FW7525 19.0v1 Basic Sophos Firewall Deployment On AWS


Basic Sophos Firewall

Deployment on AWS

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW7525: Basic Sophos Firewall Deployment on AWS

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Basic Sophos Firewall Deployment on AWS - 1


Basic Sophos Firewall Deployment on AWS

In this chapter you will learn how to deploy a Sophos Firewall on AWS.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Deploying Sophos Firewall
✓ How Sophos Firewall can be used to improve the security of cloud deployments

DURATION
8 minutes



Deployment

Fig: Deployment phases: Deploy Sophos Firewall, Verify the Routing, Manage Internet Ports

We will consider the deployment of Sophos Firewall on AWS as being in broadly three phases:
1. Deploying the Sophos Firewall from the AWS Marketplace, either through the AWS Console or
using CloudFormation
2. Configuring the necessary routing in AWS
3. Opening the required Internet ports in AWS



Deploy Sophos Firewall

We will start by looking at how to deploy a Sophos Firewall through the AWS portal.



Sophos Firewall AWS Deployment Overview

Fig: Deployment steps: Search for Sophos Firewall in the AWS Marketplace and select to deploy it;
Complete the necessary parameters; Obtain the public IP address of the Sophos Firewall; Connect
to the WebAdmin and complete the initial configuration

This is a relatively simple process that consists of:

• Searching for Sophos Firewall in the AWS Marketplace and selecting to deploy it
• Completing the necessary parameters for the deployment, which include:
  • License type: bring-your-own-license (BYOL) or pay-as-you-go (PAYG)
  • Virtual machine (instance) size
  • Subnets
  • IP address and hostname
  • Storage
• Once the Sophos Firewall is deployed, obtaining its public IP address from the AWS portal
• Logging in to the WebAdmin (TCP 4444 on that public IP address) to complete the initial
configuration of the Sophos Firewall. This only works from a source address that the security
group on the firewall's WAN interface permits, which is covered under Manage Internet Ports
below.

Here we will be deploying using CloudFormation, as this is the standard method for deploying
Sophos Firewall on AWS.



Deploy a Sophos Firewall on AWS

In this simulation you will deploy a Sophos Firewall on AWS using CloudFormation.

Let's look at how all this works with a simulation. This simulation will guide you through deploying
a Sophos Firewall on AWS using CloudFormation.

Launch the activity by clicking the button on screen now.

[Additional Information]
https://training.sophos.com/fw/simulation/AWSDeploy/1/start.html



Sophos Firewall CloudFormation Templates (additional information in the notes)

• AWS CloudFormation (CFT) templates are available from our GitHub repository
o https://github.com/sophos-iaas/aws-cf-templates/tree/master/xg

Sophos has created AWS CloudFormation templates that can be used to deploy Sophos Firewall on
AWS. These can be downloaded from Sophos' GitHub repository.

[Additional Information]
• Browse to the Sophos GitHub page
https://github.com/sophos-iaas/aws-cf-templates/tree/master/xg
• Select the relevant software version from the given list
• Click on standalone.template to view the AWS CloudFormation template

You can download and customize the templates before using them. It is worth reading the template
first, because it is what defines the subnets, route tables and security groups that the rest of this
chapter verifies.



Sophos Firewall CloudFormation Templates (additional information in the notes)

• Upload the template when creating a new CloudFormation stack

To use the CloudFormation template, create a new CloudFormation stack and choose to upload a
template file.

[Additional Information]
https://console.aws.amazon.com/cloudformation/home



Verify Routing in AWS

Next, verify the routing.



Default Routing (additional information in the notes)

• The VPC's main route table has a route for the whole VPC address space
• Subnets have an association to the main route table
• Subnets usually have a route to the Internet using an AWS managed Internet gateway

Fig: VPC "Prod", address space 10.0.0.0/16, with an Internet Gateway and two subnets holding
EC2 instances: 10.0.0.0/24 (router 10.0.0.1) and 10.0.1.0/24 (router 10.0.1.1)

Fig: Main Route Table
Destination    Target           Status
10.0.0.0/16    Local            Active

Fig: Subnet Route Table
Destination    Target           Status
10.0.0.0/16    Local            Active
0.0.0.0/0      igw-1234567890   Active

By default, each VPC has a main route table that contains a route for the VPC's address space, and
each subnet in the VPC has an association with this main route table.

Subnets will usually also have a route to the Internet that uses an AWS managed Internet gateway.

[Additional Information]
https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html



Private Subnet Routing

• Two subnets are created
  • Private for LAN
  • Public for WAN
• A route is created in the private subnet route table for Internet traffic to the Sophos Firewall
LAN interface

Fig: VPC "Prod", address space 10.0.0.0/16, with subnets 10.0.0.0/24 (router 10.0.0.1),
10.0.1.0/24 (router 10.0.1.1) and 10.0.2.0/24 (router 10.0.2.1) holding EC2 instances; the
Sophos Firewall (SF) LAN interface is at 10.0.2.5

Fig: Route Table associated with private subnet
Destination    Target           Status
10.0.0.0/16    local            Active
0.0.0.0/0      eni-987654321    Active

The CloudFormation template for deploying Sophos Firewall on AWS creates two subnets; a private
subnet for connecting to internal networks, and a public subnet that is Internet facing.

In the private subnet, a custom route is created in the route table that routes all Internet traffic to
the internal interface of Sophos Firewall.



Public Subnet Routing

• In the public subnet, the route table sends Internet bound traffic to the AWS managed Internet
gateway

Fig: VPC "Prod", address space 10.0.0.0/16, with the private subnets 10.0.0.0/24 (router
10.0.0.1), 10.0.1.0/24 (router 10.0.1.1) and 10.0.2.0/24 (router 10.0.2.1, Sophos Firewall LAN
interface at 10.0.2.5), and the public subnet (router 10.0.3.1) connected to the Internet Gateway

Fig: Route Table associated with public subnet
Destination    Target           Status
10.0.0.0/16    Local            Active
0.0.0.0/0      igw-1234567890   Active

In the public subnet, the route table sends Internet bound traffic to the AWS managed Internet
gateway.



Verify the Route Table Attached to the Private Subnet

We will now look at how you can verify that this routing is configured correctly in AWS.

1. In AWS navigate to VPC and select Route Tables on the left
2. Filter the route tables using the VPC ID, name, or tag
3. Select a route table
4. Select the Routes tab
5. The Internet route (0.0.0.0/0) that targets the eni- interface is directing traffic to the
Sophos Firewall. If you click on the link, you can see the network interface it is associated with,
and in the description you should see 'ENI for Private Subnet'. The route's Status should be
Active; a Status of Blackhole means the target interface no longer exists and Internet traffic
from the private subnet is being dropped. Because this interface forwards traffic that is not
addressed to it, AWS also requires its source/destination check to be disabled; confirm that on
the network interface if traffic does not flow.



Verify the Route Table Attached to the Private Subnet

You can also select the Subnet Associations tab to verify which CIDR the route table applies to.



Verify the Route Table Attached to the Public Subnet

Select the next route table, and on the Routes tab you will see that the Internet route targets igw-
<ID>. This is the AWS managed Internet gateway.

If you click on the Internet gateway link, this will open the Internet gateways page with the
selected gateway filtered. Notice that the Internet gateway is attached to the VPC where Sophos
Firewall is deployed.



Verify the Route Table Attached to the Public Subnet

You can also select the Subnet Associations tab to verify which CIDR the route table applies to.

With these settings reviewed you have verified the routing.
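The same checks can be scripted instead of clicked through. The following is an added example written for this chapter, not Sophos code or part of the CloudFormation template: it takes the JSON that `aws ec2 describe-route-tables`, `aws ec2 describe-network-interfaces` and `aws ec2 describe-internet-gateways` return and applies the two rules verified above (the private subnet's 0.0.0.0/0 route must target the ENI described as 'ENI for Private Subnet' and be Active; the public subnet's must target an Internet gateway attached to the VPC). The sample data is constructed and embedded so it runs offline; the eni-/igw- IDs and the ENI description are the ones shown on the slides, while the vpc-, rtb- and subnet- IDs are made up.

```python
"""Check the route tables a Sophos Firewall CloudFormation stack leaves behind.

Added example, not Sophos code. The input has the shape of
  aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
  aws ec2 describe-network-interfaces --network-interface-ids <eni-id>
  aws ec2 describe-internet-gateways --internet-gateway-ids <igw-id>
The samples below are constructed; eni-/igw- IDs and the ENI description come
from the slides, the vpc-/rtb-/subnet- IDs are made up.
"""
import json

SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-prod",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
   "Associations": [{"Main": true}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-prod",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-987654321", "State": "active"}],
   "Associations": [{"Main": false, "SubnetId": "subnet-private"}]},
  {"RouteTableId": "rtb-public", "VpcId": "vpc-prod",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1234567890", "State": "active"}],
   "Associations": [{"Main": false, "SubnetId": "subnet-public"}]}
]}
""")
SAMPLE_ENIS = {"eni-987654321": {"Description": "ENI for Private Subnet", "SubnetId": "subnet-private"}}
SAMPLE_IGWS = {"igw-1234567890": {"Attachments": [{"VpcId": "vpc-prod", "State": "available"}]}}


def table_for_subnet(route_tables, subnet_id):
    """The explicitly associated table if there is one, else the VPC's main table."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route(table):
    """The table's 0.0.0.0/0 route, or None."""
    return next((r for r in table.get("Routes", [])
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def classify(table, enis, igws, vpc_id):
    """'private' if the default route hits the firewall's LAN ENI, 'public' if it
    hits an Internet gateway attached to this VPC, otherwise 'unexpected'."""
    route = default_route(table)
    if route is None:
        return "unexpected", "no 0.0.0.0/0 route (Internet traffic stays in the VPC)"
    if route.get("State") != "active":           # 'blackhole' when the target is gone
        return "unexpected", f"0.0.0.0/0 route state is {route.get('State')}"
    eni_id, gw_id = route.get("NetworkInterfaceId"), route.get("GatewayId", "")
    if eni_id:
        desc = enis.get(eni_id, {}).get("Description", "")
        if desc == "ENI for Private Subnet":
            return "private", f"0.0.0.0/0 -> {eni_id} ({desc})"
        return "unexpected", f"0.0.0.0/0 -> {eni_id} is not the firewall LAN interface"
    if gw_id.startswith("igw-"):
        attachments = igws.get(gw_id, {}).get("Attachments", [])
        if any(a.get("VpcId") == vpc_id and a.get("State") == "available" for a in attachments):
            return "public", f"0.0.0.0/0 -> {gw_id}, attached to {vpc_id}"
        return "unexpected", f"{gw_id} is not attached to {vpc_id}"
    return "unexpected", f"0.0.0.0/0 -> {gw_id or route}"


def verify_routing(route_tables, enis, igws, vpc_id, private_subnet, public_subnet):
    """Return (ok, {subnet_id: (kind, detail)}) for the stack's two subnets."""
    result = {}
    for subnet in (private_subnet, public_subnet):
        table = table_for_subnet(route_tables, subnet)
        kind, detail = classify(table, enis, igws, vpc_id) if table else ("unexpected", "no route table")
        result[subnet] = (kind, f"{table['RouteTableId'] if table else '-'}: {detail}")
    ok = result[private_subnet][0] == "private" and result[public_subnet][0] == "public"
    return ok, result


if __name__ == "__main__":
    ok, result = verify_routing(SAMPLE_ROUTE_TABLES, SAMPLE_ENIS, SAMPLE_IGWS,
                                "vpc-prod", "subnet-private", "subnet-public")
    for subnet, (kind, detail) in result.items():
        print(f"{subnet}: {kind:10} {detail}")
    print("routing OK" if ok else "routing NOT as expected")
```

To run it against a real stack, replace the three SAMPLE_ constants with the parsed output of the commands named in the docstring and pass the VPC and subnet IDs from the CloudFormation stack's resources. A subnet that has lost its explicit association silently falls back to the main route table, which is why the function resolves the table per subnet rather than trusting the table names.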



Manage Internet Ports in AWS

Finally, you will need to open any required ports from the Internet to the firewall.



EC2 > Network & Security > Security Groups
Security Groups in AWS

Fig: Three security groups: SecurityGroupPublic manages network access from the Internet;
SecurityGroupLAN manages network access from private networks; SecurityGroupTrusted manages
remote access ports on the WAN

The CloudFormation template creates three security groups as part of the deployment:
SecurityGroupLAN, SecurityGroupTrusted, and SecurityGroupPublic.

SecurityGroupLAN is attached to the private internal interface of Sophos Firewall. This security
group is used to manage network access from the private networks inside AWS.

SecurityGroupTrusted is attached to the public external interface of Sophos Firewall. This security
group manages access to TCP ports 22 (SSH) and 4444 (WebAdmin). Use this security group to
allow remote management of Sophos Firewall from only the required networks and hosts, by
listing their addresses as the source of its inbound rules; everyone else is then unable to reach
the management ports. A source of 0.0.0.0/0 in this group would expose both management ports
to the whole Internet.

SecurityGroupPublic is also attached to the public external interface of Sophos Firewall. This
security group manages access to all ports from the Internet, except TCP 22 and 4444.



Restrict Traffic on Public Interface

To restrict or modify inbound traffic on the public interface:

• Navigate to EC2 > Network & Security > Security Groups
• Filter on the stack name
• Select the security group with the name containing SecurityGroupPublic
• Select the Inbound rules tab
• Click Edit inbound rules



Manage Internet Ports in AWS

The default rule set for the Public security group opens all ports to the Internet except TCP 22
and 4444. We recommend removing everything except the ports that need to be open to the
Internet; for example, HTTPS (TCP 443) for web servers published through the web application
firewall, or the ports used by your VPNs. The security group only limits what can reach the
firewall's WAN interface, and traffic it admits is still subject to the firewall's own rules, but every
port left open here is additional attack surface on the firewall itself.
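The following is an added example, not Sophos code or part of the template, that audits the two WAN-side security groups the way this section describes: it takes the JSON shape returned by `aws ec2 describe-security-groups`, reports any rule in SecurityGroupPublic that exposes more than a required service to 0.0.0.0/0 (or ::/0), confirms the required services are still reachable, and reports management ports in SecurityGroupTrusted that are open to the whole Internet. All sample data is constructed: the way DEFAULT_PUBLIC encodes "all ports except TCP 22 and 4444" is an assumption rather than the template's literal rules, the group names are made up, and REQUIRED is an example list of published services (WAF-fronted HTTPS plus IPsec IKE/NAT-T), not a default.

```python
"""Audit the two security groups on the Sophos Firewall WAN interface.

Added example, not Sophos code. Input has the shape of
  aws ec2 describe-security-groups --filters Name=tag:aws:cloudformation:stack-name,Values=<stack>
All samples are constructed. DEFAULT_PUBLIC is an assumed encoding of "all ports
except TCP 22 and 4444", not the template's literal rules; REQUIRED is an example.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
MGMT_PORTS = (22, 4444)     # SSH and WebAdmin: reachable only via SecurityGroupTrusted


def _sg(name, rules):
    """Build one describe-security-groups entry from (proto, from_port, to_port, cidr) tuples."""
    return {"GroupName": name, "IpPermissions": [
        {"IpProtocol": p, "FromPort": lo, "ToPort": hi,
         "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []} for p, lo, hi, cidr in rules]}


# Management only from an admin network (203.0.113.0/24 is a documentation range).
TRUSTED = _sg("sfos-SecurityGroupTrusted-1A2B", [("tcp", 22, 22, "203.0.113.0/24"),
                                                ("tcp", 4444, 4444, "203.0.113.0/24")])
# Assumed shape of the default: everything from the Internet except TCP 22 and 4444.
DEFAULT_PUBLIC = _sg("sfos-SecurityGroupPublic-3C4D", [("tcp", 0, 21, ANY_V4), ("tcp", 23, 4443, ANY_V4),
                                                      ("tcp", 4445, 65535, ANY_V4), ("udp", 0, 65535, ANY_V4)])
# Hardened: only HTTPS (sites behind the WAF) and IPsec IKE/NAT-T for VPN.
HARDENED_PUBLIC = _sg("sfos-SecurityGroupPublic-3C4D", [("tcp", 443, 443, ANY_V4),
                                                       ("udp", 500, 500, ANY_V4), ("udp", 4500, 4500, ANY_V4)])
DEFAULT = {"SecurityGroups": [TRUSTED, DEFAULT_PUBLIC]}
HARDENED = {"SecurityGroups": [TRUSTED, HARDENED_PUBLIC]}
REQUIRED = {("tcp", 443), ("udp", 500), ("udp", 4500)}   # example: published services


def open_to_internet(group):
    """(protocol, from_port, to_port) for every inbound rule whose source is 0.0.0.0/0 or ::/0."""
    ranges = []
    for perm in group.get("IpPermissions", []):
        v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
        v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
        if not (v4 or v6):
            continue
        proto = perm["IpProtocol"]
        if proto == "-1":                        # "All traffic": every protocol and port
            ranges.append(("-1", 0, 65535))
        else:
            ranges.append((proto, perm.get("FromPort", 0), perm.get("ToPort", 65535)))
    return ranges


def _reachable(ranges, proto, port):
    return any(p in (proto, "-1") and lo <= port <= hi for p, lo, hi in ranges)


def audit(groups, required):
    """Findings for the Trusted and Public groups; an empty list means nothing to fix."""
    findings = []
    for group in groups["SecurityGroups"]:
        name, ranges = group["GroupName"], open_to_internet(group)
        if "SecurityGroupTrusted" in name:
            for port in MGMT_PORTS:              # management must never be world-reachable
                if _reachable(ranges, "tcp", port):
                    findings.append(f"{name}: management port TCP {port} is open to the Internet")
        elif "SecurityGroupPublic" in name:
            for proto, lo, hi in ranges:         # anything wider than a required single port
                if proto == "-1" or lo != hi or (proto, lo) not in required:
                    findings.append(f"{name}: {proto} {lo}-{hi} is open to the Internet but not required")
            for proto, port in sorted(required):  # and the published services must still work
                if not _reachable(ranges, proto, port):
                    findings.append(f"{name}: required service {proto}/{port} is not reachable")
    return findings


if __name__ == "__main__":
    for label, groups in (("default", DEFAULT), ("hardened", HARDENED)):
        print(f"{label}: {audit(groups, REQUIRED) or ['no findings']}")
```

Run against a real stack by replacing DEFAULT with the parsed CLI output and REQUIRED with the services you actually publish; the audit flags the default rule set four times (one per broad range) and the hardened one not at all. Security groups are stateful, so replies to connections the firewall itself initiates are unaffected by tightening the inbound rules.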



Chapter Review


Here are the main things you learned in this chapter.

The CloudFormation template for deploying Sophos Firewall on AWS creates two subnets; a private
subnet for connecting to internal networks, where all Internet traffic is routed to the internal
interface of the firewall, and a public subnet that is Internet facing, which routes Internet traffic to
the AWS managed gateway.

The CloudFormation template creates three security groups; SecurityGroupLAN,
SecurityGroupTrusted, and SecurityGroupPublic. SecurityGroupLAN is attached to the private
interface of Sophos Firewall to manage network access from the internal networks.

SecurityGroupTrusted and SecurityGroupPublic are attached to the public external interface of
Sophos Firewall. SecurityGroupTrusted manages access to TCP ports 22 (SSH) and 4444
(WebAdmin) for remote management. SecurityGroupPublic is for all other ports.



