[XG on Azure] How to Deploy the Sophos XG Firewall on Microsoft Azure using Powershell (Imperative method)

Is there support for using managed disks yet? Or is it only supported using blob storage?

Yes managed disks are supported. The Sophos provided template in the Sophos GitHub account can be modified to use managed disks rather than un-managed ones. If you need help with this, here's a sample template that I created that deploys the Sophos XG firewall to Azure using managed disks and premium storage! - https://raw.githubusercontent.com/iaasteamtemplates/XgOnAzurePOC/master/sophos-xg-managed-disk.json

You can deploy this via the Azure portal or using powershell with a parameters file.

DavidOkeyode said:

Yes managed disks are supported. The Sophos provided template in the Sophos GitHub account can be modified to use managed disks rather than un-managed ones. If you need help with this, here's a sample template that I created that deploys the Sophos XG firewall to Azure using managed disks and premium storage! - https://raw.githubusercontent.com/iaasteamtemplates/XgOnAzurePOC/master/sophos-xg-managed-disk.json

 

You can deploy this via the Azure portal or using powershell with a parameters file.

 

Is there anyway I you can help me with Powershell script? I tried to modify your existing script to convert from blob to managed disks but I can't seem to get it to work.

When using the Parameters file, it errors on me saying I can't use more than 2 NIC interfaces even though the Standard_F4 supports up to 4 NICs. I want to have a 3rd one for DMZ.

Any help would be appreciated!

Sent you a DM :)

I've tried multiple deployments and cannot get Managed Disks to work at all.

Logging in fails almost 50% of the time. I cannot do firmware upgrades unless I click 'upload file' and perform it manually which also fails several times before finally working.

Every time I test with vhds (original deployment) it works no problems.

Somewhere during provisioning, my guess is it's looking to install some files in the storage container location and not the managed disks.

Hi Mark,

I've also done this deployment (using the ARM template that I sent to you above) multiple times and not ran into the issues that you described. Could it be because the disk size was modified (I noticed now that you're using a custom disk size). Can you try creating with just the default from the image. I'm also still awaiting your email address in the DM that I sent. I'm at the Microsoft Ignite conference all week so can only send you a Zoom call invite for mid-next week (if I get your email).

Thanks.

Hi Mark,

I've also done this deployment (using the ARM template that I sent to you above) multiple times and not ran into the issues that you described. Could it be because the disk size was modified (I noticed now that you're using a custom disk size). Can you try creating with just the default from the image. I'm also still awaiting your email address in the DM that I sent. I'm at the Microsoft Ignite conference all week so can only send you a Zoom call invite for mid-next week (if I get your email).

Thanks.

DavidOkeyode said:

Hi Mark,

I've also done this deployment (using the ARM template that I sent to you above) multiple times and not ran into the issues that you described. Could it be because the disk size was modified (I noticed now that you're using a custom disk size). Can you try creating with just the default from the image. I'm also still awaiting your email address in the DM that I sent. I'm at the Microsoft Ignite conference all week so can only send you a Zoom call invite for mid-next week (if I get your email).

Thanks.

 

 

I've DM'ed you my phone last week. Please let me know if you received it.

The tests I've done this week are using the 4GB OS and using the default data disk size. Still not able to get it working.

However, after upgrading to MR-7 manually after several failed attempts, I am able to at least configure the network settings. Unfortunately, trying to get HA working in Azure doesn't seem possible as the VM fails to restart due to networking issues. My guess has something to do with XG requiring static IP's for LAN and DMZ (HA) zones and Azure saying not to use static IP's in the guest OS but only configuring static IP's on the network interface itself and leaving DHCP enabled on the guest OS.

2017/09/27 14:30:11.609132 INFO Retry=0, GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:21.624704 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:21.625060 INFO Retry=1, GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:31.393440 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:31.393713 INFO Retry=0, POST http://168.63.129.16/machine?comp=telemetrydata
2017/09/27 14:30:31.640554 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:31.640796 ERROR Event: name=WALA, op=, message=(000008)(000009)HTTP Err: GET http://168.63.129.16/machine/?comp=goalstate
2017/09/27 14:30:41.408913 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:41.409293 INFO Retry=1, POST http://168.63.129.16/machine?comp=telemetrydata
2017/09/27 14:3:51.424936 WARNING Socket IOError [Errno 101] Network is unreachable, args:(101, 'Network is unreachable')
2017/09/27 14:30:51.425322 ERROR (000008)Failed to send events:(000009)HTTP Err: POST http://168.63.129.16/machine?comp=telemetrydata

Hi Mark,

HA in a cloud environment like Azure is different from HA in an OnPrem environment. HA in Azure is achieved using Azure services like Load-Balancer, Sophos solutions like SFM and iView. The default HA will not work in an Azure environment as multicast is not allowed in Azure and the XG HA uses multicast - docs.microsoft.com/.../virtual-networks-faq

Let's discuss your architecture and options when we have the call.

Thanks.

DavidOkeyode said:

Hi Mark,

HA in a cloud environment like Azure is different from HA in an OnPrem environment. HA in Azure is achieved using Azure services like Load-Balancer, Sophos solutions like SFM and iView. The default HA will not work in an Azure environment as multicast is not allowed in Azure and the XG HA uses multicast - docs.microsoft.com/.../virtual-networks-faq

Let's discuss your architecture and options when we have the call.

Thanks.

 

That makes sense. I had a load balancer in front but I can see after reading more into it that the traditional HA is not supported.

Also at the Ignite conference I'm attending, Microsoft announced new changes to the way that HA and DR will be structured on Azure going forward :) Our Sophos solutions covers these scenarios also:

https://azure.microsoft.com/en-us/blog/introducing-azure-availability-zones-for-resiliency-and-high-availability/

azure.microsoft.com/.../

DavidOkeyode said:

Also at the Ignite conference I'm attending, Microsoft announced new changes to the way that HA and DR will be structured on Azure going forward :) Our Sophos solutions covers these scenarios also:

https://azure.microsoft.com/en-us/blog/introducing-azure-availability-zones-for-resiliency-and-high-availability/

azure.microsoft.com/.../

 

Wow, this is exciting