IT, Cloud, Windows Etc


Sunday 18 June 2017

Sophos XG Firewall Setup on Hyper-V

The Sophos XG Firewall is a powerful next-generation firewall, and it works well in a virtualized environment. You can find more information about Sophos XG Firewall on the Sophos website.

On Hyper-V the XG firewall runs as a Generation 1 VM. It supports VLANs in access or trunk mode and VMQ, and you can give it up to 8 network adapters. If you need more interfaces, use VLAN trunking to create additional virtual interfaces on the firewall side.

There are two ways to create an XG firewall VM: use the ready-to-use VHD files, or install it from the ISO.

I will cover only the first one.

First, we need to design the network. We need at least three network adapters: one for the admin network used for the first setup, one for the WAN connection and one for the LAN connection.

The first one is used during setup to configure the firewall. It must be on a separate network: the firewall comes up on 172.16.16.0/24 (its own address is 172.16.16.16), so the machine you run the browser on must have an address in that subnet and a path to this network.

The WAN adapter must be bound to a virtual switch with Internet access. It is important that the firewall can reach the Internet during setup, as the setup wizard registers the device.

The LAN adapter can be bound to any virtual switch and configured as you need. Remember, though, that by default a Hyper-V VM network adapter drops frames whose source MAC differs from the adapter's own (MAC address spoofing is off), so you will have to enable MAC address spoofing on that adapter.

Be aware that the order of the network adapters matters: the first adapter (eth0) is used for the initial setup, the second (eth1) for external access.
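The setup script below assumes the three virtual switches already exist and that the parent partition can reach the admin network. The following is an added example (not code from the original post) that builds those switches with the right types and gives the host an address in the setup subnet. It must be run locally on the Hyper-V host as an administrator; the uplink names "Ethernet 2" and "Ethernet 3" and the host address 172.16.16.2 are assumptions to replace with your own.

```powershell
# Added example: create the vSwitches the XG setup script expects.
# Assumptions: run on the Hyper-V host itself; "Ethernet 2" / "Ethernet 3"
# are placeholder physical NIC names; 172.16.16.2 is any free address in
# the firewall's setup subnet other than its own 172.16.16.16.
$AdminSwitch = "admin"
$WanSwitch   = "Wan"
$LanSwitch   = "lan"
$WanUplink   = "Ethernet 2"    # assumption: NIC with Internet access
$LanUplink   = "Ethernet 3"    # assumption: NIC on the internal network
$HostAdminIP = "172.16.16.2"   # assumption: host address on the admin network

# Admin/setup network: an internal switch is enough, only the parent
# partition and the firewall VM need to be on it.
if (-not (Get-VMSwitch -Name $AdminSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $AdminSwitch -SwitchType Internal | Out-Null
}

# WAN: external switch on the Internet-facing NIC. -AllowManagementOS $false
# keeps the parent partition off the untrusted side of the firewall.
if (-not (Get-VMSwitch -Name $WanSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $WanSwitch -NetAdapterName $WanUplink -AllowManagementOS $false | Out-Null
}

# LAN: external switch on the internal NIC (management OS left off here too;
# change to $true if the host should sit behind the firewall on this segment).
if (-not (Get-VMSwitch -Name $LanSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $LanSwitch -NetAdapterName $LanUplink -AllowManagementOS $false | Out-Null
}

# The internal switch creates a "vEthernet (admin)" adapter in the parent
# partition; give it a static address in the firewall's setup subnet.
$vEth = Get-NetAdapter -Name "vEthernet ($AdminSwitch)"
$have = Get-NetIPAddress -InterfaceIndex $vEth.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $HostAdminIP }
if (-not $have) {
    New-NetIPAddress -InterfaceIndex $vEth.ifIndex -IPAddress $HostAdminIP -PrefixLength 24 | Out-Null
}

# Sanity check: WAN and LAN must be external (they need a real uplink) and
# the admin switch internal.
Get-VMSwitch -Name $AdminSwitch, $WanSwitch, $LanSwitch |
    Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS

# If 172.16.16.0/24 is already routed via another interface, setup traffic
# may leave through the wrong adapter and never reach the firewall.
$conflict = Get-NetRoute -DestinationPrefix "172.16.16.0/24" -ErrorAction SilentlyContinue |
            Where-Object { $_.InterfaceIndex -ne $vEth.ifIndex }
if ($conflict) {
    Write-Warning "172.16.16.0/24 is already reachable via another interface; the setup UI may be unreachable from this host."
}
```

Leaving the management OS off the WAN switch is deliberate: the parent partition should never share a segment with the Internet-facing side of the firewall it hosts.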

Let’s start,

#this script sets up a new XG Firewall VM
#the Hyper-V server used to run the virtual firewall
$ComputerName = "MyHyperVServer"
#the name of the virtual firewall VM
$vmname = "MyNewFirewal"

#the RAM of the firewall, from 1GB upwards
$ram = 6GB
#the number of vCPUs, from 1 upwards; check your licence
$vmproc = 4

#the path of the VM on the Hyper-V server
$path = "e:\xfSophosFirewall"

#names of the virtual switches used in this example
#the admin vSwitch, used for the initial setup and later for administration
$vswitchadmin = "admin"
#the virtual switch used for external access during the setup and later
$vswitchwan = "Wan"
#the virtual switch used for the internal network
$vswitchlan = "lan"

#the paths of the 2 VHDs
$fwPRIMARYVhd = "$path\PRIMARY-DISK.vhd"
$fwAUXILIARYVhd = "$path\AUXILIARY-DISK.vhd"

#create the VM (no disk yet; the VHDs are attached below)
New-VM -Verbose -Name $vmname -MemoryStartupBytes $ram -Generation 1 -Path $path -ComputerName $ComputerName
#set the VM processor count
Set-VMProcessor -Count $vmproc -VMName $vmname -ComputerName $ComputerName

#remove the default network adapter so that we control the adapter order
Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName | Remove-VMNetworkAdapter

#add the 2 hard drives to the new VM, PRIMARY first so that it lands on IDE 0:0
Add-VMHardDiskDrive -Path $fwPRIMARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive -Path $fwAUXILIARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1

#admin/setup interface (eth0)
#I use a VLAN, but you can also use a dedicated network
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchadmin -Name setup

#add the WAN interface (eth1), in access mode on VLAN 5
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchwan -Name wan
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName wan -Access -VlanId 5 -ComputerName $ComputerName

#add the LAN interface (eth2). It's a trunk interface with a native VLAN;
#MAC address spoofing must be on, see above
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchlan -Name lan
Set-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -Name lan -MacAddressSpoofing On
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName lan -Trunk -AllowedVlanIdList "6,7" -NativeVlanId 10 -ComputerName $ComputerName

After the setup, change the admin/setup IP address to fit your admin network. If you skip this step, you may fail to set up another XG firewall on the same admin network later, because both devices will answer on the default address 172.16.16.16.
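Before the first Start-VM it is worth checking that the script produced what the firewall expects, and that nothing else on the admin network is still sitting on 172.16.16.16. The following is an added example, not part of the original post; it reuses the script's $vmname and $ComputerName values and assumes it is run from the Hyper-V host, whose parent partition has an address on the "admin" vSwitch (otherwise the duplicate-address probe cannot reach the network and gives a false negative).

```powershell
# Added example: audit the freshly created XG VM before powering it on.
# Assumes: run on the Hyper-V host, parent partition is on the admin vSwitch.
$vmname       = "MyNewFirewal"
$ComputerName = "MyHyperVServer"
$AdminSwitch  = "admin"

# 1. Adapter order matters: XG maps eth0/eth1/eth2 in creation order.
$nics     = Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName
$expected = @("setup", "wan", "lan")
$actual   = @($nics.Name)
if (($actual -join ",") -ne ($expected -join ",")) {
    Write-Warning "Adapter order is '$($actual -join ',')'; expected '$($expected -join ',')'."
}

# 2. Each adapter must hang off the switch it was designed for, and only the
#    LAN adapter should need MAC address spoofing.
$nics | Select-Object Name, SwitchName, MacAddressSpoofing, VmqWeight
Get-VMNetworkAdapterVlan -VMName $vmname -ComputerName $ComputerName |
    Select-Object ParentAdapter, OperationMode, AccessVlanId, NativeVlanId, AllowedVlanIdList

# 3. Disk order: PRIMARY-DISK must be on IDE 0:0 or the appliance will not boot.
$disks = Get-VMHardDiskDrive -VMName $vmname -ComputerName $ComputerName
$disks | Select-Object ControllerType, ControllerNumber, ControllerLocation, Path
$boot = $disks | Where-Object { $_.ControllerNumber -eq 0 -and $_.ControllerLocation -eq 0 }
if (-not $boot -or $boot.Path -notlike "*PRIMARY-DISK.vhd") {
    Write-Warning "IDE 0:0 is not PRIMARY-DISK.vhd; the VM will not boot from the appliance image."
}

# 4. Duplicate-address guard: 172.16.16.16 must not answer before this VM
#    is powered on. If it does, an earlier firewall still has its default
#    admin address and the new one would collide with it.
$probe = Test-NetConnection -ComputerName 172.16.16.16 -Port 4444 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    throw "172.16.16.16:4444 already answers on the admin network; change the admin IP of the existing firewall first."
}

# 5. Which other VMs share the admin switch? Each of them is a candidate for
#    the collision above (management OS adapters have no VMName and are skipped).
Get-VMNetworkAdapter -All -ComputerName $ComputerName |
    Where-Object { $_.SwitchName -eq $AdminSwitch -and $_.VMName -and $_.VMName -ne $vmname } |
    Select-Object VMName, Name, MacAddress

# All checks passed (or only warned): power the firewall on.
Start-VM -Name $vmname -ComputerName $ComputerName
```

Step 4 only proves that nothing currently listens on the default address; a second firewall that was powered off with its default IP still intact will collide the moment it is started, so step 5 lists the VMs that deserve a look.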

You can also download the script as a file from the original post.

Friday 5 February 2016

Create a Sophos XG firewall on Hyper-V

Like the UTM firewall, the Sophos XG firewall runs as a VM on Hyper-V. There is an option to download a ready-to-run package, but it comes with very little documentation. The package, currently VI-SFOS_15.01.0.HYV-376.zip, contains two VHD files, PRIMARY-DISK.vhd and AUXILIARY-DISK.vhd. Upload these two files to a folder on your Hyper-V server and create a Generation 1 VM with the two disks attached to the first IDE controller (PRIMARY-DISK.vhd at location 0). Select the amount of RAM (1 GB is the minimum) and the number of processors you need. Add at least two network cards, remembering that the first one will be the LAN/management interface used for the initial setup.

New-VM -Name "XGDemo" -MemoryStartupBytes 1GB -Generation 1 -Path 'X:\SophosXG'
Set-VMProcessor -Count 2 -VMName "XGDemo"
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\PRIMARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0
Add-VMHardDiskDrive -VMName "XGDemo" -Path "X:\SophosXG\AUXILIARY-DISK.vhd" -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC1" -SwitchName SetupLan
Add-VMNetworkAdapter -VMName "XGDemo" -Name "LAN_NIC2" -SwitchName LAN


Remember that the first NIC, LAN_NIC1, is the management port. Its default IP is 172.16.16.16, which is a problem if 172.16.16.0/24 is already in use as an internal network. You need a way to reach https://172.16.16.16:4444 to set up the firewall. The solution is to create a vSwitch, internal or external, and set up the firewall from the parent partition, from another VM, or from an external network; if you need access from outside the hypervisor, make sure to use a dedicated NIC on the parent host and a dedicated network.

You can start the VM. Once the console shows this message:
[image: SophosXGSetup3.png]

you can open your browser to set up your firewall:
[image: SophosXgFirewall]
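The first browser session to the setup UI is the moment you decide to trust a self-signed certificate on an address that, as noted above, may be shared by several freshly deployed appliances. The following added example (not code from the original post) waits for port 4444 to come up after Start-VM, records the certificate the appliance presents so that a later visit can be compared against it, and then opens the browser. It assumes the parent partition has an address on the SetupLan vSwitch and that the appliance accepts TLS 1.2, which needs .NET 4.5 or later on the host.

```powershell
# Added example: wait for the XG setup UI, note its certificate, open it.
# Assumptions: run on the Hyper-V host with an address on the SetupLan
# vSwitch; the appliance's setup UI accepts TLS 1.2.
$SetupHost = "172.16.16.16"
$SetupPort = 4444

function Wait-SetupUi {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutSec = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $r = Test-NetConnection -ComputerName $TargetHost -Port $Port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { return $true }
        Start-Sleep -Seconds 5
    }
    return $false
}

function Get-SetupUiCertificate {
    param([string]$TargetHost, [int]$Port)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList @($TargetHost, $Port)
    try {
        # The appliance ships a self-signed certificate, so the validation
        # callback accepts anything: the goal is to record what was seen,
        # not to trust it blindly.
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @(
            $client.GetStream(),
            $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        )
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList @($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

if (-not (Wait-SetupUi -TargetHost $SetupHost -Port $SetupPort)) {
    throw "Setup UI did not come up on ${SetupHost}:$SetupPort; check that the first NIC is on the setup vSwitch."
}

$seen = Get-SetupUiCertificate -TargetHost $SetupHost -Port $SetupPort
$seen | Format-List

# Keep the thumbprint next to your notes for this appliance. If a later
# connection to the admin UI shows a different one, something else is
# answering on that address (for example a second firewall still on its
# default 172.16.16.16).
$seen.Thumbprint | Out-File -FilePath "$env:USERPROFILE\xg-setup-cert.txt"

Start-Process "https://${SetupHost}:$SetupPort/"
```

Recording the thumbprint is the cheapest form of trust-on-first-use: it does not make the self-signed certificate any more trustworthy, but it lets you notice when the thing at 172.16.16.16 is no longer the appliance you set up.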