This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Forum for HA and Autoscaling UTM deployments @ AWS?

I feel like it would be beneficial to have a separate sub-forum specifically for discussing UTM deployments in the AWS environment.  Particularly for those of us working on getting the HA and/or Autoscaling implementations to work properly.  While the webpage here: www.sophos.com/aws seems to suggest that AWS integration is a widely used and perfectly tuned feature of the UTM, those of us who have been tinkering around with it know that Sophos still has a ways to go in ramping up their own internal expertise and supporting documentation for this use-case.    All the more reason for easy channels for collaboration among the community.

At the very least, I'd love to hear from anyone else out there who's currently working with the HA implementation.  I'm alternately impressed and frustrated with it thus far :)  but I think it could be a truly amazing product with a bit more fine tuning-- and I think strong community involvement is going to be the driving force to make that happen.  



This thread was automatically locked due to age.
Parents
  • hi, any update on this ? im interested in this feature on AWS.

     

    thanks

    P.

  • I've been trying this for few weeks as well.  

     

    Apparently, the firmware upgrade within UTM does not do anything for HA/Autoscaling.  It's basically UTM software patch(eg. Windows security patch vs Windows Service Pack).  What has to happen is that you have to download entirely new AMI version(9.4x) from AWS marketplace and reconfigure the new instance from scratch.  or use backup to reload your configurations.  Which it kind of sucks because, it requires more work than just simple upgrade.  

     

    Sophos is really behind on their contents on this matter.  Their template is pointing to the wrong AMI version(9.3x) so you have to manually change that first and their instructions is wrong as well.  

  • Hi lprikockis

     

    Good news. We can reproduce your problem. Thanks a lot for the confd.log.

    You are running a "Auto Scaling" ami (image name starts with something like axg9400_aws-asg-9.406)?

    The conversion feature is only supported for our standalone ami.

    So try to launch one of those:

    https://aws.amazon.com/marketplace/pp/B00DJDRZB2

    And the error message should be gone (instead you will get the message saying there is no update path yet).

    If you reach that step, please PM me and I will give you instructions on how to use the conversion as a beta user.

     

    Thanks a lot for your help, and discovering this bug

  • Hmmm... I'm not sure what AMI it is since all I get from AWS is:   "Cannot load details for ami-3ec9a957. You may not be permitted to view it."

    However, this particular instance was first launched in December 2014, so I doubt it was the auto-scaling AMI as that didn't exist at the time.

    When I have a moment, I'll try launching a standalone instance in a test VPC and confirm that I get the appropriate message.

     

    I seems like what this is pointing to is the fact that folks with older versions that have been upgraded to the latest firmware without a completely new relaunch from a recent AMI may not be able to use this "automated" conversion path.   So if I need to launch an entirely new instance, shouldn't there be some way to just launch the HA version in my current VPC and then load the saved configuration?    It seems a little weird to have to create a "new" standalone AMI UTM just for the purpose of "automatically" converting it to the HA version.

  • Can you provide us the output of 'version' in bash?

     

    The idea of conversion is to convert single instances into HA or Auto Scaling setups. In your case you already have a Auto Scaling setup (probably spawned without CloudFormation and only one instance), so there is no need to use the conversion right there.

  • loginuser@qcpfw:/home/login > version

    Current software version...: 9.407003
    Hardware type..............: Software Appliance
    Installation image.........: 9.000-8.1
    Installation type..........: asg
    Installed pattern version..: 111918
    Downloaded pattern version.: 111918
    Up2Dates applied...........: 59 (see below)
    sys-9.000-9.001-8.18.1.tgz (Mar 6 2013)
    sys-9.001-9.002-18.12.1.tgz (Mar 6 2013)
    sys-9.002-9.003-12.15.1.tgz (Mar 6 2013)
    sys-9.003-9.003-15.16.4.tgz (Mar 6 2013)
    sys-9.003-9.004-15.33.1.tgz (Mar 7 2013)
    sys-9.004-9.004-33.34.1.tgz (Mar 25 2013)
    sys-9.004-9.005-29.15.2.tgz (Mar 25 2013)
    sys-9.005-9.005-15.16.1.tgz (Mar 25 2013)
    sys-9.005-9.006-15.5.2.tgz (Apr 5 2013)
    sys-9.006-9.100-5.16.1.tgz (May 13 2013)
    sys-9.100-9.101-16.12.1.tgz (Jun 13 2013)
    sys-9.101-9.102-11.8.2.tgz (Aug 9 2013)
    sys-9.102-9.103-8.5.2.tgz (Aug 19 2013)
    sys-9.103-9.104-5.17.2.tgz (Aug 19 2013)
    sys-9.104-9.105-17.9.1.tgz (Sep 3 2013)
    sys-9.105-9.106-9.17.1.tgz (Nov 4 2013)
    sys-9.106-9.107-17.33.2.tgz (Mar 9 2014)
    sys-9.107-9.108-33.23.2.tgz (Mar 9 2014)
    sys-9.108-9.109-23.1.2.tgz (Mar 9 2014)
    sys-9.109-9.110-1.22.1.tgz (Apr 10 2014)
    sys-9.110-9.111-22.7.1.tgz (Apr 10 2014)
    sys-9.111-9.111-7.11.1.tgz (May 28 2014)
    sys-9.111-9.112-7.12.1.tgz (Jun 26 2014)
    sys-9.112-9.113-12.1.2.tgz (Jun 26 2014)
    sys-9.113-9.203-1.3.1.tgz (Aug 7 2014)
    sys-9.203-9.204-3.20.1.tgz (Aug 7 2014)
    sys-9.204-9.205-20.12.1.tgz (Dec 17 2014)
    sys-9.205-9.206-12.35.1.tgz (Dec 17 2014)
    sys-9.206-9.207-35.19.2.tgz (Dec 17 2014)
    sys-9.207-9.208-19.8.5.tgz (Dec 17 2014)
    sys-9.208-9.209-8.8.1.tgz (Dec 17 2014)
    sys-9.209-9.210-8.20.1.tgz (Dec 17 2014)
    sys-9.210-9.304-20.9.2.tgz (Dec 18 2014)
    sys-9.304-9.305-9.4.1.tgz (Dec 18 2014)
    sys-9.305-9.306-4.6.1.tgz (Feb 5 2016)
    sys-9.306-9.307-6.6.1.tgz (Feb 5 2016)
    sys-9.307-9.308-6.16.2.tgz (Feb 6 2016)
    sys-9.308-9.309-16.3.1.tgz (Feb 6 2016)
    sys-9.309-9.310-3.11.1.tgz (Feb 6 2016)
    sys-9.310-9.311-11.3.1.tgz (Feb 6 2016)
    sys-9.311-9.312-3.8.1.tgz (Feb 6 2016)
    sys-9.312-9.313-8.3.1.tgz (Feb 6 2016)
    sys-9.313-9.314-3.13.1.tgz (Feb 6 2016)
    sys-9.314-9.315-13.2.1.tgz (Feb 6 2016)
    sys-9.315-9.316-2.4.1.tgz (Feb 6 2016)
    sys-9.316-9.317-4.5.1.tgz (Feb 6 2016)
    sys-9.317-9.318-5.5.2.tgz (Feb 6 2016)
    sys-9.318-9.350-5.12.1.tgz (Feb 6 2016)
    sys-9.350-9.351-12.3.2.tgz (Feb 6 2016)
    sys-9.351-9.352-3.6.2.tgz (Feb 6 2016)
    sys-9.352-9.353-6.4.1.tgz (Feb 6 2016)
    sys-9.353-9.354-4.4.1.tgz (Apr 7 2016)
    sys-9.354-9.355-4.1.1.tgz (Apr 7 2016)
    sys-9.355-9.356-1.3.1.tgz (Oct 25 03:03)
    sys-9.356-9.357-3.1.4.tgz (Oct 25 03:04)
    sys-9.357-9.404-1.5.3.tgz (Oct 25 03:09)
    sys-9.404-9.405-5.5.1.tgz (Oct 25 03:11)
    sys-9.405-9.406-5.3.1.tgz (Oct 25 03:12)
    sys-9.406-9.407-3.3.1.tgz (Oct 25 03:15)
    Up2Dates available.........: 0
    Factory resets.............: 0
    Timewarps detected.........: 0

  • Thanks. I tried to reproduce your problem but for me everything works.

     

    The update path you went through looks valid.

     

    Did you do any modification to the machine like doing file manipulation in bash or manual patching?

     

  • Good news:

    We have identified the problem (basically there is no valid update path for the conversion feature with pretty old versions as yours).

    We are working on a fix and will release it with 9.408.

  • Good news:

    We have identified the problem (basically there is no valid upgrade path for the conversion feature with pretty old install versions as yours).

    We fixed this and it will be released with 9.408.

    So all you will have to do, as soon as 9.408 is release, is to upgrade and the conversion feature should work as intended for you.

    Thanks for finding and reporting this issue.

  • great... nothing like being "punished" again for being an early adopter of the UTM @ AWS :(  

    Glad to hear there's finally a fix coming though.  Better late than never I suppose.

  • I just upgraded to version Firmware version: 9.408-4  Pattern version:112573

         
     
         
      There is currently no migration path available for your version. A migration path will likely be made available soon. Try again in a few days

     

    I have a single AWS Sophos UTM installed in one VPC the above error is what I get when trying to click

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Unfortunately our new AMIs and templates are not published by Amazon yet.

     

    But this is in progress and should be finished in the next days.

     

    I will dig for some a release date with our product management.

     

    Apologizes for the confusion, with the release of this feature.

Reply Children
  • Sebastian, Thanks for the update,

     

    Please advise are you saying the current AMI i'm using will have to be shutdown and a new AMI will have to be lunched that will support the Auto HA warm setup feature? If that is the case How soon are the New AMI's going to be released this is critical because my company in the next two weeks wants to finalize the AWS firewall purchase.

     

    I would love to use Sophos But I cant without proper "Warm" HA fail-over. Can you give us all on this Blog a better time line and eta ?

     

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Anyupdate on the timeline for the New AWS Sophos utm  AMI I and I think the rest of the customers that need HA would like to see a date of the next AWS EC2 AMI availability and time line, I have production items I cant move into aws because my Firewall is not in an HA mode and I cant convert it. Really need time line thank you

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi Vitale.

    We released the AMIs and the template today :)

    So if you have a 9.408 running, or update to 9.408, you should now be able to start the conversion process.

    Any feedback is highly appreciated.

    Please let us know how it works for you.

    BTW, if you want to have a look on the templates, see the utm/conversion subfolder of our github:

    https://github.com/sophos-iaas/aws-cf-templates

  • Thank you for the update I'm running the latest AMI from amazon market place see screen shot below the version it says was  Updated: 11/17/16 but when I run the migration wizard it says its not able to migrate please wait a few days.

     

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Thank you for the update I'm running the latest AMI from amazon market place see screen shot below the version it says was  Updated: 11/17/16 but when I run the migration wizard it says its not able to migrate please wait a few days.

     

     

     

     

     

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi Vitale,

    Over the weekend, AWS published our latest UTM 9.408 release, which had a fix for the conversion utility. However, this morning our dev team confirmed certain scenarios where the conversion utility may convert PAYG AMIs to BYOL AMIs. Based on that, we pulled the conversion templates to prevent any customers from unintentionally converting over to BYOL. We're working on a fix and will update the forum once it goes live. Apologies for any inconveniences. Release notes are pasted below for reference.

    Thanks.

    community.sophos.com/.../sophos-utm-9-408-on-aws-release-notes

  • Do you know the time line and the Aws markets place AMI number that will be released in the upcoming days ?

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com

  • Hi guys

     

    Interesting reading. In the same situation here also. Unable to build a warm standby instance. Assume by reading this it is known about and we can expect something soon, tho a little concerning for an enterprise product what has happend in this thread. Not to worry, I do have faith in this, and believe once stable it will be a great product.

    Please update us once you have an ETA of a finished product as such. I am assuming that the EIP can be moved between each instance (between primary and standby) if an instance fails - could someone please confirm that. And what would you recommend in terms of placing these instances in a cluster across 2 Availability Zones, or building a cluster in each AZ ? 

    Thanks

  • Hi Zak,

    Thanks for looking at the UTM on AWS and appreciate you reaching out. Note that the most recent comments are around a new feature we've put in place that allows a customer to go from an already deployed stand alone/single UTM instance, to either a High Availability or Auto Scaling cluster of UTM's. You can currently simply use the existing CloudFormation template to install a new VPC and the HA pair of UTM's as discussed in the below linked KB which also has the CFT links. Also below is a link to our Github repo that we're populating with new CFT's and info, and also a link to our Auto Scaling Guide in case you have any questions about that. Let us know if you have anymore questions or need assistance with anything.

    I am assuming that the EIP can be moved between each instance (between primary and standby) if an instance fails - could someone please confirm that. Confirmed. The EIP is assigned to the active UTM instance and will be migrated to the passive UTM as part of the failover process. 

    And what would you recommend in terms of placing these instances in a cluster across 2 Availability Zones, or building a cluster in each AZ ? The linked CFT will deploy the UTM's into different Availability Zones per AWS Best Practice guidance. The UTM's also are monitored by AWS services such as CloudWatch and part of an Auto Scaling group, so if there is an issue with their health or the AZ, they'll be recreated automatically. The KB has some more info on the design.

    High Availability KB

    https://community.sophos.com/kb/hu-hu/122202

    Github repo

    https://github.com/sophos-iaas/aws-cf-templates

    UTM on AWS Auto Scaling Guide

    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosUTMAWS.pdf

    Bill

     

  • Zak,

     

    Bill is correct in the above statement. This thread is specifically to address and understand how long current customers on the latest Sophos UTM 9  version 9.408-4  on a AWS with a live production VPC environment have to wait before the  HA deployment feature within the GUI works. This thread is for sophos to report on ETA's report current firmware that address the issue and  issues with HA configurations, I would visit other threads that already answer and address concerns of EIP's and how they move between AWS AZ's.

     

     

     

     

     

    Thank You

     

    Vitale Mazo

     

     

    Vitale Mazo | Senior Systems Engineer
    Novus Partners Inc | 200 Park Avenue, 27th Floor  | New York, NY 10166
    212.586.3030 Ext. 1093 | Cell: 718-790-1150 | Vmazo@novus.com