Amazon Web Services (AWS) FAQ
Do I need security solutions beyond what AWS provides?
AWS supports a shared responsibility model. While AWS actively manages the security of their cloud, you must manage and maintain the security of your applications and data in the AWS Cloud. For more information, see AWS Shared Responsibility.
Why use a third-party security solution when I can use AWS security groups or network Access Control Lists (ACLs) to protect my AWS workloads?
AWS security groups and network ACLs act as local firewalls for your hosts and VPC subnets. For more information, see Internetwork traffic privacy in Amazon VPC. As basic firewalls, they don't perform deep packet inspection to identify malware and intrusion attempts. They don't provide the granular control needed to protect user or application traffic. Sophos Firewall provides additional security features such as IPS, web filtering, web application firewall, VPN gateway, and Synchronized Security.
What is Sophos Synchronized Security?
When you deploy Sophos Intercept X advanced security agents and Sophos Firewall, you can guard against a compromised system becoming the entry for further malicious activity. Sophos Firewall prevents a compromised AWS EC2 instance with Intercept X Advanced from communicating with other AWS EC2 instances or sending traffic to the internet. For more information, see Sophos Synchronized Security.
How is Sophos Firewall on AWS different than the Sophos Firewall that can be run on-premise or in local virtual environments?
Sophos Firewall on AWS offers the same features and benefits as Sophos Firewall running on-premises, but you can easily install and run it in the AWS Cloud. Currently, Sophos Firewall on AWS doesn't support high availability, and you must deploy it as a standalone appliance. Sophos Firewall on AWS also supports additional purchasing options, as described below.
Sophos Firewall on AWS licensing options
Sophos Firewall on AWS is available via the AWS Marketplace and can be purchased from a Sophos reseller or directly from the AWS Marketplace. Software licenses purchased from a Sophos reseller and used in AWS are referred to as Bring your own license (BYOL). If Sophos Firewall is purchased directly from the AWS Marketplace, it's referred to as Pay as you go (PAYG).
You can purchase and use traditional term software licenses using the Sophos partner network. Sophos Firewall software licenses offer a variety of bundles, subscriptions, and support options. For more information, see XG licensing guide.
If you bring your own Sophos Firewall license for use in AWS, you don't pay AWS Marketplace software charges, but AWS still bills you for the EC2 instance used to run the Sophos Firewall software. For more information, see Sophos XG Firewall Standalone (BYOL). Sophos Firewall software licenses are available in various CPU and RAM combinations. You can map these to a supported EC2 instance as follows:
|Supported EC2 instance types||EC2 instance types CPU and RAM||EC2 instance types network throughput||Suggested Sophos XG Firewall license|
|t2.medium||2 vCPU 4 GB Memory||Low to Moderate||SFv2C4|
|m3.large||2 vCPU 7 GB Memory||Moderate||SFv2C4|
|m3.xlarge||4vCPU 15 GB Memory||High||SFv4C6|
|m3.2xlarge||8vCPU 30 GB Memory||High||SFv8C16|
|m4.large||2vCPU 8 GB Memory||Moderate||SFv2C4|
|m4.xlarge||4vCPU 16 GB Memory||High||SFv4C6|
|m4.2xlarge||8vCPU 32 GB Memory||High||SFv8C16|
|c3.xlarge||4vCPU 7.5 GB Memory||Moderate||SFv4C6|
|c3.2xlarge||8vCPU 15 GB Memory||High||SFv8C16|
|c3.4xlarge||16vCPU 30 GB Memory||High||SFv16C24|
|c3.8xlarge||32vCPU 60 GB Memory||Very High (10 Gig Ethernet)||SFvUNL|
|c4.large||2vCPU 3.75 GB Memory||Moderate||SFv2C4|
|c4.xlarge||4vCPU 7.5 GB Memory||High||SFv4C6|
|c4.2xlarge||8vCPU 15 GB Memory||High||SFv8C16|
|c4.4xlarge||16vCPU 30 GB Memory||High||SFv16C24|
|c4.8xlarge||36vCPU 60 GB Memory||Very High (10 Gig Ethernet)||SFvUNL|
If you don't want to purchase a traditional term license or want to purchase directly from AWS, you can use the Pay as you go licensing option. This method provides all Sophos Firewall functionality (FullGuard) for an additional hourly software charge, which is added together with the cost of the EC2 instance used to run Sophos Firewall. You'll see this additional charge on your monthly AWS bill. You can stop charges at any time by removing any Sophos Firewall instances from your AWS account. Sophos also supports the AWS Private offers program, which allows customers and partners to negotiate custom pricing and terms. Contact your Sophos sales representative for more information.
The PAYG licensing option may not be available in your country. If the PAYG licensing option isn't available in your country, you can use the BYOL option.
Are Sophos Firewall free trials available for AWS?
Both the PAYG and BYOL licensing options allow for Sophos Firewall free trials. PAYG trials are provided directly from AWS Marketplace and are available for 30 days. After the first month, AWS automatically starts charging for any XG PAYG usage incurred. If you have a BYOL license, you can start a trial during the initial configuration or get a trial license from the Sophos free trial link.
Can I migrate my UTM license to Sophos Firewall?
You can convert your UTM production license into a Sophos Firewall license. For more information, see How to convert an SG appliance to an XG appliance with SFOS.
Can I use an existing Sophos Firewall license for a new Sophos Firewall on AWS?
Sophos Firewall license transfers are only supported under certain circumstances. For more information, see License transfer.
Are there any prerequisites to deploy Sophos Firewall on AWS?
For both BYOL and PAYG XG on AWS deployments, you must first accept the AWS Marketplace software terms and subscribe to the software. You can do this from the Sophos Firewall on AWS listing pages.