Skip to content

Manually configure HA in Azure

You can deploy Sophos Firewall in HA mode as a virtual machine on Microsoft Azure. The deployment involves the following configurations:

  1. Azure portal configuration.
  2. Sophos Firewall web admin console configuration.
  3. Optionally, routing the LAN subnet traffic to the internet through Sophos Firewall.

Azure portal configuration

To deploy Sophos Firewall on Azure, do as follows:

  1. Sign in to the Azure portal (, and in the marketplace, click Create a resource under Azure services.

    Azure create a resource

  2. Search for Sophos Firewall and click it in the search results.

    HA Azure marketplace search result

  3. Click Create to proceed with the deployment.

    Azure create firewall

  4. Select the subscription associated with the Azure portal account.

    1. Resource group: You can select an existing resource group or click Create new to create a new one.
    2. Region: Select the region closest to you.
    3. VM Name: Enter a name for the firewall.
    4. Password / Confirm password: Enter the password used by the default admin (username "admin") to sign in to Sophos Firewall. Enter the password again and then click Next.

    Subscription details

  5. Under License Type, you can select either BYOL or PAYG for the Sophos Firewall instance.

    1. PAYG licensing enables consumption based hourly billing through the Azure Marketplace.
    2. BYOL licensing requires you to acquire a license from a Sophos reseller. Contact your Sophos account representative or email for more information.
    3. Virtual machine size: This is the size of the Sophos Firewall VM instance. The default size selected is 1x Standard F2s v2 (2 virtual CPUs, 4 GB memory) as it’s the minimum requirement for Sophos Firewall. You can change this size as per your requirement by clicking Change size.

    License details

  6. In the Virtual Network section, you can choose an existing virtual network or create a new one.

    • After clicking Create new, a pop-up window appears. Enter a name for the virtual network.
    • Address range: This is the IP address subnet of the entire virtual network and usually configured with a /16 CIDR.
    • In the Subnets section, you can enter a name for the LAN and WAN networks and assign an IP address range to the subnets from the virtual network IP address range. This is generally configured with a /24 CIDR.

    Virtual network details

  7. Click OK.

  8. Select the newly created subnets for the LAN subnet and WAN subnet of Sophos Firewall.

    Select LAN and WAN subnets

  9. For the Public IP name, you can either select an existing public IP, or create a new one.

    • After clicking Create new, a new pop-up window appears. Enter a name for the new public IP address, select the required SKU, select the IP assignment type as either Dynamic or Static, and click OK.

    Create public IP name

  10. Configure a unique domain name that you can use to access the web admin console and SSH console of the Sophos Firewall VM instance.

    Configure domain name

  11. In the Storage Account section, you can choose the existing storage account or create a new one.

    • After clicking Create new, a pop-up window appears. Enter a unique name for the storage account.
    • Account kind: Select a storage account from the list. The default selected option is Storage (general purpose v1).
    • Performance: You can either select Standard or Premium for the associated storage account.
    • Replication: To replicate the storage account, you can either select locally-redundant storage or geo-redundant storage. The default selected option is Locally-redundant(LRS).
    • Once you've selected these parameters, click OK and then click Next: Review + create.

    Create storage account

  12. After the validation check is successful, a summary of all the parameters associated with the Sophos Firewall instance is shown. After you review the summary, click Create to start the deployment of Sophos Firewall in your Azure portal account.

    Validation check

  13. The deployment process takes a few minutes. Once it’s successful, a confirmation message appears. Click Go to resource group to see the resources that have been deployed in your account along with the Sophos Firewall VM instance.

    Deployment successful

  14. Click the Sophos Firewall VM name to see its properties.

    View VM properties

  15. You can see the Public IP address and the DNS name associated with the Sophos Firewall VM instance. To copy the DNS name, click the copy icon.

    Copy DNS name

Sophos Firewall web admin console configuration

  1. Open a new browser window and access Sophos Firewall on HTTPS port 4444 with the DNS name. Example: https://<DNS name>:4444.

  2. Enter the username as admin and the password you set up in Azure for the firewall (step 4 of the previous procedure), and then click Login.

  3. Click I accept to accept the End-User License Agreement (EULA).

  4. If your license type is BYOL, you can either register your Sophos Firewall by entering its serial number, start a 30-day trial that automatically generates a serial number for the firewall, or migrate an existing UTM 9 license.

    • Select an appropriate option and click Continue.

    Register firewall

  5. You're redirected to the MySophos portal for the Sophos Firewall registration process wherein you can select the create Sophos ID option for a new account or select Sign In to use an existing account.

  6. Click Sign In.

    MySophos select sign in

  7. Enter the email ID and password of the existing MySophos account.

    Sign-in existing account

  8. Verify the captcha then click Continue.

    Verify Captcha

  9. You'll see the serial number and the Sophos Firewall model. Click Confirm Registration to initiate the license synchronization.

    Confirm registration

  10. Once the license synchronization process is completed, you'll see the modules for which you have subscriptions, and the expiry dates. Click Continue.

    Setup complete

This will finish the deployment and redirect you to the dashboard page of Sophos Firewall.

(Optional configuration) Routing the LAN subnet traffic to the internet via Sophos Firewall.


Before making the following changes, make sure you turn off the Sophos Firewall VM.

  1. In the Azure portal, go to the resource group where you've created the firewall and click PortA (the Sophos Firewall LAN interface). Go to Settings > IP Configurations and click ipconfig.

    Select IPconfig

  2. Select the Assignment type as Static and click Save.

    Select static

  3. In the Azure portal, search for Route table, select it, and click Add.

    Find route table

  4. For Subscription, select the one associated with your azure account.

    • For Resource group, select the one where you've created the firewall.
    • Select the associated Region and enter a name for the route table.

    Then click Review + Create.

    Create route table

  5. Once the validation check passes, click Create.

    Save route table

  6. Open the route table, go to Settings > Subnets, and click Associate.

    Associate subnets

  7. Select the Virtual network created in step six and select its associated LAN subnet and then click OK.

    Select LAN subnet

  8. In the same route table, go to Settings > Routes and click Add.

    Add route

  9. Enter a route name.

    • Keep the Address prefix as, which means the route will be applicable to any destination for traffic originating from the LAN network.
    • Select the Next hop type as virtual appliance.
    • Enter the static IP address (shown in step twenty-five) of PortA as the Next hop address and click OK.

    Route settings

    All traffic originating from the LAN subnet is now routed through PortA of Sophos Firewall.

Back to top