The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025.

How the firewall implements active threat response

The firewall first implements MDR threat feeds, followed by Sophos X-Ops and third-party threat feeds.

If an IoC exists in all the threat feeds, the firewall takes action based on the following options you select:

  • Log and drop: Drops the traffic, logs the event under MDR, and doesn't check the other threat feeds.
  • Log only or Monitor: Logs individual events for MDR, Sophos X-Ops, and third-party threat feeds.

Note

Go to System services > Log settings and make sure logs for Active threat response are turned on.
