FW7525: Basic Sophos Firewall Deployment on AWS
Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Duration: 8 minutes
In this chapter you will learn how to deploy a Sophos Firewall on AWS.
Fig: Deploy Sophos Firewall | Verify the Routing | Manage Internet Ports
We will consider the deployment of Sophos Firewall on AWS as having three broad phases:
1. Deploying the Sophos Firewall from the AWS Marketplace, either through the AWS Console or
using CloudFormation
2. Configuring the necessary routing in AWS
3. Opening the required Internet ports in AWS
Deploy Sophos Firewall
We will start by looking at how to deploy a Sophos Firewall through the AWS portal.
Here we will be deploying using CloudFormation, as this is the standard method for deploying
Sophos Firewall on AWS.
Let’s look at how all this works with a simulation. This simulation will guide you through deploying
a Sophos Firewall on AWS using CloudFormation.
https://training.sophos.com/fw/simulation/AWSDeploy/1/start.html
Sophos has created AWS CloudFormation templates that can be used to deploy Sophos Firewall on
AWS. These can be downloaded from Sophos’ GitHub repository.
• Browse to the Sophos GitHub page
https://github.com/sophos-iaas/aws-cf-templates/tree/master/xg
• Select the relevant software version from the given list
• Click on standalone.template to view the AWS CloudFormation template
You can download and customize the CloudFormation templates provided by Sophos before using
them.
To use the CloudFormation template, create a new CloudFormation stack and choose to upload a
template file.
https://console.aws.amazon.com/cloudformation/home
Verify the Routing
By default, each VPC has a main route table that contains a route for the VPC’s address space, and
each subnet in the VPC has an association with this main route table.
Subnets will usually also have a route to the Internet that uses an AWS managed Internet gateway.
https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html
The CloudFormation template for deploying Sophos Firewall on AWS creates two subnets: a private
subnet for connecting to internal networks, and a public subnet that is Internet facing.
In the private subnet, a custom route is created in the route table that routes all Internet traffic to
the internal interface of Sophos Firewall.
Fig: Route Table associated with public subnet (VPC: Prod, address space 10.0.0.0/16; the diagram
shows the Sophos Firewall and EC2 instances in subnets 10.0.0.0/24, 10.0.1.0/24 and 10.0.2.0/24)
Destination   Target           Status
10.0.0.0/16   Local            Active
0.0.0.0/0     igw-1234567890   Active
In the public subnet, the route table sends Internet bound traffic to the AWS managed Internet
gateway.
We will now look at how you can verify that this routing is configured correctly in AWS.
Select the next route table, and on the Routes tab you will see that the Internet route targets
igw-<ID>. This is the AWS managed Internet gateway.
If you click on the Internet gateway link, this will open the Internet gateways page with the
selected gateway filtered. Notice that the Internet gateway is attached to the VPC where Sophos
Firewall is deployed.
You can also select the Subnet Associations tab to verify which CIDR the route table applies to.
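As an added example (not part of the Sophos course material), the check below applies the two routing rules just described to route tables in the shape EC2's describe_route_tables returns: the public subnet's default route must target an igw-, and the private subnet's must target the firewall's own internal interface. The firewall ENI, subnet and route-table ids are assumed placeholders; the igw id is the one from the figure.

```python
"""Check VPC route tables for the pattern the CloudFormation template creates:
the private subnet's default route targets the firewall's internal interface,
the public subnet's default route targets an AWS Internet gateway. Dict shape
mirrors EC2 describe_route_tables; the tables below are constructed samples."""

FIREWALL_INTERNAL_ENI = "eni-0placeholderlan"   # hypothetical firewall LAN interface

ROUTE_TABLES = [
    {"RouteTableId": "rtb-0public", "Associations": [{"SubnetId": "subnet-0public"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1234567890", "State": "active"}]},
    {"RouteTableId": "rtb-0private", "Associations": [{"SubnetId": "subnet-0private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FIREWALL_INTERNAL_ENI,
          "State": "active"}]},
]


def default_route_target(route_table):
    """Return (kind, target_id) for the active 0.0.0.0/0 route, where kind is
    'igw', 'eni', 'other' or 'missing'. Blackholed routes are ignored."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            return "igw", gateway
        if route.get("NetworkInterfaceId"):
            return "eni", route["NetworkInterfaceId"]
        return "other", gateway or route.get("NatGatewayId", "")
    return "missing", ""


def verify_routing(route_tables, firewall_eni, expected):
    """expected maps subnet id -> 'public' or 'private'. Returns {subnet: True/False}.
    A public subnet must default-route to an igw-; a private subnet must
    default-route to the firewall's own internal ENI, not merely to some ENI."""
    results = {}
    for table in route_tables:
        kind, target = default_route_target(table)
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet not in expected:
                continue
            if expected[subnet] == "public":
                results[subnet] = kind == "igw"
            else:
                results[subnet] = kind == "eni" and target == firewall_eni
    return results
```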
Manage Internet Ports
Finally, you will need to open any required ports from the Internet to the firewall.
The CloudFormation template creates three security groups as part of the deployment:
SecurityGroupLAN, SecurityGroupTrusted, and SecurityGroupPublic.
SecurityGroupLAN is attached to the private internal interface of Sophos Firewall. This security
group is used to manage network access from the private networks inside AWS.
SecurityGroupTrusted is attached to the public external interface of Sophos Firewall. This security
group manages access to TCP ports 22 (SSH) and 4444 (WebAdmin). Use this security group to
enable remote management to Sophos Firewall from only the required networks and hosts. It
prevents everyone else from being able to reach the management ports.
SecurityGroupPublic is also attached to the public external interface of Sophos Firewall. This
security group manages access to all ports from the Internet, except TCP 22 and 4444.
Here is the default rule set for the Public security group. As you can see, all ports are open to the
Internet except for TCP 22 and 4444. We recommend restricting access to all ports except those
that need to be open to the Internet; for example, access to web servers through the web
application firewall, or VPNs.
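The recommendation above, as an added example that is not Sophos's code: an audit over security groups in the shape EC2's describe_security_groups returns, with the default Public rule set beside a hardened one that opens only the ports assumed here to be required (TCP 443 for the web application firewall, UDP 500/4500 for IPsec VPN). The trusted CIDR 203.0.113.0/24 and the allowed-port list are assumptions for the example.

```python
"""Audit security groups against the recommendation above: TCP 22 and 4444
reachable only from named networks, and the Internet facing group limited to
the ports that must be open. Dict shape mirrors EC2 describe_security_groups;
the rules and CIDRs below are constructed placeholders for this example."""

WORLD = {"0.0.0.0/0", "::/0"}
MGMT_PORTS = {22, 4444}
ALLOWED_PUBLIC = {("tcp", 443), ("udp", 500), ("udp", 4500)}  # e.g. WAF + IPsec VPN

GROUPS = [  # Public mirrors the default "everything except TCP 22/4444" rule set
    {"GroupName": "SecurityGroupTrusted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupName": "SecurityGroupPublic", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 21, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 4443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 4445, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 1, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
HARDENED_PUBLIC = {"GroupName": "SecurityGroupPublic", "IpPermissions": [  # the recommended shape
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}


def world_open_rules(group):
    """Yield (protocol, from_port, to_port) for every rule that admits the whole Internet."""
    for perm in group.get("IpPermissions", []):
        cidrs = {r.get("CidrIp") or r.get("CidrIpv6")
                 for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        if perm["IpProtocol"] == "-1":      # '-1' means every protocol and every port
            yield "all", 0, 65535
        else:
            yield perm["IpProtocol"], perm["FromPort"], perm["ToPort"]


def audit(groups, allowed_public=ALLOWED_PUBLIC):
    """Return finding strings; empty means no exposure beyond the allowed list."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        for proto, lo, hi in world_open_rules(group):
            ports = set(range(lo, hi + 1))
            if proto != "udp" and ports & MGMT_PORTS:
                findings.append(f"{name}: management port(s) {sorted(ports & MGMT_PORTS)} open to the Internet")
            extra = ports - {p for ap, p in allowed_public if ap == proto}
            if extra:   # outer bounds of the unneeded span
                findings.append(f"{name}: {proto} {min(extra)}-{max(extra)} open to the Internet but not required")
    return findings
```

Run against a live account by feeding the `SecurityGroups` list from describe_security_groups in place of the constructed sample.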
The CloudFormation template for deploying Sophos Firewall on AWS creates two subnets: a private
subnet for connecting to internal networks, where all Internet traffic is routed to the internal
interface of the firewall, and a public, Internet-facing subnet that routes Internet traffic to the
AWS managed gateway.