Skip to content

Amazon Web Services (AWS) FAQ

Do I need security solutions beyond what AWS provides?

AWS supports a shared responsibility model. While AWS actively manages the security of their cloud, you must manage and maintain the security of your applications and data in the AWS Cloud. For more information, see AWS Shared Responsibility.

Why use a third-party security solution when I can use AWS security groups or network Access Control Lists (ACLs) to protect my AWS workloads?

AWS security groups and network ACLs act as local firewalls for your hosts and VPC subnets. For more information, see Internetwork traffic privacy in Amazon VPC. As basic firewalls, they don't perform deep packet inspection to identify malware and intrusion attempts. They don't provide the granular control needed to protect user or application traffic. Sophos Firewall provides additional security features such as IPS, web filtering, web application firewall, VPN gateway, and Synchronized Security.

What is Sophos Synchronized Security?

When you deploy Sophos Intercept X advanced security agents and Sophos Firewall, you can guard against a compromised system becoming the entry for further malicious activity. Sophos Firewall prevents a compromised AWS EC2 instance with Intercept X Advanced from communicating with other AWS EC2 instances or sending traffic to the internet. For more information, see Sophos Synchronized Security.

How is Sophos Firewall on AWS different than the Sophos Firewall that can be run on-premise or in local virtual environments?

Sophos Firewall on AWS offers the same features and benefits as Sophos Firewall running on-premises, but you can easily install and run it in the AWS Cloud. Currently, Sophos Firewall on AWS doesn't support high availability, and you must deploy it as a standalone appliance. Sophos Firewall on AWS also supports additional purchasing options, as described below.

Sophos Firewall on AWS licensing options

Sophos Firewall on AWS is available via the AWS Marketplace and can be purchased from a Sophos reseller or directly from the AWS Marketplace. Software licenses purchased from a Sophos reseller and used in AWS are referred to as Bring your own license (BYOL). If Sophos Firewall is purchased directly from the AWS Marketplace, it's referred to as Pay as you go (PAYG).

BYOL

You can purchase and use traditional term software licenses using the Sophos partner network. Sophos Firewall software licenses offer a variety of bundles, subscriptions, and support options. For more information, see XG licensing guide.

If you bring your own Sophos Firewall license for use in AWS, you don't pay AWS Marketplace software charges, but AWS still bills you for the EC2 instance used to run the Sophos Firewall software. For more information, see Sophos XG Firewall Standalone (BYOL). Sophos Firewall software licenses are available in various CPU and RAM combinations. You can map these to a supported EC2 instance as follows:

Supported EC2 instance types EC2 instance types CPU and RAM EC2 instance types network throughput Suggested Sophos Firewall license
t2.medium 2 vCPU 4 GB Memory Low to Moderate SFv2C4
m3.large 2 vCPU 7 GB Memory Moderate SFv2C4
m3.xlarge 4vCPU 15 GB Memory High SFv4C6
m3.2xlarge 8vCPU 30 GB Memory High SFv8C16
m4.large 2vCPU 8 GB Memory Moderate SFv2C4
m4.xlarge 4vCPU 16 GB Memory High SFv4C6
m4.2xlarge 8vCPU 32 GB Memory High SFv8C16
c3.xlarge 4vCPU 7.5 GB Memory Moderate SFv4C6
c3.2xlarge 8vCPU 15 GB Memory High SFv8C16
c3.4xlarge 16vCPU 30 GB Memory High SFv16C24
c3.8xlarge 32vCPU 60 GB Memory Very High (10 Gig Ethernet) SFvUNL
c4.large 2vCPU 3.75 GB Memory Moderate SFv2C4
c4.xlarge 4vCPU 7.5 GB Memory High SFv4C6
c4.2xlarge 8vCPU 15 GB Memory High SFv8C16
c4.4xlarge 16vCPU 30 GB Memory High SFv16C24
c4.8xlarge 36vCPU 60 GB Memory Very High (10 Gig Ethernet) SFvUNL
PAYG

If you don't want to purchase a traditional term license or want to purchase directly from AWS, you can use the Pay as you go licensing option. This method provides all Sophos Firewall functionality (FullGuard) for an additional hourly software charge, which is added together with the cost of the EC2 instance used to run Sophos Firewall. You'll see this additional charge on your monthly AWS bill. You can stop charges at any time by removing any Sophos Firewall instances from your AWS account. Sophos also supports the AWS Private offers program, which allows customers and partners to negotiate custom pricing and terms. Contact your Sophos sales representative for more information.

Note

The PAYG licensing option may not be available in your country. If the PAYG licensing option isn't available in your country, you can use the BYOL option.

Are Sophos Firewall free trials available for AWS?

Both the PAYG and BYOL licensing options allow for Sophos Firewall free trials. PAYG trials are provided directly from AWS Marketplace and are available for 30 days. After the first month, AWS automatically starts charging for any Sophos Firewall PAYG usage incurred. If you have a BYOL license, you can start a trial during the initial configuration or get a trial license from the Sophos free trial link.

Can I migrate my UTM license to Sophos Firewall?

You can convert your UTM production license into a Sophos Firewall license. For more information, see How to convert an SG appliance to an XG appliance with SFOS.

Can I use an existing Sophos Firewall license for a new Sophos Firewall on AWS?

Sophos Firewall license transfers are only supported under certain circumstances. For more information, see License transfer.

Are there any prerequisites to deploy Sophos Firewall on AWS?

For both BYOL and PAYG Sophos Firewall on AWS deployments, you must first accept the AWS Marketplace software terms and subscribe to the software. You can do this from the Sophos Firewall on AWS listing pages.