[XG on Azure] How to Deploy the Sophos XG Firewall on Microsoft Azure using Powershell (Imperative method)

Well done David. Compliment. I am sure more than one user will use your script. Sophos should create a proper KB and include your script.

Thanks !!

Hi David,

Many thanks for putting these videos and resources together.  They have helped me tremendously!!

Could you add another scenario to your list for the future?  I'd love to see you deploy an Azure Load Balancer with multiple pubilc IP's in front of the XG and how that setup would be deployed/work.

Thanks,

John

Is there support for using managed disks yet? Or is it only supported using blob storage?

Yes managed disks are supported. The Sophos provided template in the Sophos GitHub account can be modified to use managed disks rather than un-managed ones. If you need help with this, here's a sample template that I created that deploys the Sophos XG firewall to Azure using managed disks and premium storage! - https://raw.githubusercontent.com/iaasteamtemplates/XgOnAzurePOC/master/sophos-xg-managed-disk.json

You can deploy this via the Azure portal or using powershell with a parameters file.

DavidOkeyode said:

Yes managed disks are supported. The Sophos provided template in the Sophos GitHub account can be modified to use managed disks rather than un-managed ones. If you need help with this, here's a sample template that I created that deploys the Sophos XG firewall to Azure using managed disks and premium storage! - https://raw.githubusercontent.com/iaasteamtemplates/XgOnAzurePOC/master/sophos-xg-managed-disk.json

 

You can deploy this via the Azure portal or using powershell with a parameters file.

 

Is there anyway I you can help me with Powershell script? I tried to modify your existing script to convert from blob to managed disks but I can't seem to get it to work.

When using the Parameters file, it errors on me saying I can't use more than 2 NIC interfaces even though the Standard_F4 supports up to 4 NICs. I want to have a 3rd one for DMZ.

Any help would be appreciated!

Sent you a DM :)

I've tried multiple deployments and cannot get Managed Disks to work at all.

Logging in fails almost 50% of the time. I cannot do firmware upgrades unless I click 'upload file' and perform it manually which also fails several times before finally working.

Every time I test with vhds (original deployment) it works no problems.

Somewhere during provisioning, my guess is it's looking to install some files in the storage container location and not the managed disks.

Hi Mark,

I've also done this deployment (using the ARM template that I sent to you above) multiple times and not ran into the issues that you described. Could it be because the disk size was modified (I noticed now that you're using a custom disk size). Can you try creating with just the default from the image. I'm also still awaiting your email address in the DM that I sent. I'm at the Microsoft Ignite conference all week so can only send you a Zoom call invite for mid-next week (if I get your email).

Thanks.

DavidOkeyode said:

Hi Mark,

I've also done this deployment (using the ARM template that I sent to you above) multiple times and not ran into the issues that you described. Could it be because the disk size was modified (I noticed now that you're using a custom disk size). Can you try creating with just the default from the image. I'm also still awaiting your email address in the DM that I sent. I'm at the Microsoft Ignite conference all week so can only send you a Zoom call invite for mid-next week (if I get your email).

Thanks.

 

 

I've DM'ed you my phone last week. Please let me know if you received it.

The tests I've done this week are using the 4GB OS and using the default data disk size. Still not able to get it working.

However, after upgrading to MR-7 manually after several failed attempts, I am able to at least configure the network settings. Unfortunately, trying to get HA working in Azure doesn't seem possible as the VM fails to restart due to networking issues. My guess has something to do with XG requiring static IP's for LAN and DMZ (HA) zones and Azure saying not to use static IP's in the guest OS but only configuring static IP's on the network interface itself and leaving DHCP enabled on the guest OS.

2017/09/27 14:30:11.609132 INFO Retry=0, GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:21.624704 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:21.625060 INFO Retry=1, GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:31.393440 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:31.393713 INFO Retry=0, POST http://168.63.129.16/machine?comp=telemetrydata
2017/09/27 14:30:31.640554 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:31.640796 ERROR Event: name=WALA, op=, message=(000008)(000009)HTTP Err: GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:41.408913 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:41.409293 INFO Retry=1, POST http://168.63.129.16/machine?comp=telemetrydata
2017/09/27 14:3:51.424936 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:51.425322 ERROR (000008)Failed to send events:(000009)HTTP Err: POST http://168.63.129.16/machine?comp=telemetrydata