Amazon Web Services (AWS) FAQ

Do I need security solutions beyond what AWS provides?

AWS supports a shared responsibility model. While AWS actively manages the security of their cloud, you must manage and maintain the security of your applications and data in the AWS Cloud. For more information, see AWS Shared Responsibility.

Why use a third-party security solution when I can use AWS security groups or network Access Control Lists (ACLs) to protect my AWS workloads?

AWS security groups and network ACLs act as local firewalls for your hosts and VPC subnets. For more information, see Internetwork traffic privacy in Amazon VPC. As basic firewalls, they don't perform deep packet inspection to identify malware and intrusion attempts. They don't provide the granular control needed to protect user or application traffic. XG Firewall provides additional security features such as IPS, web filtering, web application firewall, VPN gateway, and Synchronized Security.

What is Sophos Synchronized Security?

When you deploy Sophos Intercept X advanced security agents and XG Firewall, you can guard against a compromised system becoming the entry point for further malicious activity. XG Firewall prevents a compromised AWS EC2 instance with Intercept X Advanced from communicating with other AWS EC2 instances or sending traffic to the internet. For more information, see Sophos Synchronized Security.

How is XG Firewall on AWS different from the XG Firewall that can be run on-premises or in local virtual environments?

XG Firewall on AWS offers the same features and benefits as XG Firewall running on-premises, but you can easily install and run it in the AWS Cloud. Currently, XG Firewall on AWS doesn't support high availability and must be deployed as a standalone appliance. XG Firewall on AWS also supports additional purchasing options, as described below.

XG Firewall on AWS licensing options

XG Firewall on AWS is available via the AWS Marketplace and can be purchased from a Sophos reseller or directly from the AWS Marketplace. Software licenses purchased from a Sophos reseller and used in AWS are referred to as Bring your own license (BYOL). When XG Firewall is purchased directly from the AWS Marketplace, it's referred to as Pay as you go (PAYG).

BYOL

You can purchase and use traditional term software licenses using the Sophos partner network. XG Firewall software licenses offer a variety of bundles, subscriptions, and support options. For more information, see XG licensing guide.

If you bring your own XG Firewall license for use in AWS, you don't pay AWS Marketplace software charges, but you're still billed by AWS for the EC2 instance used to run the XG Firewall software. For more information, see Sophos XG Firewall Standalone (BYOL). XG Firewall software licenses are provided in various CPU and RAM combinations, which can then be mapped to a supported EC2 instance, as shown below.

Table 1.

| Supported EC2 instance types | EC2 instance types CPU and RAM | EC2 instance types network throughput | Suggested Sophos XG license |
|---|---|---|---|
| t2.medium | 2 vCPU, 4 GB Memory | Low to Moderate | SFv2C4 |
| m3.large | 2 vCPU, 7 GB Memory | Moderate | SFv2C4 |
| m3.xlarge | 4 vCPU, 15 GB Memory | High | SFv4C6 |
| m3.2xlarge | 8 vCPU, 30 GB Memory | High | SFv8C16 |
| m4.large | 2 vCPU, 8 GB Memory | Moderate | SFv2C4 |
| m4.xlarge | 4 vCPU, 16 GB Memory | High | SFv4C6 |
| m4.2xlarge | 8 vCPU, 32 GB Memory | High | SFv8C16 |
| c3.xlarge | 4 vCPU, 7.5 GB Memory | Moderate | SFv4C6 |
| c3.2xlarge | 8 vCPU, 15 GB Memory | High | SFv8C16 |
| c3.4xlarge | 16 vCPU, 30 GB Memory | High | SFv16C24 |
| c3.8xlarge | 32 vCPU, 60 GB Memory | Very High (10 Gig Ethernet) | SFvUNL |
| c4.large | 2 vCPU, 3.75 GB Memory | Moderate | SFv2C4 |
| c4.xlarge | 4 vCPU, 7.5 GB Memory | High | SFv4C6 |
| c4.2xlarge | 8 vCPU, 15 GB Memory | High | SFv8C16 |
| c4.4xlarge | 16 vCPU, 30 GB Memory | High | SFv16C24 |
| c4.8xlarge | 36 vCPU, 60 GB Memory | Very High (10 Gig Ethernet) | SFvUNL |

PAYG

If you don't want to purchase a traditional term license or want to purchase directly from AWS, you can use the Pay as you go licensing option. This method provides all XG Firewall functionality (FullGuard) for an additional hourly software charge, which is added to the cost of the EC2 instance used to run XG Firewall. You'll see this additional charge on your monthly AWS bill. You can stop charges at any time by removing any XG Firewall instances from your AWS account. Sophos also supports the AWS Private offers program, which allows customers and partners to negotiate custom pricing and terms. Contact your Sophos sales representative for more information.

Are XG Firewall free trials available for AWS?

Both the PAYG and BYOL licensing options allow for XG Firewall free trials. PAYG trials are provided directly from AWS Marketplace and are available for 30 days. After the first month, AWS automatically starts charging for any XG PAYG usage incurred. If you have a BYOL license, you can start a trial during the initial configuration or get a trial license from the Sophos free trial link.

Can I migrate my UTM license to XG Firewall?

You can convert your UTM production license into an XG Firewall license. For more information, see How to convert an SG appliance to an XG appliance with SFOS.

Can I use an existing XG Firewall license for a new XG Firewall on AWS?

XG Firewall license transfers are only supported under certain circumstances. For more information, see License transfer.

Are there any prerequisites to deploy XG Firewall on AWS?

For both BYOL and PAYG XG on AWS deployments, you must first accept the AWS Marketplace software terms and subscribe to the software. You can do this from the XG Firewall on AWS listing pages.