Requirements
To implement third-party threat feeds, the firewall needs specific licenses, and the feeds must use a specific format.
Licenses
Make sure you have the following licenses:
- Sophos Firewall: Xstream Protection Bundle.
- Endpoint Protection: Sophos Intercept X, if you want Synchronized Security.
Note
You can configure third-party threat feeds without the license, but the firewall doesn't implement them. You must have the license to protect your network using third-party threat feeds.
If you want Synchronized Security, do as follows:
- In the firewall: Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.
- In Sophos Central: Configure Endpoint Protection and lateral movement protection.
  - To configure Endpoint Protection, see Getting started.
  - To implement lateral movement protection, see Reject network connections.
Format of threat feeds
Threat feeds must have the following format:
- Text file format: The threat feed must be a plain text file.
- One Indicator of Compromise (IoC) per line: Each line must contain a single IoC, such as an IP address, URL, or domain. Don't add any comments or other information.
Example threat feed content
103.140.73.49
103.142.86.221
103.173.155.111
103.46.186.148
104.131.133.129
104.143.77.12
104.143.77.8
104.236.201.22
104.236.202.98
Important
The firewall evaluates only the IoCs that match the Indicator type you specify for the feed, for example IPv4 address, even if the feed contains IPv4 addresses, domains, and URLs. Entries of the other types are ignored.
So, if a feed mixes indicator types, you must add a separate threat feed configuration for each indicator type in that feed.
Support for IoC types
IoC type | Supported or not supported
---|---
IPv4 addresses | Supported
URLs | Supported
Domains | Supported
IPv4 address ranges | Not supported
IPv6 addresses | Not supported
Network addresses | Not supported
Wildcard domains | Not supported
Regular expressions | Not supported
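The following script is an added example, not part of the Sophos documentation or the firewall's own code. It applies the format rules above (plain text, one IoC per line, no comments) and the support table to a mixed feed: it splits the usable entries into one list per supported indicator type, so each list can be published as its own feed and configured with the matching Indicator type, and it reports the lines the firewall would ignore (comments, IPv6 addresses, ranges, CIDR networks, wildcard domains, regular expressions). The reason strings, the assumption that URLs carry an http or https scheme, and the sample feed (two addresses from the page's example plus constructed documentation-range values) are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicator types the firewall can evaluate (one feed configuration per type).
SUPPORTED = ("ipv4", "domain", "url")

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(line):
    """Return (type, value) for a usable IoC, or (None, reason) for a line the
    firewall would not evaluate. The reason strings are this example's own
    labels (an assumption), not messages the firewall produces."""
    s = line.strip()
    if not s:
        return (None, "blank")
    if s[0] in "#;":
        return (None, "comment")
    if " " in s or "\t" in s:
        return (None, "multiple tokens on one line")
    # "a.b.c.d-e.f.g.h" ranges are not supported.
    if "-" in s and all(c in "0123456789.-" for c in s):
        return (None, "IPv4 address range")
    # "a.b.c.d/nn" CIDR networks are not supported.
    if "/" in s and "://" not in s:
        try:
            ipaddress.ip_network(s, strict=False)
            return (None, "network address")
        except ValueError:
            pass
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        ip = None
    if ip is not None:
        return ("ipv4", s) if ip.version == 4 else (None, "IPv6 address")
    # Assumption: URLs in the feed are written with an http/https scheme.
    if "://" in s:
        parts = urlsplit(s)
        if parts.scheme in ("http", "https") and parts.hostname:
            return ("url", s)
        return (None, "malformed URL")
    if s.startswith("*"):
        return (None, "wildcard domain")
    labels = s.lower().rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels):
        return ("domain", s.lower().rstrip("."))
    return (None, "regular expression or unrecognised indicator")


def split_feed(text):
    """Split a mixed feed into one de-duplicated list per supported type and a
    list of (line, reason) pairs that the firewall would silently ignore."""
    feeds = {kind: [] for kind in SUPPORTED}
    rejected = []
    for line in text.splitlines():
        kind, value = classify(line)
        if kind is None:
            if value != "blank":
                rejected.append((line.strip(), value))
        elif value not in feeds[kind]:
            feeds[kind].append(value)
    return feeds, rejected


def render(feeds):
    """Render each per-type list in the format the firewall expects:
    plain text, one IoC per line, nothing else."""
    return {kind: "".join(v + "\n" for v in values) for kind, values in feeds.items()}


# Constructed sample: the first two addresses come from the page's example
# feed; the remaining entries use documentation/reserved values made up here.
SAMPLE_FEED = """\
# mixed feed (comment lines are not allowed)
103.140.73.49
104.236.201.22
104.236.201.22
evil.example
http://evil.example/payload.bin
2001:db8::1
10.0.0.0/8
192.0.2.1-192.0.2.50
*.evil.example
^evil\\.example$
103.140.73.49 ; trailing comment
"""

if __name__ == "__main__":
    feeds, rejected = split_feed(SAMPLE_FEED)
    for kind, body in render(feeds).items():
        print(f"--- {kind} feed ---\n{body}", end="")
    for line, reason in rejected:
        print(f"ignored: {line!r} ({reason})")
```

Each rendered list is what you would host as a separate feed URL and register with its own Indicator type; the rejected list is the check to run before publishing, since the firewall gives no indication that an entry of the wrong type or an unsupported type has been skipped.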