Sophos Firewall as Virtual Machine on Proxmox

Video Statistics and Information

Captions
In this video we'll install and configure Sophos Firewall as a virtual machine on Proxmox VE. I'll demonstrate as well a basic network setup with Sophos Firewall managing the network traffic.

First thing we need to do is to go to the sophos.com website to sign up for a free trial and download the firmware. Just type sophos.com in your web browser, and on this main page click Services and Products; under Network click Sophos Firewall, then click Free Trial. This trial is good for 30 days. We just need to fill out this form. I use my Gmail account in here, agree to the terms and click Submit. The evaluation serial number will be sent over to the email address, in my case to my Gmail account. We'll check this out later. Since we are installing this on Proxmox, we can go ahead and download the KVM installer. The KVM installer is a zip file, so we need to extract this once this is done.

Going to my Gmail account, we can find the provided evaluation serial number in here, which will be used for registration. In this email we have instructions for setting up the firewall. One thing to take note of here is that Sophos Firewall by default will utilize Port 1 for LAN and Port 2 for WAN, as I've highlighted in the steps below, so make sure when configuring the network interfaces of this VM that Port 1 goes to LAN and Port 2 goes to WAN.

Here is the extracted folder from the KVM installer zip file, saved on my local computer. The folder contains two files, namely the primary and auxiliary disk, with a qcow2 file extension. I attempted to upload the primary file, hoping it would be the same process that I normally do when uploading an ISO file, but was unable to do so. The upload button is grayed out and there's an error saying wrong file extension. It appeared Proxmox supports uploading an ISO file extension and not a qcow2 file extension.

To upload these qcow2 files we'll go through some process here. Let us access the CLI by clicking the node and selecting Shell. I'm issuing a df -kh command to display the mounted directories. I have a USB flash disk detected as /dev/sda1, and the mounted directory is /mnt/pve/iso_files. This is where all my ISO files are being uploaded into, and I wanted to use this also to store the qcow2 files, but in a different directory, so I need to create a new directory under iso_files to where I can send the qcow2 files over. To get to the iso_files directory I'm issuing this change directory command: cd /mnt/pve/iso_files. We can list all the contents of this directory by typing the ls command. Now I'll create a new directory with the command mkdir and name it qcow. I'll issue the ls command again to verify, and the qcow directory has indeed been created.

How can we transfer these qcow2 files from my local Windows 11 machine to the newly created directory in Proxmox? We'll use SCP, which is included as part of the Windows 11 installation. In File Explorer type CMD in the address bar and press Enter. This will redirect to the Command Prompt window in the same location where the files are. The first command is scp, followed by an asterisk, which is a wildcard meaning any files in the current directory, then the Proxmox user root at 192.168.18.250, the IP address of Proxmox, a colon, then followed by the full path /mnt/pve/iso_files/qcow. There is an authenticity warning, but we'll continue anyways by entering yes. I must have typed it incorrectly and it asked again. I entered yes correctly this time, and will enter the root password of Proxmox. Looks like it's done transferring the files. Back in the shell, cd into the qcow directory and type the ls command to verify the files. We have confirmation that the two files have been uploaded successfully into Proxmox.

Now it's time to create this VM. I'll name this VM SFW, FW short for firewall. Under OS, we're going to select Do not use any media, since we'll not be using an ISO file for this installation. We'll leave the guest OS type and version as it is. Under System we'll leave everything here as the default. Under Disks we'll just go to Next here, since we are going to delete this anyway and replace it with the qcow2 disk files. Under CPU I'll set this to four cores. For the type I'll select host, to make the CPU type the same as the hardware CPU. Under Memory I'll set this to 8 GB. Under Network I'll leave it as it is, as we'll make some changes on this one later. Finish to confirm. Take note of this VMID D16; we'll use this later when importing the qcow2 disks.

We'll go to the Hardware section of this VM and select Hard Disk. We'll be removing this disk by clicking the Detach button. "Are you sure you want to detach this disk?" Select Yes. So this is now an unused disk. Select it and click Remove. Choose Yes to confirm that we want to remove it completely.

How can we then add the qcow2 disk files to this VM? Let us get back to the shell and go to that directory where the qcow2 files are. We'll issue the df -kh command to remind us what directory we should go into. We'll cd into /mnt/pve/iso_files and issue ls to list all the directories or files. Remember that we placed the qcow2 files into the qcow directory. We'll cd into qcow and issue ls again. We are now in the correct directory where the two qcow2 files are located. We'll issue the command qm importdisk, VM ID16, then the primary disk file name (just type PRI and use the Tab key to autocomplete it), then local-lvm, which is the local storage. The command is complete; just press Enter to execute. The primary disk has been successfully imported. We'll do the same command for the auxiliary disk file: qm importdisk, VM ID16, the file name of the auxiliary disk (just use the Tab key to autocomplete), local-lvm. The auxiliary disk is also successfully imported.

We'll jump back now to the VM Hardware section. We now have two unused disks. We'll double-click disk 0 first, select Write back for Cache, check Discard and click Add. We'll do the same for unused disk 1.

Next step is setting up the network adapter. We have one network device here, net0, and it's linked to vmbr0. Is this enough to set up the Sophos Firewall? No, we need at least two interfaces, one for LAN and a second for WAN. Allow me to illustrate what I'm going to set up in here.

This is my mini PC hardware running Proxmox with management IP 192.168.18.250. It has one physical Ethernet port, named enp1s0 by default, and it is physically cabled to a router with gateway 192.168.18.1. I have a physical PC running Windows 11 managing Proxmox on the same 192.168.18.x network. This enp1s0 port is linked to vmbr0; think of this as a virtual switch. You may watch my video about installing the pfSense VM, where I discuss this in detail; refer to the link in the description.

In the Sophos Firewall VM, the first interface, net0 here, will be the LAN side. This IP address, 172.16.16.16, is the default, auto-assigned once this firewall is up and running. This IP will be used for managing the firewall. net0 is linked to vmbr1, which is another virtual switch. I have a Windows 11 VM in here, and net0 of this VM will be linked to vmbr1. From this Windows 11 VM we'll be managing Sophos Firewall on 172.16.16.16. For the second interface, net1, this will be used for the WAN side connection. net1 will be linked to vmbr0. net1 will obtain a DHCP IP address in the 192.168.18.x range provided by the router. Please note that this is just a simulated WAN, as this network 192.168.18.0/24 is still behind the LAN side of the router.

Back in the Sophos Firewall VM Hardware settings, edit the first interface, net0, and change this from vmbr0 to vmbr1. Let me show you where this vmbr1 is created. Let us go to the node and under System click Network. I already have vmbr1 in here, which I created back in my pfSense video. To create a virtual switch, click Create and select Linux Bridge; then you can follow the vmbr naming scheme. I have a total of three virtual switches here: vmbr0, vmbr1 and vmbr2. vmbr0 is linked to the physical port enp1s0 by default. Both vmbr0 and enp1s0 are auto-created in Proxmox. vmbr1 has no association to the physical port; same goes with vmbr2.

Back in the Sophos Firewall VM Hardware settings, we already configured the first interface, net0, for the LAN connection. We'll be adding a second network device and link this to vmbr0 for the WAN connection. We now have two network interfaces: first, net0 is linked to vmbr1 for the LAN; second, net1 is linked to vmbr0 for the WAN. Let us verify in the illustration here: net1 is linked to vmbr0 for the WAN, and net0 is linked to vmbr1 for the LAN.

Before we start this VM we need to change the boot option. Edit the boot order, uncheck ide2 and net0, check the box next to scsi0, which is the primary disk, and click OK. I'm going to start this VM now via the console by clicking the Start Now button. Looks like it completed the first boot successfully, and we have a system detail in here and a password prompt.

We'll now boot up the Windows 11 VM so that we can access the web management of this firewall. Let us make sure net0 of this Windows 11 VM is linked to vmbr1. Let us start this VM. Then, opening Network and Internet settings and clicking Ethernet, we can confirm that this VM has obtained an IP address via DHCP, with an IPv4 address of 172.16.16.17. Let us open the Edge browser and access the firewall web management by typing https://172.16.16.16:4444. We're getting "Your connection isn't private" because of the self-signed certificate from the firewall. We'll click Advanced and continue.

All right, we got the Welcome to Sophos Firewall page here. Check the box to accept the terms and click Start setup. First in the setup is creating a new admin password. I'll uncheck Install the latest firmware for now and click Continue. Create a storage master key; this is for added protection, securing the stored account and password in the firewall. Check the box that you have stored the master key in a secured location and click Continue. Next is to name the firewall and select the correct time zone. Next is to register the firewall. Enter in here the evaluation serial number that was provided to us in the email earlier.

Next step is to claim the firewall, which requires a Sophos Central account. You can sign up for a Sophos Central account for a free trial as well. I already have one created. I'll click on Claim in Sophos Central. Enter the email address that you used to sign up for the Sophos Central account. Enter the verification code; this verification code is set up when signing up for a Sophos Central account. Claim this firewall with the 30 days Xstream Protection, web server protection and email protection evaluation license. Once claiming is done in Sophos Central, we have this list of evaluation licenses or subscriptions activated for 30 days. This includes the base firewall for stateful firewall, VPN, wireless; network protection for IPS and other stuff here; web protection, web security, application control, web malware protection; zero-day protection; central orchestration; email protection; web server protection. Looks like we have a lot of features we can play with and test on this firewall.

Next is to set up LAN. Port A is by default designated for LAN. Port A is the first network interface in the VM; this is net0. We leave this gateway in route mode. I'll leave the IP addressing as it is, with DHCP enabled. We can check these boxes to enable protection, but I'll leave them unchecked for now. Next is to set up an email address for sending notifications and backups. I do want to set up configuration backup for now. Fill out an email address in here for sending notifications. We have reached the configuration summary and we'll just click Finish in here. It's applying the configuration and the firewall will restart.

After the firewall has restarted we are now prompted to log in. The username here will be admin. We are now in the main dashboard. We have a popup message saying we can use Sophos Central to manage the firewall. We'll select No for now. Let us go to Rules and policies. This is where we can find the firewall rules. I'll click this default firewall rule to take a look at what is configured in here. We can see the rule name in here, and the action is Accept. Source zone is LAN, source network is Any, destination zone is WAN, going to the internet, and destination network is Any. There is an option to add a web policy, apply web category traffic shaping, block QUIC protocol, scan HTTP and decrypt HTTPS, use zero-day protection, scan FTP for malware. There are also security features to add: application control, traffic shaping and IPS, and scan email content as well. There are so many types of protections and features we can enable inside this firewall. I'll cancel out of this; we will not change any settings for now.

Let's see if this Windows 11 VM, which is in the LAN zone, can get to the internet. I'll open a new tab in here and go to google.com. Sure, surely this Windows 11 can get to the internet. To prove that it's the firewall rule that is allowing the traffic, I'll turn off this default firewall rule and let us test. Switch this button from on to off. The firewall rule that we just turned off is now grayed out. Let's see if we can still reach google.com. Trying to refresh the page here, looks like it's not connecting now to google.com. I'll open a new tab and try google.com again. After some time it says it can't reach the page. Turning on this default firewall rule will allow the web browsing back again.

Now I'll add Server 2022 into this network setup and place this in the DMZ. We'll add a virtual switch, vmbr2. We need to add a third network adapter on this Sophos Firewall VM, which will be net2, and it will be connected to vmbr2. Server 2022 VM net0 will connect to vmbr2. This will be our DMZ. The network address on this DMZ is 10.10.10.0/24. We'll assign an IP address of 10.10.10.1 on this net2 interface. There are two things that I wanted to achieve here. First, I wanted Server 2022, which is in the DMZ zone, to be allowed to access the internet. Second, I wanted this Windows 11 VM to be allowed to access Server 2022.

Going now to the Server 2022 VM Hardware settings, ensure net0 is linked to vmbr2. In the Sophos Firewall VM, we'll add another network device and link this to vmbr2 for the DMZ. Back to the Windows 11 VM, where we are managing the Sophos Firewall web admin, go to Network. Under Interfaces we have Port A and Port B. Port A is for the LAN zone with the assigned IP 172.16.16.16. Port B is for the WAN zone with a DHCP-acquired IP 192.168.18.113. It appeared adding a network adapter in the VM while the VM is still powered on does not reflect right away in the web admin. If we go to the Sophos Firewall VM console, it still shows two for the total number of interfaces. After rebooting the VM we now have a total number of three interfaces. We just need to refresh the browser here, log in back to the admin and go to Network. We now have a third interface, Port C, which is unbound. To configure this interface for the DMZ, just click on Port C, select DMZ for the network zone, and assign a static IP of 10.10.10.1 with a /24 subnet mask, as planned. Save the configuration and update the interface. Port C is now assigned to the DMZ; the status is connected, with IP address 10.10.10.1.

Next, set up DHCP for the DMZ network. Go to DHCP. We have a default DHCP for the LAN, Port A. We'll add another DHCP server for the DMZ. I'll just name it sdmz and select interface Port C. For the pool, I'll start at 10.10.10.100, with the ending IP at 10.10.10.200. I'll leave Use the interface IP as gateway checked, which is 10.10.10.1. I'll leave the DNS IP the same as the gateway IP, then click Save. This DHCP server for the DMZ on Port C, with a pool of IP addresses, is enabled.

Now let's start this Server 2022 VM. Looks like it detected a network; I'll click Yes here. The network icon at the bottom right says no internet access, though. When examining the network connection details, it appears this VM obtained an IP address via DHCP of 10.10.10.100. The gateway is also correct, pointing to 10.10.10.1, same with the DNS IP. When going to google.com, it does not load the page. What do you think is missing in here? Is it the firewall rule? Let us check the firewall rules then, by going to Rules and policies. We have a group in here, and let us expand this. Under Traffic to WAN the firewall rule is grayed out, or turned off. Under Traffic to DMZ it is also turned off. Same goes for Traffic to internal zones. There are only two enabled firewall rules in here. The first one, with the name Auto added firewall policy for MTA, is for SMTP and SMTPS, or email traffic. The second enabled firewall rule is for traffic from the LAN zone to the destination WAN zone and any service. Any service means any ports or protocols, including HTTP, HTTPS, DNS, ICMP, etc. We can conclude there is no firewall rule matching traffic from the DMZ going to the WAN.

We'll go ahead and create a new firewall rule. I'll enter DMZ for the rule name. The action is Accept by default. For rule position, I'll place this at the top. I don't want this to be under a rule group; select None. For source zone select DMZ. Leave this as Any for the source networks and devices. For destination zone select WAN. For destination network leave it as Any. For services leave this as Any as well, then click Save. Here is the firewall rule that I named DMZ, at the very top. This rule, again, is for traffic coming from source zone DMZ to destination zone WAN and any service.

Let us go back to Server 2022 and verify if it can reach google.com this time or not. Still can't access Google's page, and it says DNS address could not be found. We can see there is some traffic usage on this DMZ firewall rule, which means it's matching this rule. I'll open Command Prompt here in Server 2022 and try pinging google.com. It is not resolving to an IP address. It must be a DNS issue then. Going to Administration and Device access, for the DMZ, DNS is unchecked; however, DNS is checked for the LAN. Let us check this DNS box for the DMZ and click Apply. Going back to the Server 2022 VM and re-entering google.com, the page is now reachable, and in the Command Prompt google.com is pingable with a resolvable IP. We have achieved the first goal of allowing this Server 2022 to reach the internet.

Before we jump into the second goal, which is to allow the Windows 11 VM in the LAN to reach Server 2022 in the DMZ, let me update this network topology first. 172.16.16.17, from Windows 11, will be allowed to reach the server on 10.10.10.100. We'll just test the connectivity via the ping command. In the Windows 11 VM, let us now try to ping 10.10.10.100. It is timing out, 100% loss. The firewall must have dropped the traffic, since there is no rule for it. In Rules and policies we'll add a new rule in here. I'll name this LAN to DMZ. I'll put this rule at the top position. Rule group will be None for now. The default action is Accept, which means allow or pass. For the source zone we'll select LAN. For the source networks and devices leave it as Any. For the destination zone select DMZ. I leave Any for both destination networks and services, then save. The LAN to DMZ firewall rule is now configured. This rule means any network coming from the LAN going to any network in the DMZ, with any service, will be allowed.

Let's try to ping again, and it's still getting timed out. Let us examine Device access to see if ping is allowed. Go to Administration and click the Device access tab. For the LAN, Ping is checked; for the DMZ it is not. We'll check this box then to allow ping, then Apply and OK. Let's do the ping test again. The ping is still getting timed out. I suspect that Server 2022 is not allowing ICMP. Let's try to ping it from the firewall itself. Go to Diagnostics; under Tools go to the Ping section in here, enter the Server 2022 IP 10.10.10.100, select interface Port C and click Ping. It is not reachable as well, 100% packet loss. We can say it must be the server itself not accepting ICMP.

We'll go to Server 2022 and add a rule that will allow ICMP inbound. Open Server Manager, and under Tools look for Windows Defender Firewall with Advanced Security. We'll be creating a new rule under Inbound Rules. We'll select Custom rule, select All programs, and for protocol type select ICMPv4. Leave the local and remote IP addresses as Any, and be sure to select Allow the connection. I'll leave it as it is, naming this rule Allow ICMP, and click Finish. Going back now to the Windows 11 VM to verify whether ping can reach the server or not. This time it is reachable, so we have achieved our second goal, that the Windows 11 VM can reach Server 2022.

Thanks for staying with me if you have reached this far in this video. If this is helpful in any way, kindly consider subscribing. In the next video I'll probably virtualize another firewall or, if not, install the GNS3 VM. Until then, take care and see you in the next video.
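
The three separate checks the walkthrough above runs into (a firewall rule for forwarded traffic, device access for services on the firewall itself, and the server's own inbound firewall), modelled as an added example that is not code from the video or from Sophos. It is a simplified model: the rule name "default LAN to WAN", the service labels and the class names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FIREWALL = "firewall"  # pseudo-zone: the packet is addressed to the firewall itself


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str = "any"
    enabled: bool = True


@dataclass
class Policy:
    rules: list           # evaluated top-down, first enabled match wins
    device_access: dict   # zone -> local services (dns, ping) the firewall answers
    host_inbound: dict = field(default_factory=dict)  # host IP -> services its own firewall allows

    def check(self, src_zone, dst_zone, service, dst_host=None):
        """Return (allowed, layer), where layer names the component that decided."""
        if dst_zone == FIREWALL:
            # Services terminating on the firewall are governed by device access,
            # not by the zone-to-zone rules.
            return service in self.device_access.get(src_zone, set()), "device-access"
        match = next((r for r in self.rules
                      if r.enabled and r.src_zone == src_zone
                      and r.dst_zone == dst_zone
                      and r.service in ("any", service)), None)
        if match is None:
            return False, "no-firewall-rule"  # nothing matched: dropped
        if dst_host is not None and service not in self.host_inbound.get(dst_host, set()):
            return False, "host-firewall"     # forwarded, but the server drops it
        return True, match.name


def walkthrough():
    """Replay the troubleshooting order from the transcript on constructed state."""
    p = Policy(rules=[Rule("default LAN to WAN", "LAN", "WAN")],
               device_access={"LAN": {"dns", "ping"}, "DMZ": set()})
    server = "10.10.10.100"
    out = [p.check("DMZ", "WAN", "https")]              # no DMZ rule yet
    p.rules.insert(0, Rule("DMZ", "DMZ", "WAN"))        # rule added at the top
    out.append(p.check("DMZ", "WAN", "https"))          # forwarding now allowed
    out.append(p.check("DMZ", FIREWALL, "dns"))         # resolver is 10.10.10.1: blocked
    p.device_access["DMZ"].add("dns")
    out.append(p.check("DMZ", FIREWALL, "dns"))
    out.append(p.check("LAN", "DMZ", "ping", server))   # no LAN to DMZ rule
    p.rules.insert(0, Rule("LAN to DMZ", "LAN", "DMZ"))
    p.device_access["DMZ"].add("ping")                  # has no effect on forwarded ping
    out.append(p.check("LAN", "DMZ", "ping", server))   # server firewall drops ICMP
    p.host_inbound[server] = {"ping"}                   # Allow ICMP inbound rule
    out.append(p.check("LAN", "DMZ", "ping", server))
    return out


if __name__ == "__main__":
    for allowed, layer in walkthrough():
        print("ALLOW" if allowed else "DROP ", layer)
```

The layer returned with each result is the place to look next, which is the order the transcript follows: rule list first, then Device access, then the Windows firewall on the server.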
Info
Channel: Practical Kri
Views: 1,282
Keywords: virtualizing sophos firewall, how to virtualize sophos firewall, virtualizing sophos firewall on proxmox, installing sophos firewall on proxmox, guide for virtualizing sophos firewall, sophos firewall as virtual machine on proxmox
Id: 86xl2c-S9vc
Length: 34min 46sec (2086 seconds)
Published: Fri Apr 05 2024