Manage third-party threat feeds
You can view and manage third-party threat feeds, threat indicators, and storage quota.
Third-party threat feeds summary
Under Summary, you can see the counters for Active feeds, Total threat indicators, and Storage quota.
You can click Refresh to update the counters manually.
Active feeds
Shows the active and total number of configured threat feeds.
Total threat indicators
Shows the total number of indicators and the breakdown by type: IP addresses, domains, and URLs.
Storage quota
Shows the used and available percentage of the allocated storage for third-party threat feeds. The available storage depends on the RAM and disk space per device model. For example, the storage of 1U and 2U models, such as XGS 2100 and XGS 5500, is higher than desktop series models, such as XGS 107(w), because they have more RAM and disk space.
If the storage quota is full, the firewall keeps polling the feeds for Indicators of Compromise (IoC) at the configured polling interval and checks whether storage has become available before storing new indicators.
View threat indicators
To view the configured threat indicators, do as follows:
- Click Threat indicators.
- Under Threat feed, select the threat feed that you want to view. The firewall shows the threat indicators for the selected threat feed.
- Optional: Enter a value in the search box to find a specific threat indicator.
- Click Close.
Manage third-party threat feeds
Under the Total indicators column, you can click the indicator count to go to Threat indicators and view the threat indicators for that feed.
Under the Sync status column, you can see the synchronization status of the threat feed.
Under the Manage column, you can click Synchronize now to manually synchronize a threat feed. You can also turn on or off, edit, and delete a threat feed.
Synchronization status
The following table shows the synchronization statuses and their possible causes.
Sync status | Description
---|---
Success | The connection and GET request to the external URL succeeded.
Authentication error | API authentication failed. Possible causes: incorrect username or password; SSL handshake error.
Connection error | Any other failure. Possible causes: file error; server error; HTTP errors such as 500, 404, and 302.
Disabled | The threat feed is turned off.
Storage full | The storage quota for third-party threat feeds is full.
Fetching | The file download is in progress.
SSL/TLS error | SSL/TLS certificate issue.
Failed | The threat feed update failed.
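Before adding a feed, it helps to fetch it once from a host outside the firewall and see which Sync status you would get, and how many indicators of each type the file contains compared with the Storage quota shown under Summary. The script below is an added example, not Sophos code and not the firewall's own synchronization logic. It performs the GET request with optional basic authentication, maps the outcome onto the Sync status names from the table above, and counts indicators by IP address, domain, and URL. It assumes things the page does not state: that the feed is plain text with one indicator per line and lines starting with `#` as comments, that HTTP 401/403 correspond to the "Authentication error" status, and that the firewall does not follow redirects (the table lists 302 among the connection errors). The sample feed embedded in the script is constructed.

```python
"""Pre-flight checker for a third-party threat feed URL (added example)."""
import base64
import ipaddress
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so a 302 surfaces as an HTTPError, matching the table."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_outcome(exc: Optional[BaseException]) -> str:
    """Map a fetch exception (None for success) onto a Sync status name."""
    if exc is None:
        return "Success"
    # urlopen may raise the SSL error directly or wrap it in URLError.reason.
    reason = exc.reason if isinstance(exc, urllib.error.URLError) and not isinstance(
        exc, urllib.error.HTTPError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "SSL/TLS error"             # certificate issue
    if isinstance(reason, ssl.SSLError):
        return "Authentication error"      # handshake failure, as listed in the table
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code in (401, 403):         # assumption: HTTP auth rejection = bad credentials
            return "Authentication error"
        return "Connection error"          # 500, 404, 302 and other HTTP errors
    if isinstance(exc, OSError):           # DNS failure, refused, timeout: "any other failure"
        return "Connection error"
    return "Failed"


def fetch_feed(url: str, username: str = "", password: str = "",
               timeout: int = 15) -> Tuple[str, Optional[str]]:
    """GET the feed URL; return (sync_status, body or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "feed-preflight/1.0"})
    if username:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except OSError as exc:                 # HTTPError, URLError and SSLError are all OSError
        return classify_outcome(exc), None
    return classify_outcome(None), body


def classify_indicator(value: str) -> str:
    """Assign one indicator to the IP address, domain, or URL counter."""
    try:
        ipaddress.ip_network(value, strict=False)   # plain address or CIDR block
        return "ip"
    except ValueError:
        pass
    if "://" in value or "/" in value:              # scheme or path present
        return "url"
    return "domain"


def count_indicators(feed_text: str) -> dict:
    """Count indicators by type; '#' comment lines and blank lines are skipped (assumption)."""
    counts = {"ip": 0, "domain": 0, "url": 0, "total": 0}
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        counts[classify_indicator(line)] += 1
        counts["total"] += 1
    return counts


# Constructed sample feed (documentation ranges only), not a real feed.
SAMPLE_FEED = """# constructed sample
198.51.100.7
203.0.113.0/24
2001:db8::1
malicious.example
http://malicious.example/path
malicious.example/login
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        status, body = fetch_feed(sys.argv[1], *sys.argv[2:4])
        print("Sync status:", status)
        if body is not None:
            print(count_indicators(body))
    else:
        print(count_indicators(SAMPLE_FEED))
```

Run it as `python feed_preflight.py https://feed.example/indicators.txt [username password]`; with no arguments it counts the embedded sample. If the result is "Connection error" for a URL that works in a browser, check for a redirect first: host the feed at its final URL rather than behind a 302.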
Exclusions and logs
- To exclude hosts, networks, IP addresses, domains, or URLs from being checked, click Add threat exclusions. See Add threat exclusions.
- To go to the Active threat response logs in Log viewer, click Logs.
How to use the logs
- Go to Log viewer, and select Active threat response to see the blocked threats.
- If you have Synchronized Security, you can see additional information, such as the user, host, and process that accessed the IoC. See Logging.
Import, export, and API
You can import, export, or use the API for third-party threat feed settings. The threat feed database (the downloaded indicators) isn't included.
You can also import, export, or use the API for threat exclusions. When a firewall is added to a firewall group in Sophos Central, the group's threat exclusions are synchronized to it automatically, so you don't need to configure them manually.