CrowdSec Blocklist Integration with Sophos Firewall

From Notes_Wiki

Overview

This guide explains how to integrate CrowdSec blocklists with a Sophos Firewall using third-party threat feeds.

Prerequisites

  • Active CrowdSec account
  • Administrator access to Sophos Firewall
  • Valid Sophos Firewall license
  • Internet connectivity

Step 1: Access CrowdSec Portal

This step allows you to log in to the CrowdSec management portal.

  • Open a web browser and navigate to https://www.crowdsec.net/.
  • Log in using your CrowdSec credentials.
  • Create an account if required and complete the sign-in process.

Step 2: Open the Integrations Page

This step opens the section used to manage CrowdSec integrations.

  • After logging in, open the Blocklists dashboard.
  • From the left navigation panel, select Integrations.

Step 3: Create a New Integration

This step creates a new integration profile for your firewall.

  • Select your firewall vendor (for example: Sophos Firewall).
  • Click Connect.
  • Enter an integration name.
  • Add relevant tags such as firewall or blocklist.
  • Optionally add a short description.
  • Click Create.

Step 4: Copy Integration Credentials

This step collects the credentials required for firewall configuration.

  • Copy the Endpoint, Username, and Password.
  • Store the credentials securely, as they are displayed only once.
  • Click Continue.

Step 5: Subscribe to a Blocklist

This step activates the selected threat intelligence blocklist.

  • Click Plug a blocklist to open the Blocklist Catalog.
  • Select the required blocklist.
  • Open the details and click Subscribe.
  • Choose the preferred remediation option.
  • Click Confirm subscription.

Step 6: Verify Integration

This step verifies that the blocklist is linked to the integration.

  • Return to the Integrations page.
  • Confirm that the blocklist appears under your integration.


Step 7: Log in to Sophos Firewall

This step prepares the firewall for threat feed configuration.

  • Log in to the Sophos Firewall web interface.
  • Navigate to Active Threat Response → Third-party threat feeds.
  • Click Add.


Step 8: Configure CrowdSec Threat Feed

This step connects the Sophos firewall to CrowdSec.

  • Enter a name for the threat feed.
  • Select Block as the action.
  • Choose IPv4 address as the indicator type.
  • Paste the CrowdSec Endpoint URL.
  • Select Basic authentication.
  • Enter the Username and Password.
  • Click Test connection and confirm success.
  • Click Save.

Step 9: Verify Synchronization

This step confirms successful operation of the integration.

  • Wait for the firewall to fetch data.
  • Click Refresh if required.
  • Confirm that IP addresses appear.
  • Verify the sync status shows Successful.
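
The following is an added example, not part of the original guide or of CrowdSec or Sophos code: a way to audit, from an admin workstation, the feed body that the Endpoint, Username and Password from Step 4 return before relying on the Block action from Step 8. It assumes the endpoint returns plain text with one address per line; the function names, the sample feed and the protected range 192.0.2.0/24 are constructed for illustration.

```python
import base64
import ipaddress
import urllib.request

# Ranges that should never appear in a public-IP blocklist.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def basic_auth_header(username, password):
    """Build the HTTP Basic header for the integration credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def fetch_feed(endpoint, username, password, timeout=15):
    """Download the feed body; refuse to send credentials over plain HTTP."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("Basic credentials must only be sent over HTTPS")
    req = urllib.request.Request(endpoint, headers=basic_auth_header(username, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def audit_feed(body, protected=()):
    """Sort feed entries into buckets; 'protected' lists networks you must never block."""
    guard = [ipaddress.ip_network(n) for n in protected]
    report = {k: [] for k in ("valid", "invalid", "non_ipv4", "non_routable", "protected_hits")}
    for raw in body.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if ip.version != 4:
            report["non_ipv4"].append(entry)        # feed is configured as IPv4 only
        elif any(ip in net for net in guard):
            report["protected_hits"].append(entry)  # would block your own addresses
        elif any(ip in net for net in NON_ROUTABLE):
            report["non_routable"].append(entry)
        else:
            report["valid"].append(entry)
    return report

# Constructed sample body (documentation-range addresses), not real feed data.
SAMPLE_FEED = "203.0.113.10\n198.51.100.7\n10.0.0.5\n2001:db8::1\nnot-an-ip\n192.0.2.44\n"

if __name__ == "__main__":
    for bucket, entries in audit_feed(SAMPLE_FEED, protected=["192.0.2.0/24"]).items():
        print(f"{bucket}: {entries}")
```

Against the live feed, pass the result of `fetch_feed(...)` to `audit_feed(...)` and investigate any non-empty bucket other than `valid` before leaving the feed in Block mode.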

Important Note

A valid Sophos Firewall license is required to use third-party threat feeds.

Conclusion

The CrowdSec integration is now complete: the firewall fetches the subscribed blocklist as a third-party threat feed and blocks the listed IPv4 addresses.
