Sophos XG Firewall Integration

Written by Ali Murtaza

About Sophos

Sophos Group is a British security hardware and software company that has worked in network and system security software for the past 30 years. Powered by SophosLabs, its AI-enhanced, cloud-native solutions are designed to adapt to a wide range of network environments. Among its protective hardware and software, the Sophos Xstream Firewall is engineered to bring high levels of visibility, protection, and performance to any network. With deep packet inspection and application acceleration, Sophos delivers protection and performance against the challenges network administrators face today.

SIRP’s integration with Sophos Firewall allows security teams to execute response actions directly from SIRP, improving the speed of incident response.

Supported Actions

SIRP’s Sophos integration app allows you to execute the following actions:

  1. Block IP as Source: block an IP address as a traffic source on the Sophos firewall.

  2. Unblock IP as Source: unblock an IP address as a traffic source on the Sophos firewall.

  3. Block IP as Destination: block an IP address as a traffic destination on the Sophos firewall.

  4. Unblock IP as Destination: unblock an IP address as a traffic destination on the Sophos firewall.

  5. Block URL: block a URL on the Sophos firewall.

  6. Unblock URL: unblock a URL on the Sophos firewall.

Prerequisite Steps for Sophos App

Before creating the firewall rules, create the two IP Host Groups and the URL group that SIRP will add addresses and URLs to. The rules reference these groups, so SIRP only ever changes group membership and never edits the rules themselves.

  1. Log in to the Sophos web console.

  2. Open the “Hosts and Services” tab.

  3. Under IP Host Group, add two groups:

    1. SIRP_Source_IP_Block

    2. SIRP_Destination_IP_Block

    3. Set the IP version of both groups to IPv4.

To create a new rule in Sophos:

  1. Go to Rules and policies, click Add firewall rule, then click New firewall rule.

Rule 1: SIRP_Source_IP_Block

Follow these steps to create the rule that blocks traffic originating from the IP addresses SIRP adds to the source group.

  1. After clicking Add firewall rule in the Rules tab, a new rule window opens.

  2. Turn the rule status ON in the Add Firewall Rule section.

  3. Enter the following:

    1. Rule name: SIRP_Source_IP_Block

    2. Rule Group: Traffic to Internal Zone

    3. Action: Reject

  4. In the Source section:

    1. Set Source zones to Any.

    2. Add the IP Host Group SIRP_Source_IP_Block to Source networks and devices.

    3. Set During scheduled time to All the time.

Save the configuration; a new rule is created. Sophos matches firewall rules from the top down and stops at the first match, so move this rule above any rule that would otherwise allow the traffic: a block rule placed below a broad allow rule never fires.

Rule 2: SIRP_Destination_IP_Block

Follow these steps to create the rule that blocks traffic destined for the IP addresses SIRP adds to the destination group.

  1. Again click Add New Rule in the Rules tab, a new Rule window will pop up.

  2. Turn the rule status ON in the Add Firewall Rule section.

  3. Make the following additions:

    1. Rule name: SIRP_Destination_IP_Block

    2. Rule Group: Traffic to Internal Zone

    3. Action: Reject

  4. In the Destination and Services section perform the following steps:

    1. Set the Destination Zones to Any.

    2. Add the IP Host Group SIRP_Destination_IP_Block to the Destination Networks section.

    3. Set the Services to Any.

Save the configuration; a new rule is created. Like the source rule, it must sit above any firewall rule that would allow the traffic, since rules are matched top down and the first match wins.

Rule 3: SIRP_URL_Block

Follow these steps to create the URL group that SIRP adds URLs to, and the rule that denies access to it.

  1. In the web console, open Web under the Protect tab.

  2. Open URL groups in the Web section and add a new URL group named SIRP_URL_Block.

Then create the rule that denies the group:

  1. Go to the “Rules and Policies” section.

  2. Open SSL/TLS inspection rules.

    1. Add a new SSL/TLS inspection rule and enter a name and description.

    2. Set the Action to Deny.

    3. Under Websites, add the URL group SIRP_URL_Block and save.

Note that an SSL/TLS inspection rule acts on TLS connections; it does not cover plain HTTP requests to the same URLs. If those must be blocked as well, reference the same URL group from a web policy.

Enable and Configure Sophos API

To enable API access, open the Sophos web console:

  1. Log in to the Sophos web console.

  2. Go to the Backup & Firmware tab.

  3. Enable “API configuration.”

  4. Enter the SIRP IP address in Allowed IP addresses. List only the SIRP host (or hosts) here: this allow list is the only network-level restriction on who can call the API with the credentials used below.

To configure and enable the Sophos app in SIRP, you need the encrypted password of the Sophos account SIRP will use. There are two ways to obtain it:

Option 1

Step 1: Select Backup & firmware from the sidebar panel.

Step 2: Select the "Import export" tab.

Step 3: Select "Export selective configuration".

Step 4: Click Add new item, select "User" from the dropdown, tick Include dependent entity, and click the "Export" button.

Step 5: Extract the downloaded tar file; it contains an .xml file. Open this file (preferably in Chrome).

Step 6: Search for the username SIRP will use and copy its password value for the next step.

The exported file contains the credential material of every user on the firewall, not only the account SIRP needs. Store it where only administrators can read it, and delete it once you have copied the value.


Option 2

Step 1: Using SSH, enter the main menu.

Step 2: Select option 5. Device Management.

Step 3: Within the Device Management menu, enter option 3. Advanced Shell.

Step 4: In the Advanced Shell, run the following command, replacing ********* with the password of the account SIRP will use, to get the encrypted password used later in the SIRP Sophos app configuration.

opcode GetEncripted_PasswordFor_API -t json -b '{"password":"*********"}' -ds nosync

OR

aes-128-cbc-tool -k Th1s1Ss1mPlygR8API -t 1 -s <password>

Copy the Status Message, e.g. “62C89C5FC31FB864DC0F**********”, for later use.

Note: If the above command returns a "500 opcode not found" error, use Option 1.

Treat the encrypted string as the password itself: the firewall accepts it directly as an API credential, and the key used to produce it (visible in the second command) is fixed, so the string is reversible by anyone who obtains it.

Configure and Enable Sophos App

  1. Log in to SIRP, then go to Apps in the left navigation bar.

  2. Locate the app named Sophos Firewall.

  3. Enable the Sophos app by clicking the toggle button.

When you enable the app, you are prompted for its configuration details. Add the following and click Save:

  • Host: <IP address of the Sophos firewall>

  • Port: <4444>

  • Username: <the Sophos administrator account SIRP will authenticate as, e.g. admin; a dedicated account for SIRP is preferable to the built-in admin>

  • Password: <the copied status message, e.g. “62C89C5FC31FB864DC0F**********”>

  • Host-Source-Group: <Source IP Host Group created in Sophos, SIRP_Source_IP_Block>

  • HOST-Destination-Group: <Destination IP Host Group created in Sophos, SIRP_Destination_IP_Block>

  • URL-Group: <URL group created in Sophos, SIRP_URL_Block>

After the last step, you should be able to execute the Sophos actions on demand or through playbooks to block and unblock IP addresses and URLs.
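The block and unblock IP actions above come down to adding an IP host object to one of the SIRP groups, or deleting it again, through the firewall's XML API on port 4444. The following Python example is added here and is not SIRP's app code or Sophos tooling. It builds those requests using the encrypted password from the previous section and parses the firewall's answer. It assumes the Sophos Firewall XML API shape (a POST to /webconsole/APIController with a reqxml form field, a Login element whose Password carries passwordform="encrypt", and an IPHost entity with a HostGroupList); the SIRP_ host-name prefix, the helper names and the sample responses are this example's own, and the responses are constructed, not captured from a firewall.

```python
"""Build Sophos Firewall XML API requests for SIRP's block/unblock-IP actions.

Added example, not SIRP or Sophos code. Assumes the Sophos XML API shape:
POST https://<host>:4444/webconsole/APIController with a form field `reqxml`,
a <Login> element whose <Password passwordform="encrypt"> carries the encrypted
string from the Advanced Shell, and an <IPHost> entity with a <HostGroupList>.
Check element names against the API guide for your firmware version.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/webconsole/APIController"


def _login(username, encrypted_password):
    # passwordform="encrypt" tells the firewall the value is the encrypted form,
    # not the cleartext password.
    login = ET.Element("Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password", passwordform="encrypt").text = encrypted_password
    return login


def _ipv4(ip):
    # The SIRP groups were created with IP version IPv4; refuse anything else
    # (IPv6, CIDR ranges, arbitrary strings) before it reaches the firewall.
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip} is not an IPv4 address; the SIRP groups are IPv4 only")
    return addr


def host_name(ip):
    # Per-address host object name (the SIRP_ prefix is this example's convention).
    return f"SIRP_{_ipv4(ip)}"


def block_ip_xml(username, encrypted_password, ip, group):
    """Request that creates an IP host for `ip` and adds it to `group`.

    `group` is SIRP_Source_IP_Block or SIRP_Destination_IP_Block; the firewall
    rule referencing the group picks the change up without any rule edit.
    """
    addr = _ipv4(ip)
    req = ET.Element("Request")
    req.append(_login(username, encrypted_password))
    host = ET.SubElement(ET.SubElement(req, "Set", operation="add"), "IPHost")
    ET.SubElement(host, "Name").text = host_name(str(addr))
    ET.SubElement(host, "IPFamily").text = "IPv4"
    ET.SubElement(host, "HostType").text = "IP"
    ET.SubElement(host, "IPAddress").text = str(addr)
    ET.SubElement(ET.SubElement(host, "HostGroupList"), "HostGroup").text = group
    return ET.tostring(req, encoding="unicode")


def unblock_ip_xml(username, encrypted_password, ip):
    """Request that deletes the IP host again, which drops it from its groups."""
    req = ET.Element("Request")
    req.append(_login(username, encrypted_password))
    host = ET.SubElement(ET.SubElement(req, "Remove"), "IPHost")
    ET.SubElement(host, "Name").text = host_name(ip)
    return ET.tostring(req, encoding="unicode")


def parse_response(xml_text):
    """Return (login_ok, status_code, message) from an APIController response.

    A bad credential comes back as a well-formed <Response> with an
    Authentication Failure login status rather than a transport error, so the
    login status is checked explicitly and not inferred from the HTTP layer.
    """
    root = ET.fromstring(xml_text)
    login = root.findtext("Login/status", default="")
    login_ok = login == "Authentication Successful"
    status = root.find("./*/Status")  # <IPHost><Status code="200">...</Status></IPHost>
    if status is None:
        return login_ok, None, login
    return login_ok, int(status.get("code", "0")), (status.text or "").strip()


def send(host, reqxml, cafile, port=4444, timeout=15):
    """POST `reqxml` to the firewall. `cafile` pins the admin-port certificate
    (usually self-signed) instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = urllib.parse.urlencode({"reqxml": reqxml}).encode()
    request = urllib.request.Request(f"https://{host}:{port}{API_PATH}", data=data)
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample responses (not captured from a firewall), in the shape the
# API returns, so parse_response can be exercised offline.
SAMPLE_OK = (
    '<Response APIVersion="1905.1"><Login><status>Authentication Successful</status></Login>'
    '<IPHost transactionid=""><Status code="200">Configuration applied successfully.'
    "</Status></IPHost></Response>"
)
SAMPLE_AUTH_FAIL = "<Response><Login><status>Authentication Failure</status></Login></Response>"

if __name__ == "__main__":
    print(block_ip_xml("admin", "62C89C5FC31FB864DC0F", "198.51.100.23", "SIRP_Source_IP_Block"))
    print(parse_response(SAMPLE_OK), parse_response(SAMPLE_AUTH_FAIL))
```

Run from the SIRP host (the only address in the API allow list) with `send(firewall_ip, block_ip_xml(...), cafile="firewall.pem")`; the returned XML goes through `parse_response`, and anything other than `(True, 200, ...)` should fail the playbook step rather than be treated as a successful block. The IPv4-only check exists because the groups were created with IP version IPv4, so an IPv6 indicator would be rejected by the firewall anyway; failing early keeps the error visible in SIRP.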
