How to deploy XG Firewall on Amazon Web Services (AWS)

XG Firewall is provided as a virtualized security appliance that runs on an Amazon EC2 instance and deploys inline into an Amazon Virtual Private Cloud (VPC) to scan traffic entering and leaving.

This information is provided as-is without any guarantees. If you require assistance with your specific AWS environment, contact Sophos Professional Services.

  1. Go to the Sophos AWS Marketplace Product page and choose which listing you want to use.

    XG Firewall is available for standalone deployment using both the BYOL and PAYG licensing methods. Free trial options are available for both license types.


    Sophos AWS Marketplace Product page
  2. To subscribe to the software terms, click Continue to Subscribe.

    AWS subscription page
  3. Then click Continue to Configuration.

    AWS subscription confirmation page
  4. Choose your configuration options. Under Fulfillment Option, select the CloudFormation Template.

    Choose fulfillment option
  5. Select your AWS region.

    Select AWS region
  6. Click Launch, which will redirect you to the AWS CloudFormation console.

    Launch the software
  7. On the Create stack page, click Next.

    A CloudFormation template is used to simplify the process of deploying XG Firewall into an AWS account. The AWS Marketplace listing page redirects to the AWS CloudFormation console and starts a stack creation in your region of choice, as shown below.


    On the AWS CloudFormation console create a stack
  8. On the Specify stack details page, enter a Stack name.

    If you want to use an existing Virtual Private Cloud (VPC), leave the default parameters. If you want to create a new VPC, accept or change the default parameters for AMI ID, EC2 Instance size, Public Subnet Availability Zone, and Network Prefix.


    Specify stack name
  9. Enter the required parameters such as the trusted network CIDR used to manage XG Firewall, select the pricing option you wish to use (BYOL or PAYG), and enter the SSH key used for shell access to XG Firewall.
  10. If deploying into an existing VPC, enter the VPC ID, an existing public subnet ID, an existing private subnet ID, and choose to have the template create a new Elastic IP (EIP) or utilize an existing available EIP.
  11. Once all information is entered, click Next to continue.

    Specify stack parameters
  12. Click Next and then click Create Stack.

    Stack creation normally takes from five to ten minutes. When stack creation is complete, the status changes to CREATE_COMPLETE, as shown below. The Outputs tab shows the EIP assigned to the XG Firewall. After stack creation, the EC2 instance may need additional time to complete startup before it's ready. You can see the status of the EC2 instance in the EC2 Console. You can see details about the EC2 instance, including its physical ID under the Resources tab.


    Stack creation is complete
  13. When the EC2 Instance is running, copy the assigned Public IP and use both https and the web admin port to begin initial configuration: https://PublicIPAddress:4444.

    By default, XG Firewall uses a self-signed certificate so your browser will show a warning message. Once you go past the certificate warning, you see the Welcome to Sophos XG Firewall page.

  14. Click Click to begin at the bottom of the screen.

    Welcome to Sophos XG Firewall page

    You're then prompted to perform basic configuration.

  15. Set a password for the default admin account used to sign in to the XG Firewall.

    Basic XG configuration
  16. Configure a firewall name and choose the time zone.

    Add an XG name and time zone
  17. Register your XG Firewall by taking one of the following actions:
    • Enter an existing XG Firewall serial number.
    • Start a 30-day trial (which will automatically generate an XG Firewall serial number).
    • Migrate an existing UTM 9 license.

    Register your XG

    If you start a trial, you're redirected to the Sophos XG licensing portal, where a new serial number is generated.


    XG licensing portal welcome page
    1. When complete, click Confirm Registration and Evaluation license.

      Confirm license on XG licensing portal
    2. Click Initiate License Synchronization.

      License registration successful

      Once the basic setup is complete, the license details are shown.

  18. If you want to configure advanced settings, click Continue. For AWS deployments, you only need to click Skip to finish.

    Basic XG setup complete