Running Sophos XG Firewall in Telefonica’s OpenCloud ECS

Sergio Carmona, Cobalt Bond
May 25, 2018

Some time ago we published a story explaining how to run a Fortigate virtual appliance in OpenCloud (Telefonica's public cloud platform). This time I am going to explain how to set up a Sophos XG Firewall virtual appliance in OpenCloud.

The process is quite straightforward, but there are a couple of tricky steps you have to consider.

Uploading the Sophos VM image file

The first thing we need is access to a Sophos VM image. You can download it from Sophos' web portal by requesting a free trial.

We need the Xen image. In this case I will use VI-SFOS_17.0.6_MR-6.XEN-181, which is the latest release at the time of writing:

VI-SFOS_17.0.6_MR-6.XEN-181.zip

First we need to upload the disk image file to OBS using OBS Browser or any similar tool that can manage S3-compatible storage.

To do this we need to extract the contents of the zip file and upload only the main disk image, sf_virtual-disk1.vmdk, to OBS:

Importing the Sophos VM image file into IMS

Once the image is uploaded into OBS we can import it into IMS: go to the IMS menu, select "Create Private Image", choose to create it from a file, select the file from your OBS bucket, set the OS type to "Other, 64 bits" and the size to 4GB. We will later add an additional volume to act as the log disk.

Creating the ECS based on the imported image

Once the image file has been imported we can apply for an ECS based on it.

Although the minimal configuration that can run XG Firewall is 1 CPU and 1 GB, I recommend using at least 2 CPUs and 4 GB of RAM. During my first tests with the minimal configuration the ECS load was very high, and so was the memory consumption. It seems that Sophos XG Firewall demands a lot of resources.

For the OS volume we recommend the minimal size (4GB) on SSD to get the best performance.

The data disk will be added later. (For some reason I don't totally understand, if you add the data disk at this stage the disk is not recognized by the VM. It took me several tries to understand what was happening with the disk.)

We will also need to provide 2 NICs in different subnets (for example front-end and back-end subnets) and assign an EIP to the front-end one.

If you don't have a VPN from your premises to the OpenCloud subnets, I recommend that you also assign a temporary EIP to the back-end NIC until you finish the network and management configuration in the firewall; otherwise you won't be able to access the web GUI.

Setting up a few important things:

Once our Sophos VM ECS is running we need to perform some tasks to preconfigure and grant access to the GUI.

Firewall interfaces pre-setup:

Now that we have started the ECS, it is time to add the data volume. Just add a second volume (I recommend 80GB SSD) and attach it as /dev/sdb.

Once added you need to restart the ECS from the OpenCloud console.

When the ECS has restarted we need to access the VM through the OpenCloud VNC console to configure the network interfaces and the default route.

If you see an error on this screen you have probably missed something. The most common error would probably be this one:

If everything has gone ok in the previous steps you should see something like this:

The default password when accessing the console is "admin". Once logged in you'll see a menu like this:

Select option [5] (Device Management) and then option [3] (Advanced Shell).

Now we need to add the default route:

# route add default gw <front-end subnet gateway IP>

The next step is to set up the network interfaces. Go back to the console menu, select option [1] (Network Configuration) and then again option [1] (Interface configuration). Either set up DHCP so that the interfaces get the ECS NIC IPs, or set static IPs (make sure to assign the same addresses that are assigned to the ECS NICs).

Now you should be able to access the web GUI using the back-end EIP (or the internal IP if you are connected to OpenCloud through a VPN):

http://backend-ip:4444

Use admin/admin to log in. I recommend skipping the wizard and going directly to the web GUI to set up the final steps.

Set up a firewall policy to enable outbound traffic from the LAN:

Have a look at the interfaces configuration:

Make sure the WAN link status is ok:

A very important step: Disabling SRC/DST Verification

Because the traffic from Sophos XG Firewall will be flowing from its own interfaces (with their own MAC addresses), we need to disable src/dst verification in the NIC configuration in the OpenCloud console. Otherwise OpenCloud will block internal traffic that comes from or goes to unknown MAC addresses:

Almost done…

Now the firewall is ready to process traffic coming from the subnet (LAN), but the ECSs are still using the subnet gateway, so we need to log into each ECS whose traffic we want to send through the firewall and modify its default gateway. We have 2 ways:

  • assign a temporary EIP to login into each of them
  • access to them through their internal IP using a VPN

Once we can log into one, we need to change the default gateway.

For example, let's say we have a Linux ECS (CentOS 7). We have to edit the network script for the eth0 interface, change it from DHCP to static and set GATEWAY to the IP assigned to port2 in the firewall:

[root@ecs-whatever]$ vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
NM_CONTROLLED="no"
PERSISTENT_DHCLIENT="y"
IPADDR=10.99.95.116
NETMASK=255.255.255.0
# GATEWAY is the firewall LAN IP (port2 of the Sophos XG)
GATEWAY=10.99.95.27

If you were accessing the ECS through the OpenCloud VPN, don't forget to create a static route in the ECS so that VPN traffic returns through the original subnet gateway. Otherwise VPN traffic would arrive via the subnet gateway but return through the firewall, and that would be a problem!

We can now reboot the ECS or restart the network service to apply the changes in the network configuration.
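A small script, added here and not part of the original post, that writes the ifcfg-eth0 and route-eth0 files for the CentOS 7 steps above: the default gateway moves to the firewall's LAN IP while a VPN client range keeps returning through the original subnet gateway, and a firewall IP outside the ECS subnet is refused. The VPN range 192.168.200.0/24 and subnet gateway 10.99.95.1 are assumed values, and the script name set-gw.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the CentOS 7
# ifcfg-eth0 and route-eth0 files that make an ECS use the Sophos XG LAN
# interface as its default gateway while VPN client traffic keeps returning
# via the original OpenCloud subnet gateway. The VPN range and subnet gateway
# in the usage line below are constructed; the page does not give them.

# ip_to_int DOTTED_QUAD -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP_A IP_B NETMASK -> true when both addresses share the subnet
same_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# gen_ifcfg ECS_IP NETMASK FW_LAN_IP -> ifcfg-eth0 content: static address,
# default gateway pointing at the firewall's port2 (LAN) address
gen_ifcfg() {
    printf 'DEVICE="eth0"\nBOOTPROTO="none"\nONBOOT="yes"\nNM_CONTROLLED="no"\n'
    printf 'IPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$1" "$2" "$3"
}

# gen_route VPN_NET SUBNET_GW -> route-eth0 content (ip-route syntax) so that
# replies to VPN clients leave through the gateway the VPN traffic came from
gen_route() {
    printf '%s via %s dev eth0\n' "$1" "$2"
}

# apply_gateway DIR ECS_IP NETMASK FW_LAN_IP VPN_NET SUBNET_GW
# Writes both files into DIR (/etc/sysconfig/network-scripts on a real ECS);
# refuses a firewall LAN IP outside the ECS subnet, which would leave the ECS
# without a reachable default gateway.
apply_gateway() {
    dir=$1; ecs_ip=$2; mask=$3; fw_ip=$4; vpn_net=$5; subnet_gw=$6
    if ! same_subnet "$ecs_ip" "$fw_ip" "$mask"; then
        echo "firewall LAN IP $fw_ip is not in the subnet of $ecs_ip/$mask" >&2
        return 1
    fi
    gen_ifcfg "$ecs_ip" "$mask" "$fw_ip" > "$dir/ifcfg-eth0"
    gen_route "$vpn_net" "$subnet_gw" > "$dir/route-eth0"
}

# Usage (as root, then restart the network service as the post describes):
#   ./set-gw.sh /etc/sysconfig/network-scripts 10.99.95.116 255.255.255.0 \
#       10.99.95.27 192.168.200.0/24 10.99.95.1
if [ "$#" -eq 6 ]; then apply_gateway "$@"; fi
```

Point DIR at a scratch directory first to review the generated files before touching /etc/sysconfig/network-scripts.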

If you were accessing through an EIP, you can now unbind the EIP from the ECS's NIC and release it.

If this was the case, don't forget to create a port forwarding rule in the firewall, otherwise you won't be able to log into the ECS. It's easy: you only have to create a Virtual IP that redirects the external port to the internal port and IP, and create an IP policy that allows traffic from WAN to LAN for the Virtual IP object.

Let's try to download the EICAR test file from FortiGuard Labs:

http://metal.fortiguard.com/generated/eicar.com

We can see that the traffic has been blocked by the firewall, as the file has been detected as malware:

And that’s all…

As always, don't forget to take care of your security groups in OpenCloud and of the right policies in the firewall, to minimize risk exposure while allowing the right traffic. Also don't forget to set a proper password for the admin user in the XG Firewall.

I hope you have found this reading helpful, and if you have any doubts or get stuck with the process we'll be glad to support you.

Cheers!
