Skip to content

MDR threat feeds

Sophos Managed Detection and Response (MDR) service is integrated with the firewall. MDR threat feeds enable Sophos MDR analysts to push real-time threat feeds based on network traffic related to malicious servers.

The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs listed in the MDR threat feeds. The action doesn't need you to configure other rules and policies for the threat feeds.

MDR threat feeds network diagram.

The firewall blocks threats through the following modules:

Malicious traffic Traffic type Module
IP addresses Traffic to or from IPv4 addresses. Firewall
Domains and URLs DNS requests when the firewall acts as the DNS server. DNS
Domains and URLs DNS requests to other servers. IPS
Domains and URLs Encrypted and decrypted HTTPS

IPS (for DPI engine, involving SSL/TLS inspection rules)

Web (for Web proxy)


If you have Synchronized Security, the firewall automatically identifies any Sophos-managed endpoints that may be compromised (attempting to communicate with a malicious server) based on a red Security Heartbeat. It queries the device for additional information, such as the host, user, and process, which helps you determine any Indicators of Compromise (IoC).


  1. Ensure you have the following licenses:

    1. Sophos Firewall: Xstream Protection Bundle
    2. Sophos Central: Sophos MDR
    3. Endpoint Protection: Sophos Intercept X if you want Synchronized Security.
  2. Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.

  3. Configure Sophos MDR. See MDR setup.
  4. If you want Synchronized Security, do as follows in Sophos Central:

    1. To configure Endpoint Protection, see Getting started.
    2. To implement lateral movement protection, see Reject network connections.

Configure MDR in the firewall

You can turn on MDR threat feeds and configure logs and exclusions in the firewall.

Configure MDR threat feeds

  1. Turn on MDR threat feeds for MDR analysts to push the threat feeds to the firewall in real time.
  2. Select the action from the following options:

    • Log only: Only logs the threats.
    • Log and drop: Logs and blocks threats.
  3. Click Apply.

Configure Log settings

To configure log settings, do as follows:

  1. Go to Active threat response > MDR threat feeds.
  2. Click Change the settings.

    It takes you to System services > Log settings.

  3. Under Log settings, make sure MDR and Sophos X-Ops threat feeds is selected for the following:

    1. Local reporting
    2. Central reporting. It appears after you select Send reports and logs to Sophos Central on the Sophos Central page in the firewall.
  4. Click Apply.

Exclusions and logs

  • To exclude an IP address, domain, or URL from being checked, click Add threat exclusions.
  • To go to the Active threat response logs in Log viewer, click Logs.

How to use the logs

  • Go to Log viewer, and select Active threat response to see the blocked threats.
  • If you have Synchronized Security, see the additional information, such as user, host, and process, to take action. See Logging.
  • To ask the MDR analyst about a threat feed, find the audit ID in the logs. They need the ID to identify the feed.

Import, export, and API

You can't import, export, or use API for the following MDR threat feed settings:

  • Turn threat feed on or off.
  • Action

You must configure MDR threat feeds individually for firewalls managed through Sophos Central. You can't import MDR threat feed settings from Sophos Central using Import existing configuration in a new firewall group's initial configuration. Currently, the settings aren't part of the default settings in Sophos Central.

You can import, export, or use API for threat exclusions. The firewall group's threat exclusions in Sophos Central are synchronized when firewalls are added to a firewall group. You don't need to configure these manually.