Follow this guide to deploy Sophos XG in Proxmox V2
Proxmox VE has been around for quite some time and has become a very popular hypervisor option for home lab enthusiasts like myself. It is an amazing open-source platform that comes fully loaded with top-notch enterprise features. It is free to use with no licensing cost.
There are numerous reasons why I love working with Proxmox. The main criterion that made Proxmox my number 1 choice of hypervisor is that it uses KVM and QEMU. I call this “the conventional approach” to virtualization. Because of that, I knew it would be easy to run VMs, such as the Sophos XG firewall, without compatibility issues.
Officially, Sophos does not list Proxmox as one of the supported virtualization platforms. However, XG for KVM is expected to work on most distros running KVM. The guest OS is not directly aware of what the host OS of the hypervisor is. Proxmox uses the Linux KVM module as part of its base system to run VMs. In other words, Proxmox meets the technical requirements for the XG virtual installer for KVM according to Sophos documentation.
Compatibility with Proxmox
As far as licensing for Sophos support is concerned, I advise you to reach out to the Sophos sales representatives to confirm whether the XG for KVM installation on Proxmox will comply with your support licenses. From a technical perspective, everything is compatible. The official Sophos KVM disk package, which comes with two QCOW2 disks, is 100% compatible and works fine on Proxmox.
I strongly advise you to clarify the licensing requirement to guarantee support coverage if you decide to deploy this VM for production use.
For my use case, not having support is not much of an issue since I only use this installation for a lab environment. For me, it is not a deal-breaker.
I was surprised how efficiently the system delivers workloads at a very high density and with little overhead. Indeed, I am not running tons of traffic in my Proxmox server (not even close), but compared with other lab experiences that I had in the past, I would say that I couldn’t be happier running my Sophos lab with Proxmox.
The installation process is pretty straightforward, and I am going to break down all the steps for you. For now, I’m going to assume you already have your Proxmox instance ready to deploy and have already downloaded the Sophos XG OS for KVM .zip file containing the QCOW2 disks.
Creating the Sophos VM
1- General: Create a new machine, add the VM ID and name:
NOTE: Make sure to uncheck the advanced checkbox in the lower right corner. Also, keep a note of the VM ID; we will need it to import the QCOW2 files into Proxmox later.
2- OS: Select “Do not use any media” and hit next:
3- System: Leave everything as default, and click next:
4- Hard Disk: Also leave all as default; we are going to change this later:
5- CPU and Memory: For these settings, stick with the minimum required by Sophos. For Sophos XG v18:
. 2 vCPU
. 4GB vRAM
6- Network: Select the bridge interface; in my case, it is vmbr0. Uncheck the firewall box, and leave the rest as default:
NOTE: XG requires a minimum of two interfaces. However, at this stage of the configuration, Proxmox only allows one interface. Most of the time, “net0” is the LAN, and “net1” is the WAN. I like to assign the bridge (vmbr0) and model (VirtIO) and change it after confirming which interface was served by the bridge DHCP.
7- Confirm: Confirm and validate the summary, then hit finish:
After a few seconds, your VM will be ready. You can also tweak various virtual hardware configurations.
Adjusting the Sophos XG VM virtual Hardware:
1- Detach the Hard disk:
2- Afterwards, the disk will show as unused Disk 0, then click on “Remove”:
3- Add the second network interface. For now, I will select vmbr0, but I will change this later:
NOTE: Similar to the network interface setting, uncheck the firewall checkbox.
Import a QCOW2 Into Proxmox
This is the only stage of the process that requires the command line on the Proxmox host. For now, Proxmox doesn’t allow copying the QCOW2 files directly into the storage location.
To accomplish the next steps, you need to copy both PRIMARY-DISK.qcow2 and AUXILIARY-DISK.qcow2 into Proxmox.
1- Copy the files: In my case, I used SCP through the client to copy over from my local machine to the Proxmox server host, placing the files on the path /var/lib/vz/template/qemu
Repeat the process for both files.
2- Confirm that both files were successfully copied to that directory:
3- Use the import image command to add the QCOW2 disks to the VM ID:
qm importdisk <vmid> PRIMARY-DISK.qcow2 <namestoragepool>
In this example, the id is 109:
qm importdisk 109 PRIMARY-DISK.qcow2 WMs
When you hit enter, the system will start the import process. The output will look like this:
Repeat the same process for the AUXILIARY-DISK.qcow2 file and then return to the Proxmox GUI.
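The copy-and-import steps above as a script that checks each file before handing it to qm importdisk; this is an added example, not part of the original post. The function names, the DRY_RUN switch and the expected digests (taken with sha256sum on the machine you copied from) are assumptions; VM ID 109 and pool WMs are the values used in this guide.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and DRY_RUN are
# hypothetical; 109 and WMs are the VM ID and storage pool used in this guide.

# Return 0 if the file starts with the QCOW2 magic bytes "QFI\xfb" (51 46 49 fb).
is_qcow2() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "514649fb" ]
}

# Return 0 if the file's SHA-256 equals the digest recorded before the SCP copy.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Verify one disk, then import it. With DRY_RUN=1 (the default here) the
# command is only printed; set DRY_RUN=0 on the Proxmox host to run it.
import_disk() {
    vmid=$1; file=$2; pool=$3; expected=$4
    is_qcow2 "$file" || {
        echo "refusing $file: not a QCOW2 image" >&2; return 1; }
    sha256_matches "$file" "$expected" || {
        echo "refusing $file: SHA-256 differs from the source copy" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "qm importdisk $vmid $file $pool"
    else
        qm importdisk "$vmid" "$file" "$pool"
    fi
}

# Usage on the Proxmox host, from /var/lib/vz/template/qemu:
#   DRY_RUN=0 import_disk 109 PRIMARY-DISK.qcow2   WMs <sha256-of-primary>
#   DRY_RUN=0 import_disk 109 AUXILIARY-DISK.qcow2 WMs <sha256-of-auxiliary>
```

A truncated or corrupted transfer fails the digest comparison, so the import never runs on a damaged image.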
Finishing the Sophos XG VM Configuration
1- In the web GUI, you will now see that the XG VM has two unused disks, disk-0 (Primary) and disk-1 (Auxiliary):
2- To activate them, double-click each one to edit it and then click Add:
Repeat the same action for disk-1 as well.
6- Next, select Options > Boot Order and move the device scsi0 vm-109-disk-0 to #1 in the order list. Hit OK and then start the XG VM.
Start the XG VM for the First Time
After this stage, the system will load up for the first time, and you should be able to see the system details:
Enter the default password “admin”, and the license agreement will be prompted afterward. If you agree, hit accept, and the XG VM will be good to go.
Hopefully, your XG VM is assigned an IP via DHCP on the WAN interface, allowing you to access the device via webadmin on port 4444 to complete the registration and final installation tweaks.
BONUS: By default, webadmin access to the device is not allowed from the WAN interface. In this case, you need to run the following command on the console:
system appliance_access enable
You will then be able to connect to Webadmin to complete the registration:
DISCLAIMER: The only reason I enabled “appliance_access” was to complete the registration and initial configuration via the WAN link, as I did not have any device assigned to the LAN network interface yet. As soon as you change the network settings on the LAN and connect a workstation to the same LAN network, you can disable this option by running the command:
system appliance_access disable
NOTE: Once you reboot the XG VM, “appliance_access” will automatically switch back to “disable”, which is the default state.
I hope this was helpful. Let me know if you have any questions in the comments.