Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

How the modules work

Threat feeds contain lists of IP addresses, domains, and URLs, which are Indicators of Compromise (IoCs).

Based on the IoC type, the firewall (firewall rules), DNS, and IPS modules enable the firewall to identify the IoC and take action.

Firewall modules

The firewall blocks threats through the following modules:

Malicious traffic Traffic type Module
IP addresses Traffic to or from IPv4 addresses. Firewall
Domains and URLs DNS requests when the firewall acts as the DNS server. DNS
Domains and URLs DNS requests to other servers. IPS
Domains and URLs Encrypted and decrypted HTTPS

IPS (for DPI engine, using SSL/TLS inspection rules)

Web (for Web proxy)

Security Heartbeat

Synchronized Security supports MDR, Sophos X-Ops, and third-party threat feeds. Active threat response implements the Security Heartbeat if you configured the settings in the firewall rules.

Blocks compromised endpoints' traffic

If you have Security Heartbeat configured, Sophos-managed endpoints that try to communicate with a malicious server send a red Security Heartbeat.

The firewall automatically identifies these endpoints and blocks their traffic. It also shows the IoC, host, user, and process information for these endpoints in the logs. See Endpoint threat details.

Isolates compromised endpoints

Lateral movement protection isolates the compromised endpoint, preventing attackers from moving laterally within the network.

More resources