Configure NDR Essentials
NDR Essentials uses machine learning to analyze the traffic going through your firewall and to detect indicators of compromise (IoCs). The types of IoCs NDR Essentials detects are IP addresses and domains. It then assigns them a threat score and logs the events.
Requirements
The requirements are as follows:
- You must have an XGS device. All XGS Series firewalls, including the Gen.1 and Gen.2 firewalls, are supported.
Note
NDR Essentials doesn't support the following deployments:
- Cloud, virtual, and software appliances. The feature doesn't appear on these firewalls.
- Active-active HA. The feature is grayed out for these deployments.
- You must have an Xstream Protection Bundle license.
- To log the IoCs detected by NDR Essentials, make sure the firewall rule, DNS, IPS, and decryption features are configured. See Firewall configurations for threat feeds.
Summary
The summary widget at the top of the page shows the number of monitored traffic flows, and the number of unique IoCs NDR Essentials has identified and grouped by the threat score.
NDR Essentials uses the first connection's details to identify the IoC. The firewall then adds the IoC to the list. When the IoC is on the list, the firewall can then generate logs, send notifications, and create reports whenever subsequent network traffic is detected that's related to that IoC.
Configure NDR Essentials
You can turn on NDR Essentials and configure logs and exclusions in the firewall.
Do as follows:
- Turn on NDR Essentials.
- In Interfaces, add the interfaces from which NDR Essentials should identify new IoCs. Do as follows:
  - Click Add new item.
  - Select your interfaces.
  - Click Apply selected items.
  We recommend you select the interfaces over which most of your internet traffic flows or that carry the risk of communicating with Command and Control (C2) servers, for example, LAN requests to external resources. For more information, see Interfaces.
- Select the Data center location to which your traffic is sent for analysis. By default, the system selects the lowest latency region.
Note
When you change the data center location, you may lose the analyses that are in progress.
- Select the Minimum threat score at which the firewall detects and logs threats. The default setting is High risk (Score 9 and 10) - Recommended.
- Under Action, the option is set to Log threats, because NDR Essentials currently only detects and logs threats. Go to System services > Log settings, and make sure logging is turned on for Active threat response. For more information about logs, see Log settings.
- Click Apply.
Tip
You can create a firewall rule to block IoCs. Add the IoCs under Destination networks. See Block IoCs.
Note
The number of IoCs stored depends on the appliance size. Larger appliances can store more IoCs.
Interfaces
You can only select the following types of network interfaces, and only if they belong to the LAN, DMZ, or a custom zone:
- Physical interfaces
- VLAN over physical interfaces
- Link Aggregation Groups (LAG)
- Bridge interface members
Note
- If you don't add any interfaces, NDR Essentials won't identify any new IoCs. However, the firewall will still take action based on IoCs that NDR Essentials has already detected.
- If you unbind an interface from a zone, it's removed from the list of interfaces monitored for NDR Essentials analysis.
Note
The following interfaces aren't supported by NDR Essentials:
- RED interfaces
- XFRM interfaces
- VLAN over LAG
- VLAN over bridge
- Dedicated management interfaces
Select the interfaces over which most of your internet traffic flows or carries the risk of communicating with Command and Control (C2) servers, for example, LAN requests to external resources.
By monitoring these key interfaces only, you can more effectively identify and respond to security threats, without having to analyze traffic across your entire network infrastructure.
The interface list doesn't show WAN interfaces. The firewall only needs to monitor one side of the traffic to identify IoCs.
Note
NDR is supported only on the LAN, DMZ and custom zones. NDR isn't supported on the WAN or Wi-Fi zone.
Block IoCs
You can create a firewall rule to block the IP addresses and domains identified by NDR Essentials.
- Find the IoCs that NDR Essentials identified. Do as follows:
  - Connect to your firewall's backend using SSH, with its IP address.
  - Type 5, then 3, to access the advanced shell.
  - Type cd /content/ndr to go to the NDR folder.
  - Type cat threatfeed.json to open the threat feed file.
  The advanced shell is an unrestricted shell on the appliance. Use it only to read the file; don't edit it, because the firewall maintains it.
- Create an IP or FQDN host for each identified IoC.
- Create a firewall rule to block each IoC. Set the destination as the IP or FQDN host you created for the IoC.
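The feed can hold many IoCs, and each one has to be sorted into an IP host or an FQDN host and filtered against the minimum threat score before it's worth adding to a blocking rule. The script below is an added example, not Sophos code or a documented API: it reads a feed, keeps the indicators at or above the High risk band (scores 9 and 10), classifies each as an IP address or a domain, and prints the hosts to create. The page doesn't show the layout of threatfeed.json, so the JSON shape used here (an "indicators" list with "ioc", "score" and "threat" keys) is an assumption, and the sample feed is constructed; adapt load_feed() to whatever cat threatfeed.json prints on your firewall. It also reproduces the substring search behaviour described under Threat indicators.

```python
import ipaddress
import json

# Constructed sample in the shape this example ASSUMES for
# /content/ndr/threatfeed.json. The real file's layout isn't shown on the
# page, so adapt load_feed() to what `cat threatfeed.json` prints.
SAMPLE_FEED = json.dumps({
    "indicators": [
        {"ioc": "203.0.113.77", "score": 10, "threat": "C2 beacon"},
        {"ioc": "malware-update.example", "score": 9, "threat": "Malware download"},
        {"ioc": "198.51.100.8", "score": 7, "threat": "Suspicious scanner"},
        {"ioc": "2001:db8::1", "score": 9, "threat": "C2 beacon"},
        {"ioc": "not a host", "score": 10, "threat": "Malformed entry"},
    ]
})

# Lower bound of the UI's "High risk (Score 9 and 10) - Recommended" band.
HIGH_RISK_MIN = 9


def classify_ioc(value):
    """Return 'ip', 'fqdn' or None for an IoC string.

    The firewall needs an IP host for addresses and an FQDN host for
    domains, so each IoC is classified before a rule is built.
    """
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    # Minimal FQDN check: two or more labels of letters, digits and
    # hyphens, with no label starting or ending in a hyphen.
    labels = value.split(".")
    if len(labels) >= 2 and all(
        label
        and all(c.isalnum() or c == "-" for c in label)
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    ):
        return "fqdn"
    return None


def load_feed(text):
    """Parse the feed text into (ioc, score, threat) tuples."""
    data = json.loads(text)
    return [(e["ioc"], int(e["score"]), e.get("threat", ""))
            for e in data["indicators"]]


def select_block_hosts(feed, min_score=HIGH_RISK_MIN):
    """Keep IoCs scored at or above min_score, grouped by host type.

    Anything that is neither a valid IP nor a plausible FQDN is returned
    separately so it can be reviewed rather than silently turned into a
    host object.
    """
    hosts = {"ip": [], "fqdn": []}
    skipped = []
    for ioc, score, threat in feed:
        if score < min_score:
            continue
        kind = classify_ioc(ioc)
        if kind is None:
            skipped.append(ioc)
            continue
        hosts[kind].append((ioc, score, threat))
    return hosts, skipped


def search_indicators(feed, needle):
    """Substring search over IoC names, like the Threat indicators view."""
    return [ioc for ioc, _, _ in feed if needle in ioc]


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    hosts, skipped = select_block_hosts(feed)
    for kind in ("ip", "fqdn"):
        for ioc, score, threat in hosts[kind]:
            # Hypothetical naming scheme for the host objects you create.
            print(f"create {kind} host NDR_{ioc} (score {score}, {threat})")
    if skipped:
        print("review manually, not an IP or FQDN:", skipped)
    print("search '100':", search_indicators(feed, "100"))
```

Run it on the firewall's feed by replacing SAMPLE_FEED with the file contents copied from the advanced shell. Lower min_score only if you also lowered the Minimum threat score in the NDR Essentials settings; otherwise you'll be blocking indicators the firewall isn't logging.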
Add threat exclusions
When you exclude a source or destination from Active Threat Response scanning, the firewall won't check that traffic against the threat feeds.
To add threat exclusions, go to the top menu, and click Add threat exclusions.
For more information, see Add threat exclusions.
Threat indicators
To view and search for individual IoCs in a threat feed, click Threat indicators under the top menu. You can see the IoC names, threat scores and threat names. You can search the IoCs by IP address or domain name. You can also search by strings. For example, if you search for "100", you'll see IoCs that contain the string "100".
Logs
To see your logs, click Logs under the top menu. For more information, see Logs and alerts for Active threat response.