How the modules work
Threat feeds contain lists of IP addresses, domains, and URLs, which are Indicators of Compromise (IoCs).
Depending on the IoC type, the firewall (through firewall rules), DNS, or IPS module identifies traffic that matches the IoC and takes action.
Firewall modules
The firewall blocks threats through the following modules:
| Malicious traffic | Traffic type | Module |
|---|---|---|
| IP addresses | Traffic to or from IPv4 addresses. | Firewall |
| Domains and URLs | DNS requests when the firewall acts as the DNS server. | DNS |
| Domains and URLs | DNS requests to other servers. | IPS |
| Domains and URLs | Encrypted and decrypted HTTPS. | IPS (DPI engine, using SSL/TLS inspection rules); Web (web proxy) |
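The table above maps each IoC type to the module that acts on it. The following is an added example, not Sophos code, that shows the same dispatch logic in a small matcher: it classifies entries from a constructed feed as IP, domain, or URL, then evaluates constructed traffic events (an IPv4 flow, DNS queries resolved by the firewall or by another server, HTTPS inspected by the DPI engine or the web proxy) and reports which module would act. The subdomain matching in `domain_matches` and the event field names are assumptions for the example, not documented firewall behaviour.

```python
"""Added example (not Sophos code): route threat-feed IoCs to the module that
would act on them, following the page's table (IPv4 -> Firewall, DNS -> DNS
or IPS, HTTPS -> IPS for DPI or Web for the proxy)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed using documentation address ranges, not real IoCs.
SAMPLE_FEED = [
    "192.0.2.10",
    "bad.example.net",
    "https://evil.example.org/payload.bin",
    "http://198.51.100.7/c2",
]


def classify_ioc(ioc: str) -> str:
    """Return 'ip', 'domain', or 'url' for one feed entry."""
    ioc = ioc.strip()
    if "://" in ioc:
        return "url"
    try:
        ipaddress.IPv4Address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, keep the path, so lookups are stable."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


class IocIndex:
    """Feed entries split into the three sets the modules consult."""

    def __init__(self, feed):
        self.ips, self.domains, self.urls = set(), set(), set()
        for entry in feed:
            kind = classify_ioc(entry)
            if kind == "ip":
                self.ips.add(entry)
            elif kind == "domain":
                self.domains.add(entry.lower().rstrip("."))
            else:
                # A URL IoC also contributes its host: an IP host is matched by
                # firewall rules, a domain host by the DNS/IPS modules.
                host = urlsplit(entry).hostname or ""
                if classify_ioc(host) == "ip":
                    self.ips.add(host)
                elif host:
                    self.domains.add(host.lower())
                self.urls.add(normalize_url(entry))

    def domain_matches(self, name: str) -> bool:
        # Assumption for this example: a listed domain also covers its
        # subdomains, so check every suffix of the queried name.
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def url_matches(self, url: str) -> bool:
        return normalize_url(url) in self.urls


def evaluate(index: IocIndex, event: dict):
    """Return (matched, acting_module) for one constructed traffic event."""
    kind = event["type"]
    if kind == "ip_flow":
        if event["src"] in index.ips or event["dst"] in index.ips:
            return True, "Firewall"
    elif kind == "dns_query":
        if index.domain_matches(event["qname"]):
            # Firewall acting as DNS server -> DNS module; otherwise IPS.
            return True, "DNS" if event["resolver_is_firewall"] else "IPS"
    elif kind == "https":
        host = urlsplit(event["url"]).hostname or ""
        if index.url_matches(event["url"]) or index.domain_matches(host):
            # DPI engine (SSL/TLS inspection rules) -> IPS; web proxy -> Web.
            return True, "IPS" if event["inspection"] == "dpi" else "Web"
    return False, None


if __name__ == "__main__":
    idx = IocIndex(SAMPLE_FEED)
    events = [
        {"type": "ip_flow", "src": "10.0.0.5", "dst": "192.0.2.10"},
        {"type": "dns_query", "qname": "cdn.bad.example.net.", "resolver_is_firewall": True},
        {"type": "dns_query", "qname": "bad.example.net", "resolver_is_firewall": False},
        {"type": "https", "url": "https://evil.example.org/other", "inspection": "proxy"},
    ]
    for ev in events:
        print(ev, "->", evaluate(idx, ev))
```

Running the block prints one line per constructed event with the matching result and the module that would act, which makes the table's four rows concrete: the same domain IoC is handled by DNS or IPS depending only on who resolves the query, and the same URL IoC by IPS or Web depending only on the inspection path.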
Security Heartbeat
Synchronized Security supports MDR, Sophos X-Ops, and third-party threat feeds. Active threat response uses Security Heartbeat if you've configured the Security Heartbeat settings in the firewall rules.
Blocks compromised endpoints' traffic
If you have Security Heartbeat configured, Sophos-managed endpoints that try to communicate with a malicious server send a red Security Heartbeat.
The firewall automatically identifies these endpoints and blocks their traffic. It also shows the IoC, host, user, and process information for these endpoints in the logs. See Endpoint threat details.
Isolates compromised endpoints
Lateral movement protection isolates the compromised endpoint, preventing attackers from moving laterally within the network.