Configure third-party threat feeds
You can configure third-party threat feeds to add threat intelligence from external threat feed sources to block traffic related to Indicators of Compromise (IoCs).
IoCs are IP addresses, domains, and URLs involved in attacks. The firewall polls the threat feed source at the interval you configure and maintains an updated list of IoCs.
To configure third-party threat feeds, do as follows:
- Go to Active threat response > Third-party threat feeds and click Add.
- Enter a name.
- Optional: Enter a description.
- Select an action.
  - Block: Logs and blocks threats.
  - Monitor: Only logs threats.
  The firewall evaluates blocked feeds and monitored feeds in the order shown and logs the first match in each list. It blocks traffic based on the first match in the blocked list.
  For more information about logs and log settings, see Logs and alerts for Active threat response.
- Select a position.
  - Top: Positions the threat feed at the top of the list.
  - Bottom: Positions the threat feed at the bottom of the list.
- Select an indicator type.
  - IPv4 address
  - Domain
  - URL
  Important
  The firewall only evaluates IoCs that match the indicator type you specify. For example, if you select IPv4 address, any domains and URLs in the same feed are ignored.
  To use more than one indicator type from a feed, add a separate configuration for each indicator type.
- Enter the external URL where the threat feed file is hosted.
  The file must be a plain-text file with one indicator per line.
  Example threat feed content:
  103.140.73.49
  103.142.86.221
  103.173.155.111
  103.46.186.148
  104.131.133.129
  104.143.77.12
  104.143.77.8
  104.236.201.22
  104.236.202.98
  Note
  The configuration doesn't support IP address ranges, IPv6 addresses, network addresses, wildcard domains, or regular expressions.
- Under Authorization, select the authentication type used to authorize the threat feed updates.
  - No authentication
  - API key
    - Enter the key.
    - Enter the value. Supports up to 64 characters.
    - Select where to add the API key.
      - Header
      - Query parameters
  - Basic authentication
    - Enter the username.
    - Enter the password. Supports up to 64 characters.
- Select Validate server certificate if you want the firewall to validate the threat feed server's certificate.
  If the server uses a publicly signed certificate, go to Certificates > Certificate authorities and make sure the issuing CA certificate is in the firewall's CA certificate list.
  If the server uses a private certificate, upload the issuing CA certificate to the firewall.
- Select a polling interval to synchronize the threat feed.
  Note
  XGS 87(w), 88(w), and 107(w) only support polling intervals of 24 hours, 7 days, and 30 days.
- Optional: Click Test connection to test the connection.
- Click Save.
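As an added example (not part of the Sophos documentation), the following Python script checks a feed file against the format rules in the steps above before you point the firewall at it: for the indicator type you intend to select, it reports which lines the firewall would evaluate, which it would ignore because they are another indicator type, and which are in unsupported forms (ranges, IPv6, network addresses, wildcard domains, regular expressions). The `classify` and `audit_feed` functions and the sample feed are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Plain hostname: dotted labels of letters, digits and hyphens (no wildcard).
DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
# Dashed IPv4 range such as 10.0.0.1-10.0.0.50, which the feed config rejects.
RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")

def classify(line):
    """Return 'ipv4', 'domain' or 'url', or 'unsupported' for rejected forms."""
    s = line.strip()
    if RANGE_RE.match(s) or s.startswith("*."):
        return "unsupported"          # IP range or wildcard domain
    try:
        return "ipv4" if ipaddress.ip_address(s).version == 4 else "unsupported"
    except ValueError:
        pass                          # not a single IP address; keep checking
    if "://" in s:
        u = urlparse(s)
        return "url" if u.scheme and u.hostname else "unsupported"
    try:
        ipaddress.ip_network(s, strict=False)   # 10.0.0.0/8 style network
        return "unsupported"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(s) else "unsupported"  # regex etc. fail

def audit_feed(text, indicator_type):
    """Split feed lines into evaluated, ignored (other type) and unsupported."""
    result = {"evaluated": [], "ignored": [], "unsupported": []}
    for s in filter(None, map(str.strip, text.splitlines())):
        kind = classify(s)
        key = "evaluated" if kind == indicator_type else (
            "unsupported" if kind == "unsupported" else "ignored")
        result[key].append(s)
    return result

# Constructed sample feed: the first two addresses are from the page's example,
# the remaining lines use reserved/example values to exercise each case.
SAMPLE_FEED = """103.140.73.49
104.236.201.22
malicious.example
http://malicious.example/payload.bin
10.0.0.0/8
2001:db8::1
103.140.73.0-103.140.73.255
*.malicious.example
"""
```

Run `audit_feed(SAMPLE_FEED, "ipv4")` to see that only the two IPv4 addresses would be evaluated under an IPv4 address configuration; the domain and URL need their own configurations, and the last four lines need to be rewritten before the firewall can use them.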