
How to deploy Sophos Firewall on Amazon Web Services (AWS)

Sophos Firewall runs as a virtualized security appliance on an Amazon EC2 instance and deploys inline into an Amazon Virtual Private Cloud (VPC) to scan inbound and outbound traffic.

This information is provided as-is without any guarantees. If you require assistance with your specific AWS environment, contact Sophos Professional Services.

  1. Go to the Sophos AWS Marketplace Product page and choose the listing you want to use.

    Sophos Firewall is available for standalone deployment using both the BYOL and PAYG licensing methods. Free trial options are available for both license types.

    Sophos AWS Marketplace Product page.

  2. To subscribe to the software terms, click Continue to Subscribe.

    AWS subscription page.

  3. Click Continue to Configuration.

    AWS subscription confirmation page.

  4. Choose your configuration options. Under Fulfillment Option, select CloudFormation Template.

    Choose fulfillment option.

  5. Select your AWS region.

    Select AWS region.

  6. Click Launch, which redirects you to the AWS CloudFormation console.

    Launch the software.

  7. On the Create stack page, click Next.

    A CloudFormation template simplifies the process of deploying Sophos Firewall into an AWS account.

    As shown in the following screenshot, the AWS Marketplace listing page redirects you to the AWS CloudFormation console and starts a stack creation in your region of choice.

    On the AWS CloudFormation console, create a stack.

  8. On the Specify stack details page, enter a Stack name.

    If you want to use an existing Virtual Private Cloud (VPC), don't change the default parameters. If you want to create a new VPC, accept or change the default parameters for AMI ID, EC2 Instance size, Public Subnet Availability Zone, and Network Prefix.

    Specify stack name.

  9. Enter the required parameters such as the trusted network CIDR used to manage Sophos Firewall, select the pricing option you want to use (BYOL or PAYG), and enter the SSH key used for shell access to Sophos Firewall.

  10. If you're deploying into an existing VPC, enter the VPC ID, an existing public subnet ID, an existing private subnet ID, and choose to have the template create a new Elastic IP (EIP) address or utilize an existing available EIP address.

  11. Click Next.

    Specify stack parameters.

  12. Click Next and then click Create Stack.

    Stack creation typically takes from five to ten minutes. When stack creation is complete, the status changes to CREATE_COMPLETE. The Outputs tab shows the EIP address assigned to the Sophos Firewall. After stack creation, the EC2 instance may need additional time to complete startup before it's ready. You can see the status of the EC2 instance in the EC2 console. You can see details about the EC2 instance, including its physical ID, under the Resources tab.

    Stack creation is complete.

  13. When the EC2 instance is running, copy the assigned public IP address and use both HTTPS and the web admin port to begin initial configuration: https://PublicIPAddress:4444.

    By default, Sophos Firewall uses a locally-signed certificate, so your browser shows a warning message. After you go past the certificate warning, you see the Welcome to Sophos Firewall page.

  14. Click Click to begin at the bottom of the screen.

    Welcome to Sophos Firewall page.

    You're then prompted to perform basic configuration.

  15. Set a password for the default admin account used to sign in to the Sophos Firewall.

    Basic Sophos Firewall configuration.

  16. Configure a firewall name and choose the time zone.

    Add a Sophos Firewall name and time zone.

  17. Do one of the following to register your Sophos Firewall:

    • Enter an existing Sophos Firewall serial number.
    • Start a 30-day trial (which automatically generates a Sophos Firewall serial number).
    • Migrate an existing UTM 9 license.

    Register your Sophos Firewall.

    If you start a trial, you're redirected to the Sophos Firewall licensing portal, where a new serial number is generated.

    Sophos Firewall licensing portal welcome page.

    1. When complete, click Confirm Registration and Evaluation license.

      Confirm license on Sophos Firewall licensing portal.

    2. Click Initiate License Synchronization.

      License registration successful.

      Once the basic setup is complete, the license details are shown.

  18. Do one of the following:

    • If you want to configure advanced settings, click Continue.
    • Otherwise, click Skip to finish.

    Basic Sophos Firewall setup complete.


By default, only management access (web admin console and SSH access) is turned on for a firewall running in AWS. You must use AWS security group rules to allow access to the firewall from different locations or to access other firewall services, such as SSL VPN, IPsec, RED, user portal, or WAF. For example, to establish a RED tunnel with a firewall in AWS, add port 3410 to the AWS security group.
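
To check the security group after you change it, the following added example (not part of the Sophos documentation) audits a rule list in the shape that `aws ec2 describe-security-groups` returns under IpPermissions. It reports management access (ports 4444 and 22) allowed from outside the trusted network CIDR and lists who can reach a service port such as 3410. The sample rules, the function names, and the UDP protocol on the 3410 rule are assumptions made for illustration; rules whose source is another security group or a prefix list are not evaluated.

```python
import ipaddress

MGMT_PORTS = {4444: "web admin console", 22: "SSH"}  # management ports named on this page

# Constructed sample, shaped like one group's IpPermissions list.
# The page only says "port 3410"; UDP here is an assumption for the sample.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "udp", "FromPort": 3410, "ToPort": 3410,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": []},
]

def covers(perm, port, proto=None):
    """True if the rule admits traffic to `port` (IpProtocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return False  # ICMP reuses FromPort/ToPort for type and code
    if proto and perm["IpProtocol"] != proto:
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def sources(perm):
    """All IPv4 and IPv6 source CIDRs attached to a rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def inside(cidr, trusted):
    """True if `cidr` lies entirely within the trusted network."""
    net = ipaddress.ip_network(cidr)
    return net.version == trusted.version and net.subnet_of(trusted)

def audit_management(perms, trusted_cidr):
    """Return (port, service, source) for management access from outside trusted_cidr."""
    trusted = ipaddress.ip_network(trusted_cidr)
    return [(port, name, src)
            for perm in perms
            for port, name in MGMT_PORTS.items() if covers(perm, port, "tcp")
            for src in sources(perm) if not inside(src, trusted)]

def who_can_reach(perms, port):
    """Return (protocol, source) pairs allowed to reach `port`, e.g. 3410 for RED."""
    return [(perm["IpProtocol"], src)
            for perm in perms if covers(perm, port) for src in sources(perm)]

if __name__ == "__main__":
    for finding in audit_management(SAMPLE_RULES, "203.0.113.0/24"):
        print("management port exposed:", finding)
    print("port 3410 reachable from:", who_can_reach(SAMPLE_RULES, 3410))
```

Pass the same trusted network CIDR that you entered as a stack parameter when you deployed the firewall.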
