Sophos Firewall Guide

Use this guide to add the Cybora feed to Sophos Firewall using Active Threat Response and third-party threat feeds.

Requirements

  • Sophos Firewall 21.0 or later.
  • Xstream Protection bundle, which Sophos lists as the required license for third-party threat feeds.
  • For domain and URL feeds, make sure the required firewall settings are in place, including the relevant firewall rule, application classification or IPS policy, and HTTPS decryption / SSL/TLS inspection where needed.
  • We also recommend enabling Active Threat Response logging for easier validation and troubleshooting.

Steps

  1. Go to Protect > Active threat response > Third-party threat feeds.

  2. Add a new third-party threat feed.

  3. Enter a name and add your Cybora feed URL.

  4. Select the correct indicator type, such as IPv4 address, Domain, or URL.

  5. Choose the action for matching traffic. You can start in monitor mode if you want to validate the feed before enforcing it; however, we recommend blocking from the start so that malicious IPs, domains, or URLs are blocked immediately.

  6. Set the polling interval to match your Cybora plan exactly. Do not query the feed more often than your plan allows: only one request is permitted within the allowed interval, and excessive polling may cause the feed to be blocked.

  7. Save the feed and assign it to the relevant policy or rule set where required.
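
The two settings most often got wrong in the steps above are the indicator type (step 4: a feed must contain a single type, matching what you select) and the polling interval (step 6: one request per plan interval). The script below is an added example, not part of this guide or of Sophos or Cybora tooling: it classifies every entry of a feed as IPv4 address, Domain, or URL so you can confirm the feed is homogeneous before selecting the type, and it includes a small poll guard that refuses a fetch until the plan interval has elapsed. The feed contents and the 3600-second interval are constructed for illustration; substitute your own feed and the interval from your Cybora plan.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample feed (not real Cybora data). Comment lines and blanks are ignored.
SAMPLE_FEED = """\
# constructed example feed
203.0.113.10
evil.example.com
http://bad.example.net/payload.bin
not a valid indicator
"""

# Hostname syntax: dot-separated labels, alphanumeric plus hyphen, TLD of letters.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify(indicator: str) -> str:
    """Return 'IPv4 address', 'Domain', 'URL', or 'invalid' for one feed entry.

    The labels mirror the indicator types listed in step 4. IPv6 literals are
    reported as invalid because this guide only covers IPv4 feeds.
    """
    value = indicator.strip()
    try:
        addr = ipaddress.ip_address(value)
        return "IPv4 address" if addr.version == 4 else "invalid"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        # A URL indicator needs at least a host part after the scheme.
        return "URL" if urlsplit(value).netloc else "invalid"
    return "Domain" if _DOMAIN_RE.match(value) else "invalid"


def summarize(feed_text: str) -> dict:
    """Count indicator types in a feed, skipping blank and '#' comment lines."""
    counts = Counter()
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        counts[classify(line)] += 1
    return dict(counts)


def single_type(feed_text: str):
    """Return the one valid indicator type in the feed, or None if it is mixed or empty."""
    kinds = [k for k in summarize(feed_text) if k != "invalid"]
    return kinds[0] if len(kinds) == 1 else None


class PollGuard:
    """Allow at most one fetch per plan interval (step 6).

    interval_s is an assumed value; take the real interval from your Cybora plan.
    Timestamps are plain epoch seconds so the guard can be tested deterministically.
    """

    def __init__(self, interval_s: float):
        self.interval_s = interval_s
        self.last_poll = None

    def wait_seconds(self, now: float) -> float:
        """Seconds remaining before the next fetch is permitted (0 if allowed now)."""
        if self.last_poll is None:
            return 0.0
        return max(0.0, self.interval_s - (now - self.last_poll))

    def try_poll(self, now: float) -> bool:
        """Record a fetch if the interval has elapsed; otherwise refuse it."""
        if self.wait_seconds(now) > 0:
            return False
        self.last_poll = now
        return True


if __name__ == "__main__":
    import time

    print("indicator types:", summarize(SAMPLE_FEED))
    print("homogeneous type:", single_type(SAMPLE_FEED))
    guard = PollGuard(interval_s=3600)  # assumed one-hour plan interval
    print("first poll allowed:", guard.try_poll(time.time()))
    print("second poll allowed:", guard.try_poll(time.time()))
```

Run it against a downloaded copy of your feed: if `single_type` returns None, the feed mixes types (or contains entries the firewall will not parse) and should be fixed or split before you pick a type in step 4. The `PollGuard` logic is the rule from step 6 expressed in code; if you script any out-of-band fetches for validation, gate them the same way so your own checks do not consume the single request allowed per interval.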

Version note

On Sophos Firewall 21.x, Active Threat Response does not match the source IP address for some inbound traffic types, including DNAT and WAF traffic.

Starting with Sophos Firewall 22.0, Sophos documents source IP matching for inbound forwarded traffic such as DNAT and WAF. This improves threat feed coverage for these scenarios.

Validation

Confirm that the feed syncs successfully and that matches appear in the Active Threat Response logs. If you use domain or URL feeds over HTTPS, also verify that decryption and the required rule settings are configured correctly so the firewall can identify the traffic as expected.