Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended Read will help you to deploy the Sophos Firewall version 19 in AWS cloud with autoscaling feature enabled that facilitates the firewall EC2 instances to automatically scale up/down depending upon the load they are experiencing and the trigger events to support this activity. 

Sophos Central acts as a primary controller having the required configurations in place on the firewall group level itself and the firewall EC2 instances in AWS act as worker nodes that gets automatically provisioned, auto approved, and gets placed in the correct firewall group of the Sophos Central. 

Pre-requisites and important information

• You need an AWS account to deploy Sophos Firewall. 
• Sophos Firewall must be running on version 19.0 MR1 or above. 
• You need to create API Credentials from Sophos Central with the Service Principal Firewall role. 
• Firewall EC2 instance in autoscaling comes as single-arm deployment, which means it has only one functioning interface (PortB). 
• Only PAYG licensing is supported as of now. 
• It only supports inbound traffic flow use-cases like DNAT and WAF. 

Network diagram

A basic architectural diagram of the setup can be found below.

Note: The IP addresses used in this setup and document are for demo purpose. You may choose any IP subnet range and the values in autoscaling group parameters during the deployment.

Sophos Central for API credentials

Step 1.1 Sophos Central

Login to the Sophos central account by accessing the website central.sophos.com and entering the credentials and OTP.

Step 1.2 API Credentials Management

Navigate to Global Settings > Administration > API Credentials Management and click on Add credential button to create a new one.

Step 1.3 Credentials and Role

Enter an appropriate credentials name and select the Role as Service Principal Firewall and click the Add button.

Step 1.4 Client ID and Client Secret

Copy the values of Client ID and Client secret and save it in a text file. We will need these values in the other Lab sections.

AWS web console 

We will use the autoscaling template from AWS Marketplace subscription and it will be used to initiate the CloudFormation stack deployment of Sophos Firewall.

Note: Currently this new autoscaling functionality is supported only for Sophos Firewall PAYG pricing model.

Step 2.0 Key Pairs

You can skip to step 2.1, if you already have a key pair created in your AWS account.

Login to the AWS web console and search for EC2 service and once it is displayed in the results, click on it.
On the left side menu, navigate to Network & Security > Key pairs and click on Create key pair button.

Enter a name for the key, keep other parameters as-is and click on the Create key pair button to generate a new key pair.

Step 2.1 AWS Marketplace

From your AWS web console, search for AWS Marketplace, then go to Discover products section and search for Sophos PAYG. 

Step 2.2 Fulfillment Option

After subscribing to this PAYG model, under fulfillment option, select Sophos Auto Scaling Firewall for AWS with the required deployment region and then click on Continue to Launch button. 

Step 2.3 Launching Software

Select the Launch CloudFormation option from the drop-down list and then click on the Launch button. 

Step 2.4 Stack Creation

Now this will redirect you to the CloudFormation stack deployment page having the template file detected in the S3 URL section. Click on the Next button. 

CloudFormation stack

Now we will enter the details of CloudFormation stack and initiate the deployment of Sophos Firewall instances. 

Step 3.1 Specify Stack Details

After clicking on the Next button in step 2.4, you will be asked to enter information about the deployment. 

Enter a meaningful stack name for this CloudFormation stack, keep the AMI ID as autodetect and Instance size as m5.large. You may choose smaller instance size too, if needed. 

Step 3.2 Availability Zone

Select separate Availability Zones for each drop-down section, so that the firewall EC2 instances get deployed in both the Availability Zones.

If you wish to deploy the firewall instances in a new VPC, enter the first two octet of the VPC network subnet that is unused as Network Address Prefix and leave other subsequent parameters as blank.

Alternatively, if you wish to deploy the firewall EC2 instances in an existing VPC network, then along with the correct network prefix, you need to compulsorily enter the VPC ID, public subnet ID and private subnet ID.

Note: If you are using an existing subnet for your Sophos Firewalls then you must ensure it has the ‘Auto-assign public IPv4 address option enabled (Yes).

Step 3.3 Trusted Network

Check your public IP using www.whatismyip.com and then enter that public IP in Trusted Network CIDR with a /32. You must NOT enter 0.0.0.0/0 as it will open access to all the ports for the firewall over the internet.

Enter the following:

• Enter the Public Network CIDR as 0.0.0.0/0, as this will allow inbound traffic to the firewall instances from all the ports, except the management ports 22 and 4444.
• Name for your Sophos Firewall instances.
• Administrator password that is in line with the password policy and will be used by username admin for web console and CLI access.
• Also enter the Secure Storage Master Key (SSMK) that you would want to be used by the firewall to encrypt its data.

Step 3.4 Selecting Keypairs

Select the previously created Keypairs in step 2.0.

CloudWatch integration is supported now, so you can select yes for Use CloudWatch option and the firewall will start sending its logs to the CloudWatch for monitoring and storage purpose.

Enter the email ID and password of the Sophos Central account, so that the firewall instances get automatically registered without any manual intervention.

Step 3.5 Sophos Central Client ID

Paste the "Client ID" and "Client secret value" that was initially noted down in step 1.4.

Enter the name of the Central Firewall Group that will be automatically created in Sophos Central account.

Step 3.6 Auto Scaling Configuration

We will define the number of firewall EC2 instances needed in this autoscaling group.

If you need a minimum of two instances to be running all the time, then you can set the Minimum capacity value as 2.

In this example we have set this value as 2.

Starting capacity would be number of instances that will be deployed initially as a part of this deployment. So if the maximum instances are supposed to be 4, it is recommended to see the same value as the starting capacity, so that all these instances are deployed simultaneously and gets registered and added into firewall group instantly. In this example we set the value as 4.

Maximum capacity is the maximum number of firewall instances that would be a part of this autoscaling group, and we have set this value as 4.

Warm Pool Refresh Period is the number of days in which the instances that are in stopped state will go into running state, just to get synchronized with the Sophos Central and get the updated configuration synced from Firewall Group. Default value is 5 days.

For example, out of 4 instances, if 2 are running all the time, the other 2 instances will also come into the running state once in every 5 days, just to remain updated with the configuration done on the Firewall Group level and also to sync with Sophos Central.

Step 3.7  End User License Agreement

You can type yes (case-sensitive) to agree with its terms and conditions.

Select on option from the drop-down list for customer experience improvement program participation and click on the Next button.

Step 3.8 Tags

it is recommended to enter the Key as OwnerName and then type in your First and Last Name as its Value. This will help you to identify the owner of the resources in AWS account. You may also use the naming conventions of you organization as tags. 

Click on the Next button. 

Step 3.9 IAM Resources Submission

Scroll down and enable the tick mark for acknowledgement of IAM resources creation and then click the Submit button. 

This will start the deployment process and will take approximately 15 to 20 minutes. Once the deployment is completed you will see the status as CREATE_COMPLETE for your stack. At this stage you have successfully deployed the Sophos Firewall EC2 instances in autoscaling group.

After the deployment is completed successfully, login to your Sophos Central account and it will show the Firewall Group and 4 Firewall PAYG instances automatically placed in that group. 

Now we check the capacity values of Autoscaling group and rename the firewall EC2 instances for easy identification purposes. 

Step 4.1 AWS EC2

Login to the AWS web console and go to EC2 section.  

On the left menu, scroll down and click on Auto Scaling Groups and you will see a new autoscaling group created by the CloudFormation stack.  

Click on it and see the values of capacity in Group details. Click on the Edit button to modify those values and if you always want at least 2 EC2 instances (one from each AZ) to be up and running all the time, then set the Desired capacity and Minimum capacity value as 2 and click on Update button.

Step 4.2 Renaming Instances

On the same left menu, scroll up and click on Instances and you can see 4 Firewall EC2 instances with same name. So, click on the rename icon and make sure that you give some unique value in their names, so that you can identify each EC2 instances easily. 

DNAT use-case configuration

We will configure DNAT for RDP server in the Sophos Central firewall group, so that the same configuration is inherited by all the firewall EC2 instances.

Following is a high-level architectural diagram of the network setup that we have used as a reference to show the configuration steps:

Step 5.1 Firewall Management

Login to your Sophos Central account, go to Firewall Management > Firewalls and click on the three dots icon on the right side of the group name and click on Manage policy

Step 5.2 IP Host

Inside the group policy, navigate to SYSTEM > Hosts and Services > IP Host and create IP Range hosts (except the first IP x.x.x.1) for subnets of both the AZs, that belongs to PortB.

Also create an IP host object for internal RDP server IP address.

Step 5.3 Host & Services

Go to the Services section and create a new service for RDP port TCP 3389.

Step 5.4 Firewall Rules

On the left menu, scroll up and navigate to PROTECT > Rules and policies > Firewall rules and click on Add Firewall Rule button to create a new rule. 

Enter the firewall rule name, logging option enabled. 

• Select the Source zone as WAN,
• Source networks and devices as Any. 
• Destination zone as WAN, Destination networks as IP range hosts created in step 5.2 and Services as RDP created in step 5.3 
• Click on Save. 

Step 5.5 NAT Rules

Go to NAT rules > Add NAT rule and click on New NAT rule to create the DNAT rule for the RDP server.

• Select the Original source as Any, Original destination as the IP range hosts created in step 5.2 and Original Service as RDP created in step 5.3.
• Translated Source (SNAT) as MASQ, Translated Destination (DNAT) as the IP host object for RDP server internal IP created in step 5.2 and Translated service as Original.
• Keep the Inbound interface and Outbound interface as Any and click on Save.

Step 5.6 RDP Target Groups

In the AWS web console, go to EC2 > Load Balancing > Load Balancers and select Target Groups.

It will show 2 target groups auto created for port 80 and 443.

Click on Create target group and select the target type as Instances.

Enter the name of the Target group and select the Protocol and Port as TCP and 3389 respectively.

Select the correct VPC and click on Next.

Do NOT select any EC2 instances and click on Create target group.

Step 5.7 Auto Scaling Group

Now click on Auto Scaling Groups in the left menu and click on the name of the auto scaling group created for the firewall EC2 instance. 

In the Details tab, scroll down to Load balancing and click on Edit. 

Select the newly created RDP target group from the drop-down list and click on Update. 

 

Step 5.8 Load Balancer

Now click on Load balancers in the left menu and you will see the Load Balancer created for the autoscaling group of firewall EC2 instances. 

Select the Listeners tab and it will show TCP:80 and TCP:443 listeners auto created.  

Click on Add listener and select the Protocol as TCP and enter the Port number 3389. 

In the Default action, select the newly created Target group in step 5.6 and click on Add. 

This will add a new listener to network load balancer, which means that it will also start accepting RDP traffic initiated from outside and will forward it to the target groups (autoscaling group of firewall EC2 instances). 

At this stage you will have RDP port opened from AWS Network Load Balancer and to get access of this server, copy the DNS name of the Network Load balancer from the Description tab. 

Now you should be able to get RDP access of the internal server and the traffic will be served via one of the firewall EC2 instances. 

Additional information related to autoscaling deployment 

If you have enabled CloudWatch integration in step 3.4 during the CloudFormation deployment stage, then all the logs of Sophos Firewall EC2 instances will be stored in CloudWatch log groups of your AWS account and you can find them by searching for /sophos/xg/ in the CloudWatch > Log groups section.

Sometimes the firewall EC2 instances maybe terminated depending upon the autoscaling trigger policy to maintain the dynamic nature of the load.

In the Sophos Central account, you may still see the firewall instances placed in the group that are already terminated in AWS account and this will not be auto removed from Sophos Central Firewall group. So, you need to delete the firewall instances manually.

This concludes the Sophos Firewall autoscaling in AWS deployment instructions of this article.

For any queries related to this deployment, please contact aws.marketplace@sophos.com.

Updated Disclaimer
[edited by: Erick Jan at 2:21 PM (GMT -7) on 17 Apr 2023]