Sophos Xg Aws


XG Firewall is provided as a virtualized security appliance that runs on an Amazon EC2 instance and deploys inline into an Amazon Virtual Private Cloud (VPC) to scan traffic entering and leaving.

This information is provided as-is without any guarantees. If you require assistance with your specific AWS environment, contact Sophos Professional Services.

XG Firewall v18 MR4 – Release Notes & News – XG Firewall – Sophos Community. Enhancements in XG Firewall v18 MR4 High Availability. Improved FastPath performance for Active-Passive pairs; HA support in Amazon Web Services using the AWS Transit Gateway (coming soon to the AWS marketplace) Improved high availability setup and upgrades; VPN.

  1. Go to the Sophos AWS Marketplace Product page and choose which listing you want to use.

    XG Firewall is available for standalone deployment using both the BYOL and PAYG licensing methods. Free trial options are available for both license types.

  2. To subscribe to the software terms, click Continue to Subscribe.
  3. Then click Continue to Configuration.
  4. Choose your configuration options. Under Fulfillment Option, select the CloudFormation Template.
  5. Select your AWS region.
  6. Click Launch, which will redirect you to the AWS CloudFormation console.
  7. On the Create stack page, click Next.

    A CloudFormation template is used to simplify the process of deploying XG Firewall into an AWS account. The AWS Marketplace listing page redirects to the AWS CloudFormation console and starts a stack creation in your region of choice, as shown below.

    All senders of parcel mail are required to complete a Canada Post Customs Declaration Form (iAW Canada Post Guide: International Parcel Air/Surface 43-074-172 also known as CP 72) for each parcel which must be attached to the outside of the respective parcel. Canada post air mail international. Canada Post offers 6 international package and parcel services Light Packet - Maximum weight is 500 g. Maximum dimensions are 380 mm × 270 mm × 20 mm. No delivery time guarantee.

  8. On the Specify stack details page, enter a Stack name.

    If you want to use an existing Virtual Private Cloud (VPC), leave the default parameters. If you want to create a new VPC, accept or change the default parameters for AMI ID, EC2 Instance size, Public Subnet Availability Zone, and Network Prefix.

  9. Enter the required parameters such as the trusted network CIDR used to manage XG Firewall, select the pricing option you wish to use (BYOL or PAYG), and enter the SSH key used for shell access to XG Firewall.
  10. If deploying into an existing VPC, enter the VPC ID, an existing public subnet ID, an existing private subnet ID, and choose to have the template create a new Elastic IP (EIP) or utilize an existing available EIP.
  11. Once all information is entered, click Next to continue.
  12. Click Next and then click Create Stack.

    Stack creation normally takes from five to ten minutes. When stack creation is complete, the status changes to CREATE_COMPLETE, as shown below. The Outputs tab shows the EIP assigned to the XG Firewall. After stack creation, the EC2 instance may need additional time to complete startup before it's ready. You can see the status of the EC2 instance in the EC2 Console. You can see details about the EC2 instance, including its physical ID under the Resources tab.

  13. When the EC2 Instance is running, copy the assigned Public IP and use both https and the web admin port to begin initial configuration: https://PublicIPAddress:4444.

    By default, XG Firewall uses a locally-signed certificate so your browser will show a warning message. Once you go past the certificate warning, you see the Welcome to Sophos XG Firewall page.

  14. Click Click to begin at the bottom of the screen.

    You're then prompted to perform basic configuration.

  15. Set a password for the default admin account used to sign in to the XG Firewall.
  16. Configure a firewall name and choose the time zone.
  17. Register your XG Firewall by taking one of the following actions:
    • Enter an existing XG Firewall serial number.
    • Start a 30-day trial (which will automatically generate an XG Firewall serial number).
    • Migrate an existing UTM 9 license.

    If you start a trial, you're redirected to the Sophos XG licensing portal, where a new serial number is generated.

    1. When complete, click Confirm Registration and Evaluation license.
    2. Click Initiate License Synchronization.

      Once the basic setup is complete, the license details are shown.

  18. If you want to configure advanced settings, click Continue. For AWS deployments, you only need to click Skip to finish.
  • To import the connections from your AWS account, do the following: Log in to Sophos UTM WebAdmin. Go to Site-to-site VPN Amazon VPC Setup. In the Import via Amazon credentials section, enter your Amazon access key.
  • This video walks through how to deploy a Sophos XG Firewall on AWS.Click Show More to view video timestamps and related links-.
  • Sophos Advisory: Customers are not able to access any Central Dashboards due to ongoing Microsoft Azure outage. March 15 Sophos Advisory: Central and Enterprise Dashboard - Some customers are unable to add or edit the 'Custom Rules' section within the Federation Login global setting.
  • In Sophos Central, under Global Settings, go to Forensic Snapshots and enable the toggle for Upload forensic snapshot to an AWS S3 bucket. Make a note of the Account ID and External ID. In Amazon Web Services create the IAM Role: From the Amazon Web Services dashboard go to Identity & Access Management listed under Security & Identity.

XG Firewall is now available in the AWS marketplace with two flexible licensing options:

  • Pay-as-you-go (PAYG) license – ideal for short-term use
  • Bring-your-own license (BYOL) – our conventional multi-year term licenses

AWS customers can take full advantage of the many innovations XG Firewall has to offer, like Synchronized Security with Intercept X for Server, the new Xstream Architecture with high-performance TLS 1.3 inspection, and the latest machine learning threat intelligence and sandboxing protection from ransomware and other advanced threats.

Crucially, it enables customers to manage a multi-cloud security strategy from a single cloud console in Sophos Central; including network security with XG Firewall; cloud workload protection with Intercept X for Server; and cloud security posture management with Cloud Optix.

XG Firewall brings full network security and control to AWS integrated into a single solution:

  • Xstream Deep Packet Inspection (DPI)
  • Intrusion Prevention System (IPS)
  • Web filtering, protection and application control
  • AV and AI machine-learning threat protection and sandboxing
  • TLS inspection with native support for TLS 1.3
  • A full-featured Web Application Firewall

In the coming months we will be extending XG Firewall’s integration into AWS with enhancements like auto-scaling, CloudFormation template support, CloudWatch integration and more.


With XG Firewall now available in AWS as well as Microsoft’s Azure public cloud platform, XG Firewall further extends its industry-leading deployment options with support for any combination of cloud, virtual, software, or XG Series hardware appliances. These options make XG Firewall able to fit any network, both now and in the future.

Learn More about XG Firewall protection for your cloud infrastructure.

Sophos Xg Aws Vpn

AwsDeploy sophos xg on aws

Sophos Xg Aws Vpn Bgp

Getting started resources