsLocation. When the template is deployed using the accompanying scripts, a sasToken will be automatically generated. Use the defaultValue if the staging location is not secured. |
| Vm Name | Configure a VM name according to your naming convention. E.g. do-sophosSophos. |
| Admin Password | Enter a complex password (make a note of this password as it will be needed for the initial logon). |
| Image Sku | Select BYOL if you're using a license that you bought from a Sophos partner or from Sophos. Select PAYG if you'll be paying for the license as part of your Azure charges. |
| Vm Size | Enter the Azure VM size that you want - https://docs.microsoft.com/en-in/azure/virtual-machines/windows/sizes-general (The size must support a minimum of 2 NICs). E.g. Standard_F2s |
| Net New Or Existing | Select existing to deploy into an existing vNet. |
| Net RG | The resource group of the existing virtual network. |
| Net Name | The name of the existing virtual network. |
| Net Prefix | The "address space" of the existing virtual network. |
| Wan Name | The name of the existing front-end subnet. |
| Wan Prefix | The CIDR range of the existing front-end subnet. |
| Lan Name | The name of the existing back-end subnet. |
| Lan Prefix | The CIDR range of the existing back-end subnet. |
| Public Ip New Or Existing | New |
| Public Ip RG | The resource group of the new public IP resource (typically the same resource group as above). |
| Public Ip Name | The name of the public IP resource. |
| Public Ip DNS | The DNS name record that will be created in a Microsoft-owned DNS zone. This must be something unique across the entire DNS zone (recommended to add random numbers to guarantee uniqueness). |
| Public Ip Type | Dynamic |
| Storage New or Existing | Existing |
| Storage RG | The resource group that contains the storage account. |
| Storage Name | The name of the storage account where the virtual machine disk will be stored. |
| Storage Type | Standard or Premium; LRS, ZRS, GRS, RA-GRS. E.g. Standard_LRS |
| Nic Wan | The name of the front-end NIC of the Sophos Firewall. |
| Nic Lan | The name of the back-end NIC of the Sophos Firewall. |
| Network Security Group New Or Existing | New |
| Network Security Group Name | The name of the network security group that will be associated with the front-end NIC of the Sophos Firewall. |
| Trusted Network | The host or CIDR network range that should have administrative access to the Sophos Firewall (use * for any). |
| Availability Set New Or Existing | New |
| Availability Set Name | The name of the availability set that the Sophos Firewall will be deployed in. |
| Location | Leave as it is. |

- Click Review + Create.
- Once validation has passed, click Create.
Note: After the deployment has been completed, you will still need to ensure that the "custom route tables" and "network security groups" are properly configured for traffic flow to work as required. Refer to this document for more information: Sophos Firewall: Reference architecture on Azure with dual NIC.
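
The network values in the form above can be checked offline before clicking Create. The following pre-flight check is an added example, not part of the Sophos template or its scripts; it verifies that the Wan Prefix and Lan Prefix fall inside the Net Prefix without overlapping, and flags a Trusted Network value that leaves administrative access open to any source. The dictionary keys (`netPrefix`, `wanPrefix`, `lanPrefix`, `trustedNetwork`) are assumed names modelled on the form labels, and the sample values are constructed.

```python
import ipaddress

def preflight(params):
    """Return findings for the network values entered in the deployment form."""
    findings, nets = [], {}
    for key in ("netPrefix", "wanPrefix", "lanPrefix"):
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.10.1.5/24
            nets[key] = ipaddress.ip_network(params[key], strict=True)
        except ValueError as exc:
            findings.append(f"ERROR {key}: not a valid CIDR range ({exc})")
    if len(nets) == 3:
        vnet, wan, lan = (nets[k] for k in ("netPrefix", "wanPrefix", "lanPrefix"))
        for key, subnet in (("wanPrefix", wan), ("lanPrefix", lan)):
            # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first
            if subnet.version != vnet.version or not subnet.subnet_of(vnet):
                findings.append(f"ERROR {key}: {subnet} is outside address space {vnet}")
        if wan.version == lan.version and wan.overlaps(lan):
            findings.append(f"ERROR wanPrefix/lanPrefix: {wan} and {lan} overlap")
    trusted = params["trustedNetwork"].strip()
    try:
        # "*" and a zero-length prefix both mean "any source address"
        any_source = trusted == "*" or ipaddress.ip_network(trusted, strict=True).prefixlen == 0
    except ValueError:
        findings.append(f"ERROR trustedNetwork: {trusted!r} is not '*', a host or a CIDR range")
    else:
        if any_source:
            findings.append("WARN trustedNetwork: administrative access is open to any source address")
    return findings

# Constructed sample values, not taken from a real environment.
GOOD = {"netPrefix": "10.10.0.0/16", "wanPrefix": "10.10.1.0/24",
        "lanPrefix": "10.10.2.0/24", "trustedNetwork": "203.0.113.0/24"}
BAD = dict(GOOD, lanPrefix="10.11.2.0/24", trustedNetwork="*")
OVERLAP = dict(GOOD, lanPrefix="10.10.1.128/25")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("OVERLAP", OVERLAP)):
        print(name, preflight(sample) or "no findings")
```
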
Related information
Sophos Firewall: Quick Start Guide on Microsoft Azure
______________________________________________________________________________________________________________________________________
Added TAG
[edited by: Erick Jan at 1:17 AM (GMT -8) on 14 Nov 2024]