Sophos XG Firewall on Hyper-v
The Sophos XG Firewall is a powerful and advanced NextGen Firewall. It works well in a virtualized environment. You can find more info about Sophos XG Firewall here
The XG Firewall runs on Hyper-V as a Gen 1 VM; it supports VLANs in access or trunk mode, and VMQ. You can use up to 8 network adapters. If you need more, use VLAN trunking to create additional interfaces.
There are 2 ways to create an XG Firewall: you can use the ready-to-use VHD files, or you can install it from the ISO.
Only the first method is described in this post.
First, we need to design the network. We need at least 3 network adapters: one for the admin network used for the initial setup, one for the WAN connection and one for the LAN connection.
The first one is used during setup to configure the firewall. It must be on a separate network: the firewall uses 172.16.16.0/24 there, and you must be able to reach this network with a web browser.
The WAN adapter must be bound to a virtual switch with Internet access. It is important that the firewall can reach the Internet during setup, as it is used to register the device.
The LAN adapter can be bound to any virtual switch and configured as you need. But remember, a Hyper-V VM network adapter does not allow multiple MAC addresses on a port by default, so you will have to enable MAC address spoofing on this adapter.
Be aware that the order of the network adapters is important. The first adapter (eth0) is used for the initial setup and the second for external access.
Let's start:
#this script sets up a new XG Firewall
#this is the Hyper-V server used to run the virtual firewall
$ComputerName = "MyHyperVServer"
#the name of the virtual firewall VM
$vmname = "MyNewFirewal"
#the RAM of the firewall, from 1GB to unlimited
$ram = 6GB
#the number of vCPUs, from 1 to unlimited; check your licence
$vmproc = 4
#the path of the VM on the Hyper-V server
$path = "e:\xfSophosFirewall"
#names of the virtual switches used in this example
#the admin vSwitch used for the initial setup and later for admin access
$vswitchadmin = "admin"
#the virtual switch used for external access during the setup and later
$vswtichwan = "Wan"
#the virtual switch used for the internal network
$vswitchlan = "lan"
#the paths of the 2 VHDs (copied from the Sophos ready-to-use VHD package)
$fwPRIMARYVhd = "$path\PRIMARY-DISK.vhd"
$fwAUXILIARYVhd = "$path\AUXILIARY-DISK.vhd"
#create the VM as Generation 1, without a default VHD
New-VM -Verbose -Name $vmname -MemoryStartupBytes $ram -Generation 1 -Path $path -ComputerName $ComputerName
#set the VM processor count
Set-VMProcessor -Count $vmproc -VMName $vmname -ComputerName $ComputerName
#remove the default network adapter so the adapters below are created in the right order (eth0, eth1, eth2)
Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName | Remove-VMNetworkAdapter
#attach the 2 hard drives to the new VM on IDE controller 0 (the Gen 1 VM boots from the primary disk)
Add-VMHardDiskDrive -Path $fwPRIMARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0
Add-VMHardDiskDrive -Path $fwAUXILIARYVhd -VMName $vmname -ComputerName $ComputerName -ControllerType IDE -ControllerNumber 0
#admin/setup interface (eth0)
#I use a VLAN, but you can also use a dedicated network
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchadmin -Name setup
#add the WAN interface (eth1) on the WAN vSwitch, in access mode on VLAN 5
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswtichwan -Name wan
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName wan -Access -VlanId 5 -ComputerName $ComputerName
#add the LAN interface (eth2). It's a trunk interface with a native VLAN; MAC spoofing is enabled so the firewall can present multiple MACs on this port
Add-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -SwitchName $vswitchlan -Name lan
Set-VMNetworkAdapter -ComputerName $ComputerName -VMName $vmname -Name lan -MacAddressSpoofing On
Set-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName lan -Trunk -AllowedVlanIdList "6,7" -NativeVlanId 10
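Before booting the firewall, it is worth checking that the VM really matches the layout above (adapter order, switch bindings, VLAN settings, MAC spoofing only on the LAN side, both disks on IDE 0). The following check script is an added example, not part of the original post; it assumes the same VM name, host name and switch names as the script above.

```powershell
# Added verification script (not from the original post). Reads the VM built above and
# reports every deviation from the expected layout instead of silently booting it.
$vmname       = "MyNewFirewal"     # values from the script above
$ComputerName = "MyHyperVServer"
$expectedSwitch = @{ setup = "admin"; wan = "Wan"; lan = "lan" }
$problems = @()

$vm = Get-VM -Name $vmname -ComputerName $ComputerName
if ($vm.Generation -ne 1) { $problems += "VM is Generation $($vm.Generation), expected 1" }

# Hyper-V presents adapters to the guest in creation order: eth0 = setup, eth1 = wan, eth2 = lan
$nics = @(Get-VMNetworkAdapter -VMName $vmname -ComputerName $ComputerName)
$order = ($nics | ForEach-Object Name) -join ","
if ($order -ne "setup,wan,lan") { $problems += "Adapter order is '$order', expected 'setup,wan,lan'" }

foreach ($nic in $nics) {
    if ($nic.SwitchName -ne $expectedSwitch[$nic.Name]) {
        $problems += "Adapter '$($nic.Name)' is on switch '$($nic.SwitchName)', expected '$($expectedSwitch[$nic.Name])'"
    }
    # MAC spoofing is only required on the LAN port; leaving it on elsewhere widens what the guest may send
    $wantSpoof = if ($nic.Name -eq "lan") { "On" } else { "Off" }
    if ("$($nic.MacAddressSpoofing)" -ne $wantSpoof) {
        $problems += "Adapter '$($nic.Name)' has MacAddressSpoofing=$($nic.MacAddressSpoofing), expected $wantSpoof"
    }
}

# VLAN layout: wan in access mode on VLAN 5, lan trunking VLANs 6,7 with native VLAN 10
$wanVlan = Get-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName wan -ComputerName $ComputerName
if ("$($wanVlan.OperationMode)" -ne "Access" -or $wanVlan.AccessVlanId -ne 5) {
    $problems += "wan VLAN is $($wanVlan.OperationMode)/$($wanVlan.AccessVlanId), expected Access/5"
}
$lanVlan = Get-VMNetworkAdapterVlan -VMName $vmname -VMNetworkAdapterName lan -ComputerName $ComputerName
$allowed = (@($lanVlan.AllowedVlanIdList) | Sort-Object) -join ","
if ("$($lanVlan.OperationMode)" -ne "Trunk" -or $lanVlan.NativeVlanId -ne 10 -or $allowed -ne "6,7") {
    $problems += "lan VLAN is $($lanVlan.OperationMode) native=$($lanVlan.NativeVlanId) allowed=$allowed, expected Trunk native=10 allowed=6,7"
}

# Both VHDs must hang off IDE controller 0, with the primary disk first so the Gen 1 VM boots from it
$disks = @(Get-VMHardDiskDrive -VMName $vmname -ComputerName $ComputerName |
           Where-Object { "$($_.ControllerType)" -eq "IDE" -and $_.ControllerNumber -eq 0 } |
           Sort-Object ControllerLocation)
if ($disks.Count -ne 2) { $problems += "Found $($disks.Count) disks on IDE 0, expected 2" }
elseif ($disks[0].Path -notlike "*PRIMARY-DISK.vhd") { $problems += "First IDE 0 disk is '$($disks[0].Path)', expected PRIMARY-DISK.vhd" }

if ($problems.Count -eq 0) { "VM '$vmname' matches the expected layout" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```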
After the setup, change the admin/setup IP address to fit your admin network. If you forget this step, you may fail to set up another XG Firewall on the same network, as the two devices will both use the default IP 172.16.16.16.
You can also find the script here