4

How to Install Sophos XG in Proxmox VE for Lab Environment

* This post may have affiliate links. Please see my disclosure 

Follow this guide to deploy Sophos XG in Proxmox V2

Proxmox VE has been around for quite some time and has become a very popular hypervisor option for home lab enthusiasts like myself. It is an amazing open-source platform that comes fully loaded with top-notch enterprise features. It is free to use with no licensing cost.

There are numerous reasons why I love working with Proxmox. The main criteria that made Proxmox my number 1 choice for hypervisor is that it uses KVM and QEMU. I call this “the conventional approach” for virtualization. Because of that, I knew it would be easy to run VMs without compatibility issues, such as the Sophos XG firewall.

Officially, Sophos does not list Proxmox as one of the supported virtualization platforms. However,  XG for KVM is expected to work on most distro-running KVM. The guest OS is not directly aware of what the host OS of the hypervisor is. Proxmox uses the Linux KVM module as part of its base system to run VMs. In other words, Proxmox meets the technical requirements for XG virtual installer for KVM according to Sophos documentation.

Compatibility with Proxmox

As far as licensing for Sophos support is concerned, I will advise you to reach out to the Sophos sales representatives to confirm if the XG for KVM installation on Proxmox will comply with your support licenses. From a technical perspective, everything is compatible. The official Sophos KVM disk packages installers, which come with two QCOW2 disks, are 100% compatible and work fine on Proxmox.

I strongly advise you to clarify the licensing requirement to guarantee support coverage if you decide to deploy this VM for production use.

For my use case, not having support is not much of an issue since I only use this installation for a lab environment. For me, it is not a deal-breaker.

I was surprised how efficiently the system delivers workloads at a very high density and with little overhead. Indeed, I am not running tons of traffic in my Proxmox server (not even close), but compared with other lab experiences that I had in the past, I would say that I couldn’t be happier running my Sophos lab with Proxmox.

The installation process is pretty straightforward, and I am going to breakdown all the steps for you. As for now, I’m going to assume you already have your Proxmox instance ready to deploy and already downloaded the Sophos XG OS for KVM .zip file containing the QCOW2 disks

Creating the Sophos VM

 

1- General: Create a new machine, add the VM ID and name:

General settings

 

NOTE: Make sure to uncheck the advanced checkbox in the lower right corner. Also, keep a note of the VM ID; we will need this for the QCOW2 file to Proximo later

2- OS: Select “Do not use any media” and hit next:
select the OS

3- System: Leave everything as default, and click next:

system settings

4- Hard Disk:  Also leave all as default; we are going to change this later:

hard disk settings

5- CPU and Memory: For these settings, stick with the minimum required by Sophos. For Sophos XG v18:

. 2 vCPU

. 4GB vRAM

2 CPUs

Memory settings

 

6- Network: Select the interface bridge, in my case, is vmbr0. Uncheck the firewall box, and leave the rest as default:
network proxmox settings

NOTE: XG requires a minimum of two interfaces. However, at this stage of the configuration, Proxmox only allows one interface. Most of the time, “net0” is the LAN, and “net1” is the WAN. I like to assign the bridge (vmbr0) and model (VirtIO) and change it after confirming which interface was served by the bridge DHCP.

 

7- Confirm: Confirm and validate the summary, then hit finish:

confirm Proxmox configuration

 

After a few seconds, your VM will be ready. You can also tweak various virtual hardware configurations.

Adjusting the Sophos XG VM virtual Hardware:

 

Adjusting the Sophos XG VM virtual Hardware

 

1-  Detach the Hard disk:

deatach rte Virtual disk

 

2- Afterwards, the disk will show as unused Disk 0, then click on “Remove”:

remove disk

3- Add the second network interface. For now, I will select vmbr0, but I will change this later:

add second interfaceadd second interface vmbr0

NOTE: Similar to the network interface setting, uncheck the firewall checkbox.

 

Import a QCOW2 Into Proxmox

This is the only stage of the process required to use the command line on the Proxmox host. As for now, Proxmox doesn’t allow copying the QCOW2 files directly into the storage location.

To accomplish the next steps, you need to copy both PRIMARY-DISK.qcow2 and AUXILIARY-DISK.qcow2 into Proxmox.

1- Copy the files: In my case, I used SCP through the client to copy over from my local machine to the Proxmox server host, placing the files on the path /var/lib/vz/template/qemu

Do the same process to both files.

2- Confirmed that both files were successfully copied to the path directory:

both files-LS proxmox CLI

3- Use the import image command to add the QCOW2 disks to the VM ID:

qm importdisk <vmid> PRIMARY-DISK.qcow2 <namestoragepool>

In this example, the id is 109:

qm importdisk 190 PRIMARY-DISK.qcow2 WMs

 

When you hit enter, the system will start the import process. The output will look like this:

importantion of qcow2 disks

Repeat the same process to the AUXILIARY-DISK.qcow2 file and then return to the Proxmox GUI.

 

Finishing the Sophos XG VM Configuration

1-  In the web GUI, you now see that the XG VM has 2 unused disk-0 (Primary) and disk-1 (Auxiliary):

qcow2 disk importated

2- To activate them, you need to double click to edit and then add:

activate disk add

Repeat the same action to disk-1 as well.

 

6- Next, select Options > Boot Order and move the device scsi0 vm-109-disk-0 to the #1 in the order list. Hit OK and then start the XG VM.

select disk-0 under options

 

Start the XG VM for the First Time

After this stage, the system will loads up for the first time, and you should be able to see the system details:

Sophos XG VM installation completed

Enter the default password “admin”, and the license agreement will be prompted afterward. If you agree, hit accept, and the XG VM will be good to go.

Hopefully, your XG VM is assigned an IP via DHCP on the WAN interface, allowing you to access the device via webadmin on port 4444 to complete the registration and final installation tweaks.

 

BONUS: By default, the WAN interface is not allowed to access the device via webadmin. In this case, you need to enable the following command via console:

console change

system appliance_access enable

System appliance_access enable

You will be able to connect the Webadmin to complete the registration:

Sophos XG filre Welcome

 

DISCLAIMER: The only reason I enabled “appliance_access” was to complete the registration and initial configuration via the WAN link, as I did not have any device assigned to the LAN network interface yet. As soon you change the network settings on the LAN and connect the workstation on the same LAN network, you can disable this option by running the command:

system appliance_access disable

NOTE: Once you reboot the XG VM, “appliance_access” will automatically switch back to “disable”, which is the default state.

I hope this was helpful. Let me know if you have any questions in the comments.

Juana Melo

I'm a self-taught security network engineer and blogger, sharing everything I'm learning along the way.

4 Comments

  1. Having an issue where I’m not getting a WAN from my modem. Do you think Proxmox is trying to pickup the one public IP Comcast is going to hand me?

    • Does your proxmox server only have one NIC port?if the answer is yes, and the modem has DHCP, most likely the host server itself is taking the IP that the ISP is providing you. If you want to use Sophos as the main router, try to get add extra NIC to your host server to be the WAN port of the XG VM.

  2. You’re amazing. Thank you for posting this extremely comprehensive and easy to follow guide.

Leave a Reply

Your email address will not be published. Required fields are marked *