Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=active-threat-response-manage-third-party-threat-feeds

Manage third-party threat feeds

You can see the storage quota available for threat feeds. You can also see the synchronization errors that may occur when the firewall tries to update the list of Indicators of Compromise (IoCs) from a threat feed.

You can also see the IoCs in a feed.

Summary

  • Go to Active threat response > Third-party threat feeds and see the counters for the following information:

    • Active feeds: The number of active feeds and the total configured feeds.
    • Total threat indicators: The number of IPv4 addresses, domains, and URLs.

    • Storage quota: Disk space used. The allotted space depends on the firewall model. Larger appliances have more disk space than the desktop models. For more information, see Storage limit for third-party threat feeds.

      Even if storage is full, the firewall gets the IoCs at the configured polling interval. It then updates its list if disk space becomes available.

  • Click Refresh to manually update the latest count.

Summary of third-party threat feeds.

See threat indicators

You can search for individual IoCs in a threat feed using the following options:

  • Click Threat indicators under the top menu.
  • Under Total indicators in the threat feed list, click the number for a feed.

Search for individual threat indicators.

Synchronization of feeds

  • Under the Sync status column, see the synchronization status of the threat feed.
  • Under the Manage column, click Synchronize now Synchronize button. to manually synchronize a threat feed. Feeds are automatically synchronized at the polling interval you configure for each.
  • You can turn on or off, edit, and delete a threat feed.

Synchronization statuses

See the synchronization statuses and errors.

Sync status Causes
Authentication error

API authentication failed. Possible causes:

  • Username or password is incorrect.
  • TLS handshake error.
Connection error

Possible causes:

  • Internet connectivity issue.
  • Threat feed's server error.
  • HTTP errors, such as 500, 404, and 302.
Disabled The rule is turned off.
Storage full

The storage is full.

If the firewall doesn't have enough space to store the full list, it shows this error. Desktop firewall appliances may not have enough disk space to store a large threat feed.
SSL/TLS error SSL/TLS certificate issue. See Troubleshoot Active threat response.
Failed Invalid file and other errors. See Troubleshoot Active threat response.
Success Connection or GET request to external URL is successful.
Fetching File download is in progress.

More resources