Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Manually configure load-balancing on Azure

You can deploy and load-balance Sophos Firewall as a virtual machine on Microsoft Azure. The deployment involves the following steps:

  1. Configure the Azure portal.
  2. Configure Sophos Firewall.
  3. (Optional) Route the LAN subnet traffic to the internet through Sophos Firewall.

Azure portal configuration

To deploy Sophos Firewall on Azure, do as follows:

  1. Sign in to the Azure portal (https://portal.azure.com), and in the marketplace, click Create a resource under Azure services.

    Azure create a resource.

  2. Search for Sophos Firewall and select it.

    HA Azure marketplace search result.

  3. Click Create to proceed with the deployment.

    Azure create firewall.

  4. Select the subscription associated with the Azure portal account.

    1. Resource group: You can select an existing resource group or click Create new to create a new one.
    2. Region: Select the region closest to you.
    3. VM Name: Enter a name for the firewall.
    4. Password / Confirm password: Enter the password used by the default admin (username "admin") to sign in to Sophos Firewall. Enter the password again and click Next.

    Subscription details.

  5. Under License Type, select one of the following:

    1. PAYG: Enables consumption based on hourly billing through the Azure Marketplace.
    2. BYOL: Requires you to acquire a license from a Sophos reseller. Contact your Sophos account representative or email publiccloud@sophos.com for more information.
  6. Select the Virtual machine size. This is the size of the Sophos Firewall VM instance. The default size selected is 1x Standard F2s v2 (2 virtual CPUs, 4 GB memory) because it’s the minimum requirement for Sophos Firewall. Click Change size to change this as per your requirement.

    License details.

  7. In the Virtual Network section, you can choose an existing virtual network or create a new one.

    If you click Create new, a pop-up window appears. Do as follows:

    1. Enter a Name for the network.
    2. Enter an Address range. This is the IP address subnet of the entire virtual network and usually configured with a /16 CIDR.
    3. In the Subnets section, you can enter a name for the LAN and WAN networks and assign an IP address range to the subnets from the virtual network IP address range. This is generally configured with a /24 CIDR.

      Virtual network details.

  8. Click OK.

  9. Select the newly created subnets for the LAN subnet and WAN subnet of Sophos Firewall.

    Select LAN and WAN subnets.

  10. For the Public IP name, you can either select an existing public IP, or create a new one.

    If you click Create new, a pop-up window appears. Do as follows:

    1. Enter a name for the new Public IP address.
    2. Select the required SKU.
    3. Select the IP assignment type as either Dynamic or Static.
    4. Click OK.

      Create public IP name.

  11. Configure a unique domain name that you can use to access the web admin console and SSH console of the Sophos Firewall VM instance.

    Configure domain name.

  12. In the Storage Account section, you can choose the existing storage account or create a new one.

    If you click Create new, a pop-up window appears. Do as follows:

    1. Enter a unique name for the account.
    2. Under Account kind, select an account from the list. The default selected option is Storage (general purpose v1).
    3. Under Performance, you can either select Standard or Premium for the associated account.
    4. Under Replication, you can select either locally-redundant or geo-redundant. The default selected option is Locally-redundant(LRS).
    5. Click OK and then click Next: Review + create.

      Create storage account.

  13. After the validation check is successful, a summary of all the parameters associated with the Sophos Firewall instance is shown. After you review the summary, click Create to start the deployment of Sophos Firewall in your Azure portal account.

    Validation check.

  14. The deployment process takes a few minutes. When it’s successful, a confirmation message appears. Click Go to resource group to see the resources that have been deployed in your account along with the Sophos Firewall VM instance.

    Deployment successful.

  15. Click the Sophos Firewall VM name to see its properties.

    View VM properties.

  16. You can see the Public IP address and the DNS name associated with the Sophos Firewall VM instance. To copy the DNS name, click the copy icon.

    Copy DNS name.

Sophos Firewall web admin console configuration

  1. Open a new browser window and access Sophos Firewall on HTTPS port 4444 with the DNS name. Example: https://<DNS name>:4444.

  2. Enter the username as admin and the password you set up on Azure for the firewall (step 4 of the previous procedure), and then click Login.

  3. Accept the Sophos End User Terms of Use.

    Register your firewall appears.

  4. Select one of the options and click Continue.

    If your license type is BYOL, you can either register your Sophos Firewall by entering its serial number, start a 30-day trial that automatically generates a serial number for the firewall, or migrate an existing UTM 9 license.

    Register firewall.

    Claim your firewall with Sophos Central appears.

  5. Click Claim in Sophos Central.

    Select Claim in Sophos Central.

    You're redirected to Sophos Central. You'll be prompted to sign in if you're not signed in already.

    Claim firewall appears. You'll see the serial number and the Sophos Firewall model.

  6. Select Claim with 30 days Xstream Protection, Web Server Protection and Email Protection evaluation license, or Just claim the firewall with Base license.

  7. Click Claim firewall to start the license synchronization.

    Claim firewall.

    When the license synchronization process is completed, you'll see the modules for which you have subscriptions, and the expiry dates.

  8. Click Continue.

    Setup complete.

This will finish the deployment. You're redirected to the dashboard page of Sophos Firewall.

(Optional configuration) Routing the LAN subnet traffic to the internet via Sophos Firewall.

Warning

Before making the following changes, make sure you turn off the Sophos Firewall VM.

  1. In the Azure portal, go to the resource group where you've created the firewall and click PortA (the Sophos Firewall LAN interface). Go to Settings > IP Configurations and click ipconfig.

    Select IPconfig.

  2. Select the Assignment type as Static and click Save.

    Select static.

  3. In the Azure portal, search for Route table, select it, and click Add.

    Find route table.

  4. For Subscription, select the one associated with your azure account.

    • For Resource group, select the one where you've created the firewall.
    • Select the associated Region and enter a name for the route table.

    Then click Review + Create.

    Create route table.

  5. When the validation check passes, click Create.

    Save route table.

  6. Open the route table, go to Settings > Subnets, and click Associate.

    Associate subnets.

  7. Select the Virtual network created in step six and select its associated LAN subnet and then click OK.

    Select LAN subnet.

  8. In the same route table, go to Settings > Routes and click Add.

    Add route.

  9. Enter a Route name.

    • Keep the Address prefix as 0.0.0.0/0, which means the route will be applicable to any destination for traffic originating from the LAN network.
    • Select the Next hop type as Virtual appliance.
    • Enter the static IP address (shown in step twenty-five) of PortA as the Next hop address and click OK.

    Route settings.

    All traffic originating from the LAN subnet is now routed through PortA of Sophos Firewall.