SFM Getting Started Guide · 2019-03-06 · C. Create Device Group ... While your virtual image is being downloaded, open the mail you received in step 2 asking to activate your account

March 2019 Page 1 of 50

Getting Started Guide Sophos Firewall Manager Document Date: March 2019

Sophos Firewall Manager Getting Started Guide


Contents

Change Log ..................................................................................................................................... 3

Preface ............................................................................................................................................. 4

Supported SFOS versions............................................................................................................. 4

Installation Instructions ................................................................................................................. 4 Recommended hardware requirement ................................................................................................. 4

Minimum hardware requirement for Software Devices (ISO File) .............................................................. 4 Download ........................................................................................................................................... 4

Deploying a Virtual or Software Device....................................................................................... 9 1. Virtual Appliances ....................................................................................................................................... 9 2. Software Devices (ISO File) ...................................................................................................................... 9

Creating an Installer for Software Appliance ......................................................................................... 9 Installation process ....................................................................................................................................... 10 Booting ........................................................................................................................................................... 10

Importing Virtual Firewall Manager in Virtual Devices.......................................................................... 12 VMware Virtual Machine .............................................................................................................................. 12 Xen Virtual Machine: .................................................................................................................................... 16

KVM ................................................................................................................................................. 21 Hyper-V Virtual Machine .................................................................................................................... 26

First-Time Device setup ............................................................................................................... 41 A. Activation ............................................................................................................................................... 41 B. Basic Setup ........................................................................................................................................... 42 C. Device Activation .................................................................................................................................. 42 D. Device Registration .............................................................................................................................. 43 E. Synchronize License ............................................................................................................................ 44 F. Configure Sophos Firewall Manager (SFM) ....................................................................................... 45

Start using Sophos Firewall Manager ....................................................................................... 47 A. Understanding the 3 work areas – Device Configuration, Template Configuration & System Management ................................................................................................................................................. 47 B. Add devices to manage ....................................................................................................................... 47 C. Create Device Group ........................................................................................................................... 50 D. Start Managing Devices ....................................................................................................................... 50 E. Templates ............................................................................................................................................. 50 F. Monitoring ............................................................................................................................................. 50



Change Log

Date Change Description

16-11-2015 Updated Recommended Hardware Requirement section as per number of devices that can be managed by Sophos Firewall Manager.

20-06-2016 Updated Recommended Hardware Requirement section for minimum hardware requirement for Software Devices (ISO File).

01-02-2017 The entire guide was updated for version 16.

14-06-2017 Updated all instances of SF-OS to SFOS.

12-09-2017 Removed the Prerequisite to configure 4 Virtual Network Interfaces in Xen Virtual Machine, KVM and Hyper-V Virtual Machine section.

06-03-2019 Updated Recommended Hardware Requirement section for:

Minimum 2 network interface cards required for virtual software.

Recommended CPU changed to Octa core for SFMv1000.



Preface

This guide describes how to download, deploy and run Sophos Firewall Manager (SFM) as a

Software Appliance on custom hardware or as a virtual machine. Supported SFOS versions

SFM (SFM v15.01.0.206) supports Firewalls using the following SFOS versions:

Hardware Appliance: SFOS 15.01.0.292 and above Software Appliance: SFOS 15.01.0.143 and above Virtual Appliance: SFOS 15.01.0.246 and above

Installation Instructions

Recommended hardware requirement

Virtual and Software deployments of SFM are licensed based on the number of devices managed and a no-charge evaluation license is available for managing up to 5 firewall devices.

Virtual /Software SFMv5* SFMv15 SFMv50 SFMv100 SFMv200 SFM v500

SFMv1000

Number of Sophos Firewall OS devices supported

5 15 50 100 200 500 1000

Recommended CPU** Dual Core

Dual Core

Dual Core

Dual Core

Dual Core

Quad Core

Octa Core

Recommended Memory (vRAM)

2 GB 2 GB 4 GB 4 GB 8 GB 8 GB 16 GB

Recommended HDD 160 GB 160 GB 250 GB 500 GB 500 GB 1 TB 1 TB

Network Interface Support (Minimum /Maximum)

2 / 4 2 / 4 2 / 4 2 / 4 2 / 4 2 / 4 2 / 4

* Free for evaluation purpose ** CPU frequency 2.7 GHz or equivalent

Minimum hardware requirement for Software Devices (ISO File)

1 GB RAM

2 Network Interface Cards 64 GB HDD/SSD size

Download

SFM is available as Virtual or as Software Device (on custom hardware).

Click the link https://sophos.com/en-us/products/next-gen-firewall/free-trial/sfm.aspx to register

for MySophos account and download the virtual or software device for Sophos Firewall Manager (SFM).

To register for MySophos Account, fill in the required details as shown in the image below and

click Submit.

https://sophos.com/en-us/products/next-gen-firewall/free-trial/sfm.aspx



Note:

After clicking submit, you will receive an email at the Email Address specified in the step above

asking to activate your account. For now, skip activating your account and proceed directly to step 3.

Fill-in you’re the following organization details and click Submit.

You will be redirected to the End User License Agreement page, select the check-box against ‘I accept the terms and conditions’ and click Submit to initiate the download process of a ZIP file containing the virtual image for Sophos Firewall Manager.



…….

You will be redirected to download page as shown below, click on the download button to

initiate the download process of a ZIP file containing the virtual image for Sophos Firewall

Manager.





In addition, you will receive an email with subject line ‘Your Sophos Serial Number’ containing

the serial number to activate and register your Firewall Manager. For now, just save the serial number and proceed to step number 6 since you will need the serial number for Device Activation and Registration.



Activate your MySophos account. While your virtual image is being downloaded, open the mail you received in step 2 asking to activate your account. Click the link provided in the mail to activate your account. On successful activation you will be redirected to following page.

Deploying a Virtual or Software Device

1. Virtual Appliances

A. VMware Virtual Machine (VMware Workstation, ESXi_Server) B. Xen Virtual Machine C. Hyper-V Virtual Machine

D. KVM Virtual Machine

Just import the VM file into Virtual Device of choice, and set the hardware specs for your VM.

2. Software Devices (ISO File)

The downloaded ISO file can be installed on the custom hardware using an Installer. To create the Installer, see Creating an Installer section.

Creating an Installer for Software Appliance

To install Software, you will need to write ISO to a standard USB thumb drive.

On Windows:

1. Download and run the Win32 Disk Imager utility.

(http://sourceforge.net/projects/win32diskimager/)

2. Run the utility, and browse the downloaded ISO file. The application will default to looking for .IMG files. Be sure to change the file filter to (*.*), then locate and select the Firewall

Manager ISO file. 3. Select the USB thumb drive you wish to install the ISO on. The thumb drive should be at

least 1GB in size, and writing the ISO to it will erase any data it currently contains.

4. Once the process is complete, your thumb drive is ready to use.

On OS X:

1. Open the Disk Utility included on OS X. 2. Locate the thumb drive in the list of disks.



3. On the partitions tab, change the volume scheme to “1 partition”, and the format to “Free Space”, then click apply. 4. You will need to convert the downloaded ISO file into a new format. Open a terminal

window, and navigate to the path where the ISO is stored. 5. Run the command:

hdiutil convert -format UDRW -o sfm.img 15.01.0.206_ISO.iso

6. The converted ISO will be named sfm.img.dmg. 7. Next, locate the device path of the USB device, by running diskutil list.

8. For example, let’s say your USB thumb drive’s path is /dev/disk9 but be sure to use the actual path of your thumb drive.

9. Next, we’ll write the converted ISO to your thumb drive, with the following command:

dd if=./sfm.img.dmg of=/dev/rdisk9 bs=1m

Note:

The = path adds an “r” in front of the device path name. This is deliberate, and enables

RAW disk access. You may leave the r out, but the process will go much more slowly. You may need to run “sudo dd <rest of command>” for the imaging to work on your

system.

10. Wait a few minutes for the process to complete. When you return to a command prompt, the

thumb drive will be ready, and can be ejected.

11. If you run into problems, see http://borgstrom.ca/2010/10/14/os-x-bootable-usb.html for more detailed instructions.

Installation process

Since this is a Software/Virtual Device, you may need to change BIOS settings for the thumb drive to boot, if you are installing on your own hardware. You will also need to connect a monitor

and keyboard, or a serial cable to the system to complete. You will need to respond to two prompts to begin the installation.

Booting

When prompted, press y<enter> to start the install.

The installation progress will be shown on the screen, as it continues.

http://borgstrom.ca/2010/10/14/os-x-bootable-usb.html



Once the installation is complete, remove the thumb drive, and reboot the device. Give it a

couple minutes for the first boot to complete.

At this point, the system is now running Sophos Firewall Manager. You can now setup your device and start using SFM.



Importing Virtual Firewall Manager in Virtual Devices

VMware Virtual Machine

Download the .zip file containing the Sophos Firewall Manager OVF.

Open VMware and open .ovf file.



Click on Import.

Select the SFM Virtual machine and click Play virtual machine link to start Sophos Firewall virtual machine.



Customize Configuration - Default Hard disk2 will be 160 GB, you can increase Disk size using following steps:

1. Click on Edit virtual machine settings.

2. Click on Hard Disk 2 then click on Expand... button.

3. Enter Maximum Disk Size as per your Requirement.



4. You will get the below Successfully Expanded Message. Click on OK.

5. After reboot, you can check Expanded Disk 2 in Virtual Machine settings Page.



You can now setup your device and start using SFM.

Xen Virtual Machine:

Base Configuration

One vCPU 1GB vRAM Primary Disk with 4GB size

Report Disk with 80GB size

Prerequisites

Make sure that XenServer is already installed in your network. Install XenCenter, a desktop Graphical User Interface (GUI) application for managing

XenServer.

Importing Virtual Firewall Manager

Download the .zip file containing the Sophos Firewall Manager OVF. Open XenCenter and select the XenServer where you want to deploy Sophos Firewall Manager

Virtual Appliance.

Right click on the selected XenServer and click Import to open the downloaded .ovf file.



Navigate to location where .ovf is stored and select it.

Click Next to configure Location, Storage and Security one by one. After that, click Next to enable/disable Operating System Fixup, a feature when enabled,

ensures hypervisor Interoperability. Generally, Operating System Fixup is not required and by default, “Don’t use Operating System Fixup” is selected. Sophos Firewall Manager recommends that you do not change the default selection.



Click Next to configure the “Transfer VM Settings”. Transfer VM is a temporary VM, created during the deployment process, which is used to perform the import operation.

From the drop-down list against ‘Network’, select the network on which the temporary VM will run. Specify an unused IP Address from the pool or standalone server you selected in the very beginning of Step 3. Alternatively, you can choose to automatically obtain network

settings using DHCP.



Click Next to continue to the final step of the “Import OVF/OVA Package” wizard i.e. reviewing the import settings.

Click Finish to exit the “Import OVF/OVA Package” wizard. The deployment process takes time

to complete. Please wait while the process completes.

This installs Sophos Firewall Manager Virtual Appliance on your machine.

Start virtual machine - Right click the deployed Virtual Appliance and click Start to access Sophos Firewall Manager.

Enter the administrator password i.e. ‘admin’ to continue to the main menu of the Sophos Firewall Manager Virtual Appliance.



Steps to Customize Hard disk size

Power Off virtual Machine, go to storage option and right click on disk-2. Click on Properties.

Go to “Size and Location” option to change disk size.

Click on OK button to apply the changes and power on Virtual Machine. You can now setup your device and start using SFM.



KVM

Base Configuration

One vCPU

1GB vRAM Primary Disk Auxiliary Disk

Prerequisites

Make sure you have an x86 machine running a recent Linux kernel on an Intel processor with

VT (virtualization technology) extensions, or an AMD processor with SVM extensions (also called AMDV).

Use commands given below to check if your CPU supports Intel VT or AMD-V:

For Intel VT: grep --color vmx /proc/cpuinfo For AMD-V: grep --color svm /proc/cpuinfo


Download the .zip file containing the Sophos Firewall Manager .qcow2 image.

Open KVM, navigate to File > Add Connection. Click on Create a new virtual machine icon. Specify name for the virtual machine and select Import existing disk image and browse to the

folder containing Sophos Firewall Manager .qcow2 file titled ‘<Appliance Key>- disk1.qcow2’, where <Appliance Key> stands for your Sophos Firewall Manager Virtual Appliance key.



Click on Open. Keep both OS type and Version as Generic and click Forward to continue to the next step.

Assign vRAM and vCPU to be used by the virtual machine. Click Forward to continue to the next step.



As mentioned in the Base Configuration section, there underlies a base virtual hardware

configuration without which Sophos Firewall Manager Virtual Security Appliance goes into “FAILSAFE” mode. To ensure that Virtual Sophos Firewall Manager boots up with the base virtual hardware configuration, you need to customize the configuration before clicking

Finish. Tick the checkbox against Customize configuration before install parameter and click Finish.



Customize Configuration - As displayed in the screen below, modify the Disk bus and Storage Format information of Disk1, added in earlier steps, to Sophos Firewall Manager supported settings.

Add Auxiliary Disk to the Virtual Machine Go to Add Hardware > Storage and click Select managed or other existing image to add the Sophos Firewall Manager Virtual Appliance Auxiliary Disk file titled ‘<Appliance Key>disk2.qcow2’, where <Appliance Key> stands for

your Sophos Firewall Manager Virtual Appliance key. Change Device type to Virtio Disk and Storage format to qcow2 and click Finish to successfully add the Auxiliary Disk to the Virtual Machine.



Add vNICs to the Virtual Machine: o Prerequisite - It is mandatory to configure at least three Virtual Network Interfaces

and Sophos Firewall Manager recommends that all three of them should be

Bridge interfaces. o Go to Add Hardware > Network to add a vNIC to the Virtual Machine. o Select a bridge interface as ‘Host device’ and change ‘Device model’ to ‘virtio’ and

click Finish to successfully add the vNIC to the Virtual Machine. o Repeat the same procedure to configure at least 3 Virtual Network Interfaces (of

Device model type virtio) to the Sophos Firewall Manager Virtual Security

Appliance.

Begin Installation: After configuring minimum virtual hardware requirements for Virtual Sophos

Firewall Manager, click Begin Installation to complete the installation process of the Virtual Machine.



Enter the administrator password i.e. admin to continue to the Main Menu of the Sophos Firewall Manager Virtual Security Appliance.

This installs Sophos Firewall Manager Virtual Security Appliance on your machine. You can now setup your device and start using SFM.

Customize Hard disk size: Default size of the Hard disk2 will be 160 GB, You can increase the disk size by executing following command:

qemu-img resize AUXILIARY-DISK.qcow2 +<disk_size>GB

For executing above command you should navigate to 'AUXILIARY-DISK.qcow2' file location.

For example your file placed under sfmos folder then you should navifate to sfmos (

/home/sfmos/) and execute the command (qemu-img resize AUXILIARY-DISK.qcow2 +500 GB)

Hyper-V Virtual Machine

Base Configuration

One vCPU

1GB vRAM Primary Disk Auxiliary Disk

Prerequisite

Make sure that Microsoft Hyper-V Server 2008/2012 is already installed in your network. For Microsoft Hyper-V Server installation instructions, refer to the Microsoft documentation:

http://technet.microsoft.com/en-us/library/dd283085(v=ws.10).aspx http://technet.microsoft.com/en-us/library/hh831620.aspx


Download and Extract VHD Package: Download the .zip file containing the Sophos Firewall

Manager Virtual Disk and store it in your machine. Connect to Host Server: Open Hyper-V Manager and go to Action > Connect to Server to

connect to the host server on which you want to deploy the VHD template. Provide the IP

Address of the Host Server click OK to continue.

http://technet.microsoft.com/en-us/library/dd283085(v=ws.10).aspx




http://technet.microsoft.com/en-us/library/hh831620.aspx






Create New Virtual Machine, navigate to Action > New > Virtual Machine to launch the “New Virtual Machine Wizard”.

The New Virtual Machine Wizard helps you deploy Sophos Firewall Manager Virtual Appliance, click Next to continue.

Specify a name for the virtual machine.

By default, Sophos Firewall Manager Virtual Appliance is stored on the default folder

configured for the host server. Click “Store the virtual machine in a different location” if

you wish to store the virtual machine at a different location.



Assign vRAM to be used by the virtual machine

Select the Virtual Network Interface from the list.



Select “Use an existing virtual hard disk” to browse to the folder containing Sophos Firewall Manager Virtual Appliance Disk file titled ‘<PRIMARY-DISK.vhd> .



Click Open to open the selected .vhd file.



Click Next to continue to the next step, verify the selected deployment options and click Finish to start the deployment process.

This installs Sophos Firewall Manager Virtual Appliance on your machine.



Attach Auxiliary Disk to the Virtual Machine: before you power on the deployed Sophos Firewall Manager Virtual Appliance, you need to attach the Auxiliary Disk to the virtual machine. Select the newly deployed virtual machine i.e. Sophos Firewall Manager Virtual Appliance

from Microsoft Hyper-V Manager and go to Action > Settings to attach the Auxiliary Disk with the virtual machine.

Go to Hardware > IDE Controller 1 > DVD Drive. You need to remove the “DVD Drive”

to be able to attach Auxiliary Disk to the virtual machine.



Click Remove to remove the “DVD Drive” from “IDE Controller 1” section. You need to

add a “Hard Drive” under “IDE Controller 1” section to be able to mount the Auxiliary

Disk.

Go to Hardware > IDE Controller > Hard Drive and click Add.

You can now mount the Auxiliary Disk VHD file to the newly created Hard Drive. To do

so, go to Hardware > IDE Controller 1 > Hard Drive > Media. Select ‘Virtual hard disk

(.vhd) file’ and click Browse to select the complete path to the AUXILIARY-Disk.vhd file.



Notes:

While attaching the ‘Primary Disk’ to the Virtual Machine, it is mandatory to use following configurations, else the Sophos Firewall Manager Virtual Appliance goes into “KERNEL

PANIC” mode: Select ‘Controller’ as “IDE Controller 0” and ‘Location’ as “0 (in use)” While attaching the ‘Auxiliary Disk’ to the Virtual Machine, it is mandatory to use following

configurations, else the Sophos Firewall Manager Virtual Security Appliance goes into

“FAILSAFE MODE”. Select ‘Controller’ as “IDE Controller 1” and ‘Location’ as “0 (in use)”

Select the Auxiliary Disk titled AUXILIARY-DISK.vhd, .Click Open to continue.



Configure Virtual Network Interfaces

Prerequisite:

It is mandatory to configure at least Four Virtual Network Interfaces. To configure vNICs, go to Hardware > Add Hardware and select the Virtual Network Interface type from available options. Click Add to continue.

For demonstration purpose, we are adding a Network Adaptor.

This adds a Network Adapter to the Virtual Machine.

You can now configure the newly added Virtual Network Adapter as LAN/WAN/DMZ port. Go to Hardware > Network Adapter > Network and select

any port you wish to configure to the selected Network Adapter.



Click OK to configure the selected port to the Network Adapter. Repeat the same procedure to configure at least 3 Virtual Network Interfaces to the Sophos Firewall Manager Virtual Security Appliance.

Connect to the Sophos Firewall Manager Virtual Appliance. Right click the deployed Sophos

Firewall Manager Virtual Appliance from the Microsoft Hyper-V Manager and click Connect to connect to the Virtual Machine. You will come across the following screen:

Click Start icon to Power on the Sophos Firewall Manager Virtual Appliance.



Enter the administrator password i.e. ‘admin’ to continue to the Main Menu of the Sophos Firewall Manager Virtual Appliance.

To increase the Auxiliary disk size from 160 GB to 500 GB turn off the SFM device.



Then go to File > Settings Page open.



Select IDE Controller1 Auxiliary Hard disk and click on edit Tab.

Select Choose action Tab and select Expand to expand the size of disk.



Enter 500 or more can update the size of disk and finish.

You can now start SFM from Start button. You can now setup your device and start using SFM.



First-Time Device setup

A. Activation

a. Open the Web Admin UI from device IP and enter your Serial Number which was sent via email to you and click on Activate Device.

b. You will be redirected to the Sophos End User License Agreement (EULA). You need

to accept the agreement to proceed further.



c. Click I Accept to navigate to the welcome page.

B. Basic Setup

Open the Web Admin UI from device ip and logon using initial credentials admin /admin and click Basic Setup.

Complete the Basic Setup so that device will be able to connect to the Internet for Activation.

Note: To activate device successfully, configure DNS correctly.

C. Device Activation

You should have received an email with the Serial Number on the email address provided while downloading Sophos Firewall Manager.

After Basic Setup is done, enter the Serial Number and click Activate Appliance. Your device will be activated successfully.



D. Device Registration

After activation, click Register Device to register.



E. Synchronize License

After Registration, click Initiate License Synchronization to start license synchronization on the device.



F. Configure Sophos Firewall Manager (SFM)

1. Network Configuration

After License Synchronization, you will see Configure Firewall Manager to

configure your firewall settings.

This will take you to the login screen where you can login using Sophos Firewall Manager default credentials (admin /admin). On login you will land on the Home Dashboard. You can configure basic setup using the Wizard. On the Home Dashboard,

click admin > Wizard to run the Network Configuration Wizard.



Click Start to begin the Wizard and follow the on-screen instructions.

2. Additional Network Setup

Once the wizard is executed successfully you can do the following additional network setup:

Interfaces - Go to System Management > System Settings > Network > Interface. Gateways - Go to System Management > System Settings > Network > WAN Link Manager. DNS settings - Go to System Management > System Settings > Network > DNS.

Static routes - Go to System Management > System Settings > Network > Unicast Route.



Start using Sophos Firewall Manager

A. Understanding the 3 work areas – Device Configuration, Template Configuration &

System Management

On the home dashboard, click the work area selector section, as shown below:

It offers 3 work areas - Device Configuration, Template Configuration and System Management.

The Device Configuration work area allows you to manage policies and configurations of individual or group Sophos Firewall devices.

The Template Configuration work area allows you to create re-usable configuration templates. The System Management work area lets you manage device settings (add device, add device

group, change control, Firewall firmware upgrade), monitoring settings and your SFM

system settings.

B. Add devices to manage

1. Configure Central Management settings on the Sophos Firewall device to be managed, from System > Administration > Central Management (on the SF admin console), as shown in the image below.

2. The request appears in Firewall Manager under Discover in top panel of the Home page. You can view all discovered devices and add the device. You must use the



communication settings specified the in Firewall while adding the device in Firewall Manager.

3. Click to add the device. This will take you to Add Device Wizard.

You must use the same Central Management communication settings as configured in

the Firewall while adding the device in Firewall Manager as shown below:



Note: Alternatively, you can also add a device in from System Management > Device Settings > Managed Devices > Devices, as shown below:

Ensure same settings are applied on Firewall as well.



C. Create Device Group

Create Device Group from System Management > Device Settings > Managed Devices > Device Group based on required grouping criteria.

D. Start Managing Devices

1. Go to Device Configuration. 2. Select the group and filter on view /device to manage. 3. Change Firewall device configuration using the left menu.

E. Templates

Go to Template Configuration. You can add Template by either using configuration of an existing device, cloning an existing

template or creating a fresh template. Change configuration of template as needed.

You can provision template from Template > View Template List by clicking Provision Template.

F. Monitoring

You can click Monitor in the top panel to monitor using the Flat View or Card View for managed devices.

Documents

SFM Getting Started Guide · 2019-03-06 · C. Create Device Group ... While your virtual image is being downloaded, open the mail you received in step 2 asking to activate your account