Manually configure load-balancing on Azure
You can deploy and load-balance Sophos Firewall as a virtual machine on Microsoft Azure. The deployment involves the following steps:
- Configure the Azure portal.
- Configure Sophos Firewall.
- (Optional) Route the LAN subnet traffic to the internet through Sophos Firewall.
Azure portal configuration
To deploy Sophos Firewall on Azure, do as follows:
- Sign in to the Azure portal (https://portal.azure.com), and in the marketplace, click Create a resource under Azure services.
- Search for Sophos Firewall and select it.
- Click Create to proceed with the deployment.
- Select the subscription associated with the Azure portal account.
- Resource group: You can select an existing resource group or click Create new to create a new one.
- Region: Select the region closest to you.
- VM Name: Enter a name for the firewall.
- Password / Confirm password: Enter the password used by the default admin (username "admin") to sign in to Sophos Firewall. Enter the password again and click Next.
- Under License Type, select one of the following:
- PAYG: Enables consumption based on hourly billing through the Azure Marketplace.
- BYOL: Requires you to acquire a license from a Sophos reseller. Contact your Sophos account representative or email publiccloud@sophos.com for more information.
- Select the Virtual machine size. This is the size of the Sophos Firewall VM instance. The default size selected is 1x Standard F2s v2 (2 virtual CPUs, 4 GB memory) because it’s the minimum requirement for Sophos Firewall. Click Change size to change this as per your requirement.
- In the Virtual Network section, you can choose an existing virtual network or create a new one.
If you click Create new, a pop-up window appears. Do as follows:
- Enter a Name for the network.
- Enter an Address range. This is the IP address subnet of the entire virtual network and usually configured with a /16 CIDR.
- In the Subnets section, you can enter a name for the LAN and WAN networks and assign an IP address range to the subnets from the virtual network IP address range. This is generally configured with a /24 CIDR.
- Click OK.
- Select the newly created subnets for the LAN subnet and WAN subnet of Sophos Firewall.
- For the Public IP name, you can either select an existing public IP, or create a new one.
If you click Create new, a pop-up window appears. Do as follows:
- Configure a unique domain name that you can use to access the web admin console and SSH console of the Sophos Firewall VM instance.
- In the Storage Account section, you can choose the existing storage account or create a new one.
If you click Create new, a pop-up window appears. Do as follows:
- Enter a unique name for the account.
- Under Account kind, select an account from the list. The default selected option is Storage (general purpose v1).
- Under Performance, you can either select Standard or Premium for the associated account.
- Under Replication, you can select either locally-redundant or geo-redundant. The default selected option is Locally-redundant (LRS).
- Click OK and then click Next: Review + create.
- After the validation check is successful, a summary of all the parameters associated with the Sophos Firewall instance is shown. After you review the summary, click Create to start the deployment of Sophos Firewall in your Azure portal account.
- The deployment process takes a few minutes. When it’s successful, a confirmation message appears. Click Go to resource group to see the resources that have been deployed in your account along with the Sophos Firewall VM instance.
- Click the Sophos Firewall VM name to see its properties.
- You can see the Public IP address and the DNS name associated with the Sophos Firewall VM instance. To copy the DNS name, click the copy icon.
Sophos Firewall web admin console configuration
- Open a new browser window and access Sophos Firewall on HTTPS port 4444 with the DNS name. Example: https://<DNS name>:4444.
- Enter the username as admin and the password you set up on Azure for the firewall (step 4 of the previous procedure), and then click Login.
- Accept the Sophos End User Terms of Use.
Register your firewall appears.
- Select one of the options and click Continue.
If your license type is BYOL, you can either register your Sophos Firewall by entering its serial number, start a 30-day trial that automatically generates a serial number for the firewall, or migrate an existing UTM 9 license.
Claim your firewall with Sophos Central appears.
- Click Claim in Sophos Central.
You're redirected to Sophos Central. You'll be prompted to sign in if you're not signed in already.
Claim firewall appears. You'll see the serial number and the Sophos Firewall model.
- Select Claim with 30 days Xstream Protection, Web Server Protection and Email Protection evaluation license, or Just claim the firewall with Base license.
- Click Claim firewall to start the license synchronization.
When the license synchronization process is completed, you'll see the modules for which you have subscriptions, and the expiry dates.
- Click Continue.
This will finish the deployment. You're redirected to the dashboard page of Sophos Firewall.
(Optional configuration) Routing the LAN subnet traffic to the internet via Sophos Firewall.
Warning: Before making the following changes, make sure you turn off the Sophos Firewall VM.
- In the Azure portal, go to the resource group where you've created the firewall and click PortA (the Sophos Firewall LAN interface). Go to Settings > IP Configurations and click ipconfig.
- Select the Assignment type as Static and click Save.
- In the Azure portal, search for Route table, select it, and click Add.
- For Subscription, select the one associated with your Azure account.
- For Resource group, select the one where you've created the firewall.
- Select the associated Region and enter a name for the route table.
Then click Review + Create.
- When the validation check passes, click Create.
- Open the route table, go to Settings > Subnets, and click Associate.
- Select the Virtual network created in step six and select its associated LAN subnet and then click OK.
- In the same route table, go to Settings > Routes and click Add.
- Enter a Route name.
- Keep the Address prefix as 0.0.0.0/0, which means the route will be applicable to any destination for traffic originating from the LAN network.
- Select the Next hop type as Virtual appliance.
- Enter the static IP address (shown in step twenty-five) of PortA as the Next hop address and click OK.
All traffic originating from the LAN subnet is now routed through PortA of Sophos Firewall.
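The routing configured above can be checked from the JSON that Azure returns for the route table and the PortA interface, so a missing association or a wrong next hop does not leave the LAN subnet bypassing the firewall unnoticed. This check is an added example, not part of the original Sophos procedure. The field names assume the shape of `az network route-table show` and `az network nic show` output, and all IDs, names and addresses are constructed.

```python
import ipaddress

def check_lan_default_route(route_table, nic, lan_subnet_id, lan_cidr):
    """Return a list of findings; an empty list means the LAN subnet's
    default route goes through the firewall's PortA."""
    findings = []
    ipconf = nic["ipConfigurations"][0]
    port_a_ip = ipconf["privateIPAddress"]
    # A Dynamic address can change and strand the route's next hop.
    if ipconf["privateIPAllocationMethod"] != "Static":
        findings.append("PortA assignment is not Static")
    if ipaddress.ip_address(port_a_ip) not in ipaddress.ip_network(lan_cidr):
        findings.append("PortA address is outside the LAN subnet")
    # A route table only affects subnets it is associated with.
    # Azure resource IDs are case-insensitive, so compare lowercased.
    associated = {s["id"].lower() for s in route_table.get("subnets") or []}
    if lan_subnet_id.lower() not in associated:
        findings.append("route table is not associated with the LAN subnet")
    defaults = [r for r in route_table.get("routes") or []
                if r["addressPrefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("no 0.0.0.0/0 route")
    for r in defaults:
        if r["nextHopType"] != "VirtualAppliance":
            findings.append(f"route {r['name']}: next hop type is {r['nextHopType']}")
        elif r.get("nextHopIpAddress") != port_a_ip:
            findings.append(f"route {r['name']}: next hop is not PortA ({port_a_ip})")
    return findings

# Constructed sample data (hypothetical subscription, names and addresses).
LAN_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/"
          "subnets/LAN")
LAN_CIDR = "10.0.1.0/24"
STATIC_NIC = {"ipConfigurations": [
    {"privateIPAddress": "10.0.1.4", "privateIPAllocationMethod": "Static"}]}
DYNAMIC_NIC = {"ipConfigurations": [
    {"privateIPAddress": "10.0.1.4", "privateIPAllocationMethod": "Dynamic"}]}
GOOD_TABLE = {"subnets": [{"id": LAN_ID}], "routes": [
    {"name": "default-via-fw", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}]}
BAD_TABLE = {"subnets": [], "routes": [
    {"name": "default", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "Internet", "nextHopIpAddress": None}]}

if __name__ == "__main__":
    for finding in check_lan_default_route(BAD_TABLE, DYNAMIC_NIC, LAN_ID, LAN_CIDR):
        print("FINDING:", finding)
```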