Setup Sophos XG firewall on Vultr.com virtual server


There are a few tricks required to get around Sophos' install idiosyncrasies when installing Sophos XG Firewall from ISO on a Vultr virtual server.

Sophos UTM (the predecessor) used to be easy to install, but with XG Firewall Sophos have gone back to being inflexible about some basics that, in my opinion, are unnecessary (Sophos, these are things you should fix):

  • Two network interfaces are needed
  • The pre-initialisation command line does not allow setting the default gateway of any interface
  • The pre-initialisation command line does not allow setting a static IP on all interfaces (only on interface 1)
  • Changing network settings in the web admin during initialisation causes loss of access (in this setup)

So these problems require certain things from Vultr:

  • 2 instances (one for the XG and another, Linux or Windows, to initially manage the XG)
  • 2 IP addresses in the same subnet (necessary because, with no default gateway set, the XG can only reach IPs in its own subnet)
  • Console access to the running instances, which Vultr provides for free
  • A download link to Sophos' XG ISO

Step by step, what I did:

  1. Started 10 (yes, ten) servers of the cheapest kind in the hope of getting 2 IP addresses in the same subnet, which I did.
  2. Shut down the other 8 servers as soon as possible, as they cost money.
  3. "Converted" those 2 IP addresses to "reserved IP addresses" – this way you keep them and can assign them to the 2 instances you need for this setup process.
  4. Shut down the 2 instances whose IP addresses you have taken.
  5. Added the Sophos XG ISO to Vultr via its download link.
  6. Started an instance to install from that ISO and assigned it one of the 2 reserved IP addresses.
  7. Went through the ISO's setup process for Sophos XG, following its instructions.
  8. Removed the ISO from the instance. This reboots the instance and setup continues.
  9. Logged in on the console and set the port 1 IP address to the IP address allocated above. The web interface then becomes reachable from this subnet only.
  10. Started another instance of choice with the other reserved IP address in the same subnet. I used a Linux instance, which I ssh'd into and made a tunnel to the XG web interface at https://<IP>:4444, but there is no reason (other than cost) why you could not use a Windows instance and access the same web interface from there.
  11. In the Sophos web interface setup, enter a new password, disable installing new firmware and agree to the licence.
  12. Select "Continue offline" and confirm that you want to continue.
  13. Give your machine a name and select your timezone (you can also change that later).
  14. Continue after basic setup is complete.
  15. The next step is critical to get right: put only the IP address and the subnet mask, exactly as shown in the console interface, in the "LAN Address and Internal Client Network Size" fields. Otherwise you will lose access to the instance and have to start from scratch.
    Also disable DHCP.
  16. Continue without ticking any of the network protection options (can be changed later).
  17. Put your email addresses in the next step (can be changed later).
  18. Finish. The XG will reboot.
  19. Once setup is complete, go back into the web interface and log in with your new password. You will get the normal XG web interface and can then adjust your network settings to get internet access on your XG, register, update, etc.
  20. IMPORTANT: make sure you allow access to the admin interface from the WAN link, otherwise you will lock yourself out and have to start again. See System / Administration / Device Access. Since this exposes the admin port to the internet, restrict it to your own source addresses where you can rather than leaving it open to everyone.
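As an added helper (not part of the original post), the following POSIX shell script checks the precondition the whole procedure depends on: that the two reserved Vultr addresses fall in the same subnet under the netmask shown on the XG console, so the helper instance can reach the XG before a default gateway exists. It then prints the ssh port-forward used in step 10 to reach the XG admin interface on port 4444 through the helper Linux instance. It goes slightly beyond the post in accepting the mask in either dotted-quad or /prefix form. The addresses and the `root@` login are constructed placeholders.

```shell
#!/bin/sh
# Added helper, not part of the original post. Checks that two Vultr addresses
# share a subnet under a netmask (dotted-quad or /prefix) and prints the SSH
# port-forward to the XG web admin on port 4444 via the helper Linux instance.
# All addresses and the login name below are constructed placeholders.

# Dotted-quad IPv4 -> unsigned 32-bit integer.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask in dotted-quad (255.255.255.0) or prefix (/24) form -> 32-bit integer.
mask2int() {
  case $1 in
    /*)
      prefix=${1#/}
      if [ "$prefix" -eq 0 ]; then
        echo 0
      else
        echo $(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
      fi
      ;;
    *)
      ip2int "$1"
      ;;
  esac
}

# Prints "yes" when both addresses fall in the same subnet, otherwise "no".
# This is the check behind needing two Vultr IPs in one subnet: without a
# default gateway the XG only talks to hosts whose address shares its network.
same_subnet() {
  a=$(ip2int "$1")
  b=$(ip2int "$2")
  m=$(mask2int "$3")
  if [ $(( a & m )) -eq $(( b & m )) ]; then
    echo yes
  else
    echo no
  fi
}

# Builds the ssh port-forward: local port -> XG_IP:4444, tunnelled through the
# helper instance. Browse to https://localhost:<local port> afterwards.
tunnel_cmd() {
  xg_ip=$1
  jump=$2
  local_port=${3:-4444}
  echo "ssh -N -L ${local_port}:${xg_ip}:4444 ${jump}"
}

main() {
  xg_ip=${1:-203.0.113.10}      # placeholder: reserved IP assigned to the XG
  helper_ip=${2:-203.0.113.20}  # placeholder: reserved IP of the Linux helper
  mask=${3:-255.255.255.0}      # placeholder: mask entered on the XG console

  if [ "$(same_subnet "$xg_ip" "$helper_ip" "$mask")" = yes ]; then
    echo "OK: $xg_ip and $helper_ip share a subnet under $mask"
    echo "Run on your workstation: $(tunnel_cmd "$xg_ip" "root@$helper_ip")"
    echo "Then open https://localhost:4444 in a browser."
  else
    echo "FAIL: $xg_ip and $helper_ip are in different subnets under $mask" >&2
    echo "Reserve addresses in one subnet before continuing." >&2
    return 1
  fi
}

main "$@"
```

Run it as `sh check_xg_subnet.sh <XG IP> <helper IP> <mask>`; a "FAIL" means the helper instance will never see the XG's web interface no matter what you enter in step 15, so fix the addresses before installing. The `-N` in the printed ssh command keeps the session open for forwarding only, which is all the browser needs.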

Optional extras:

  • I did not register, install licences or even start a trial; I only updated the XG after setup and then made a snapshot of it, because I wanted to release the reserved IP address, as it costs extra unnecessarily. When you create an instance from the snapshot it gets a new dynamic IP address, which you will need to set in the console interface; that interface works perfectly for setting the default gateway after setup (Sophos, why not during setup?). Then you can access your new XG via the new IP address. (Yes, you can start multiple instances, because each gets its own IP, serial number and licence.)
  • Shut down all unneeded instances and delete the reserved IPs.