Sophos XG Active threat response configuration
SOPHOS FIREWALL – ACTIVE THREAT RESPONSE CONFIGURATION
This document explains the step-by-step procedure to configure Active Threat Response (ATR) with Third-Party Threat Feeds on the Sophos Firewall to automatically block malicious IPs, Domains, and URLs.
Prerequisites
- Admin access to the Sophos Firewall
- Reachable threat feed server URL
- Plain text feed files (one indicator per line)
1. Log in to the Sophos Firewall management console.
2. Navigate to:
Protect → Active Threat Response
3. Click:
Active Threat Response → Third-Party Threat Feeds
General Configuration Steps
Step 1: Add New Threat Feed
1. Click ADD
2. Configure the following options:
Action Settings
- Select Block
- This will log the event and immediately block malicious traffic.
Indicator Type
Select the appropriate Indicator of Compromise (IoC) type:
- IPv4 Address
- Domain
- URL
Authentication Settings
- Select No Authentication (if feed is publicly accessible)
Validate Server Certificate
- Disable (not required for this setup; note that the firewall will then accept the feed without verifying the feed server's TLS certificate)
Polling Interval
- Set to 5 Minutes
- This controls how often the firewall fetches updated threat data.
IOC Feed Configuration
IPv4 Address Feed Configuration
Configuration Details:
- Name: CSOC_MOD_IOC_BLOCK_IP
- Indicator Type: IPv4 Address
- Action: Block
- External URL:
https://10.1.1.60/siem/soar/files/get/ZmlsZS1mZWVkLTY3MDIudHh0
- Authentication: No Authentication
- Polling Interval: 5 Minutes
Steps
1. Click ADD
2. Enter the above details
3. Click Test Connection
4. Verify status shows Success
5. Click Save
Expected Result
- Status should display Success
- IoC count should be visible
- Firewall starts blocking malicious IP addresses automatically
Domain Feed Configuration
Configuration Details:
- Name: CSOC_MOD_IOC_BLOCK_Domain
- Indicator Type: Domain
- Action: Block
- External URL:
https://10.1.1.60/siem/soar/files/get/ZmlsZS1mZWVkLTg4ODcudHh0
- Authentication: No Authentication
- Polling Interval: 5 Minutes
Steps
1. Click ADD
2. Enter the configuration values
3. Click Test Connection
4. Confirm status shows Success
5. Click Save
Expected Result
- Domain IoCs are fetched successfully
- Malicious domains are automatically blocked
URL Feed Configuration
Configuration Details:
- Name: CSOC_MOD_IOC_BLOCK_URL
- Indicator Type: URL
- Action: Block
- External URL:
https://10.1.1.60/siem/soar/files/get/ZmlsZS1mZWVkLTg4ODcudHh0
- Authentication: No Authentication
- Polling Interval: 5 Minutes
Steps
1. Click ADD
2. Enter the required values
3. Click Test Connection
4. Verify connection status as Success
5. Click Save
Expected Result
- URL-based threats are fetched
- Firewall blocks malicious URLs in real time
Verification Steps
After saving all feeds:
1. Wait for 2–5 minutes
2. Refresh the Third-Party Threat Feeds page
3. Verify:
   - Status = Success
   - IoC count is displayed
Log Verification
Viewing Logs
1. Navigate to:
Logs & Reports → Log Viewer
2. Filter logs by:
   - Module: Active Threat Response
   - Action: Block
Expected Log Details
Logs should display:
- Blocked Source IP / Domain / URL
- Action Taken: Blocked
- Timestamp
- Policy Reference
- Threat Feed Name
Notes
- Ensure threat feed URLs are reachable from the firewall.
- Feed files must contain one indicator per line.
- Avoid adding comments or extra formatting inside feed files.
- Lower polling intervals provide faster threat updates but may increase resource usage.
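The notes above require a feed file to be plain text with exactly one indicator per line and no comments or extra formatting. The following added example (not Sophos code; `validate_feed`, the helper names and the `SAMPLE_IPV4_FEED` contents are constructed for illustration) checks a feed file against those rules for the IPv4, Domain and URL indicator types before it is published to the feed server.

```python
"""Pre-publication check for a plain-text ATR feed file (added example, not
Sophos code). Each line must be exactly one indicator of the feed's declared
type (ipv4, domain or url): no comments, blank lines or extra formatting."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname labels per RFC 1123 (letters, digits, hyphens), at least two labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)

def _is_ipv4(value: str) -> bool:
    try:  # rejects CIDR ranges, IPv6 and anything that is not a bare address
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def _is_domain(value: str) -> bool:
    # A bare IPv4 address also matches the label regex, so exclude it explicitly.
    return len(value) <= 253 and bool(_DOMAIN_RE.match(value)) and not _is_ipv4(value)

def _is_url(value: str) -> bool:
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced bracket in the host part
        return False
    host = parts.hostname or ""
    return parts.scheme in ("http", "https") and (_is_domain(host) or _is_ipv4(host))

_CHECKS = {"ipv4": _is_ipv4, "domain": _is_domain, "url": _is_url}

def validate_feed(text: str, indicator_type: str) -> list[str]:
    """Return one message per offending line; an empty list means the feed is clean."""
    check = _CHECKS[indicator_type]
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            problems.append(f"line {lineno}: blank line")
        elif line.startswith(("#", ";", "//")):
            problems.append(f"line {lineno}: comment lines are not allowed")
        elif line != raw:
            problems.append(f"line {lineno}: leading/trailing whitespace")
        elif not check(line):
            problems.append(f"line {lineno}: not a valid {indicator_type} indicator: {line!r}")
    return problems

# Constructed sample: two good entries, then a CIDR range, a comment and a URL,
# none of which belong in an IPv4 feed.
SAMPLE_IPV4_FEED = "203.0.113.10\n198.51.100.7\n192.0.2.0/24\n# bad actor\nhttp://203.0.113.5/x\n"
```

Calling `validate_feed(SAMPLE_IPV4_FEED, "ipv4")` reports lines 3, 4 and 5; an empty result means the file is safe to publish for that indicator type.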
Conclusion
Active Threat Response with third-party threat feeds provides automated real-time protection against known malicious IPs, domains, and URLs by dynamically blocking threats at the firewall level.