Requirements

To implement third-party threat feeds, the firewall requires the appropriate licenses and threat feeds in the supported format.

Licenses

  1. Make sure you have the following licenses:

    1. Sophos Firewall: Xstream Protection Bundle.
    2. Endpoint Protection: Sophos Intercept X if you want Synchronized Security.

    Note

    You can configure third-party threat feeds without the license, but the firewall doesn't implement them. You must have the license to protect your network using third-party threat feeds.

  2. If you want Synchronized Security, do as follows:

    1. In the firewall: Go to the Sophos Central page in the firewall and register the firewall with Sophos Central.
    2. In Sophos Central: Configure Endpoint Protection and lateral movement protection.

      1. To configure Endpoint Protection, see Getting started.
      2. To implement lateral movement protection, see Reject network connections.

Format of threat feeds

Threat feeds must have the following format:

  • Text file format: The threat feed must be a plain text file.
  • One Indicator of Compromise (IoC) per line: Each line must contain a single IoC, such as an IP address, URL, or domain. Don't add any comments or other information.

Example threat feed content:

    103.140.73.49
    103.142.86.221
    103.173.155.111
    103.46.186.148
    104.131.133.129
    104.143.77.12
    104.143.77.8
    104.236.201.22
    104.236.202.98

Important

The firewall only evaluates IoCs based on the Indicator type you specify, such as IPv4 address, even if the threat feed contains IPv4 addresses, domains, and URLs.

So, you must add a different configuration for each indicator type per threat feed.
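
The following Python code is an added example, not Sophos code. It pre-checks a mixed feed against the format rules above and splits it into one list per indicator type, so each list can be published as its own feed with its own configuration. The function names, the domain pattern, the restriction of URLs to http/https, and the sample feed are assumptions made for the example; any line that is not a single IPv4 address, URL, or domain is set aside for review.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname pattern assumed for this example (not the firewall's own parser).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

def classify(line):
    """Return 'ipv4', 'url', 'domain', or None for one feed line."""
    if not line or any(c.isspace() for c in line):
        return None  # blank line, padding, or a comment/extra field
    try:
        ipaddress.IPv4Address(line)
        return "ipv4"
    except ValueError:
        pass
    try:
        parts = urlsplit(line)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url"
    except ValueError:
        return None  # malformed URL
    return "domain" if _DOMAIN_RE.match(line) else None

def split_feed(text):
    """Split a mixed feed into one de-duplicated list per indicator type."""
    feeds = {"ipv4": [], "url": [], "domain": []}
    rejected = []  # (line number, raw line) pairs that need manual review
    for n, raw in enumerate(text.splitlines(), start=1):
        kind = classify(raw)
        if kind is None:
            rejected.append((n, raw))
        elif raw not in feeds[kind]:
            feeds[kind].append(raw)
    return feeds, rejected

# Constructed sample feed (documentation addresses and example domains).
SAMPLE_FEED = """\
192.0.2.10
bad.example.com
http://bad.example.net/payload.bin
203.0.113.5 # inline comment
198.51.100.0/24
*.example.org
192.0.2.10
"""
```

Write each returned list to its own plain text file, one entry per line, and point a separate threat feed configuration with the matching indicator type at each file.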

Support for IoC types

IoC type Supported or not supported
IPv4 addresses
URLs
Domains
IPv4 address ranges
IPv6 addresses
Network addresses
Wildcard domains
Regular expressions