Deploy Sophos Firewall on VMware vCenter

A virtual SFOS (Sophos Firewall Operating System) can run on many hypervisors, including VMware.

In this post, I will show you step by step how to deploy a virtual SFOS on VMware vCenter.

The Process

• Download the ZIP file for the SFOS version you want to deploy from Sophos.

There are two locations where you can download the Sophos firewall files. The first is the Sophos Firewall Installers page, and the second is the Sophos Knowledge Base Article KBA-000007972.

• Extract the ZIP file contents.

Inside the ZIP, there are a few files. The files we care about are sf_virtual_vm8_paravirtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

The sf_virtual_vm8_paravirtual.ovf is the most important because it supports VMXNET 3.

• In VMware vCenter, right-click the cluster or host you want to deploy SFOS to, and click Deploy OVF Template.

• Select Local file and click Upload Files.

The Sophos documentation instructs you to select the manifest file sf_virtual.mf, the OVF file you want to use, and the VMDKs. This process only work if you are using the sf_virtual.ovf OVF file.

If you use the manifest file sf_virtual.mf with any OVF other than sf_virtual.ovf, the vCenter checksum verification will fail, and you can not proceed.

If you open the manifest file sf_virtual.mf with notepad, you see that it only contains the checksums for sf_virtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

This explains why the vCenter checksum verification fails when you select any OVF other than sf_virtual.ovf.

We don’t want to use the OVF sf_virtual.ovf because it uses the Vlance network adapter, which is an emulated version of the AMD 79C970 PCnet32 LANCE NIC, a 10 Mbps NIC.

To get around this issue, we will skip selecting the manifest file sf_virtual.mf.

• Select sf_virtual_vm8_paravirtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk, then click Open.

• Click Next.

• Give the VM a name that will be displayed in vCenter, select where you want the SFOS VM deployed in your vCenter, and click Next.

In my example, I will name it DXT-SF-FW01 and select the location named Datacenter.

• Select the cluster or host where you want to run the SFOS VM, then click Next.

In my example, I will select the G10 cluster.

• Review the details and click Next.

• Select where to store the SFOS VM configuration and disk files, then click Next.

In my example, I will select the storage MSA-DS-Cluster.

• Select the network to use, then click Next.

The SFOS OVF will create 3 network adapters connected to the network you select.

In my example, I will select corp-LAN.

• Review the configuration. If everything looks good, click Finish.

• Wait while vCenter deploys the SFOS VM.

• Once vCenter has completed the deployment, locate it in vCenter and Power On the SFOS VM.

That’s all it takes to deploy a virtual SFOS (Sophos Firewall Operating System) on VMware vCenter.

The next step is to complete the initial SFOS setup, my blog post, Sophos Firewall Initial Setup, goes into detail on the process.

If you want to read more about deploying a virtual SFOS to VMware vCenter, here is the Sophos documentation.