About Sophos EDL
Sophos Group is a British security hardware and software company that has been working in network and system security software for the past 30 years. Powered by SophosLabs, their AI-enhanced and cloud-native solutions provide high adaptation and flexibility characteristics in a network. From the vast variety of protective software and hardware, the Sophos Xstream Firewall is engineered to bring extreme levels of visibility, protection, and performance to any network. With deep packet inspection and application acceleration, Sophos delivers powerful protection and performances to mitigate the greatest challenges faced by network administrators today.
An External Dynamic List is a text file containing IOCs (URLs and domains) that the Sophos firewall uses/syncs with to enforce its block and unblock policies.
SIRP’s Sophos EDL integration app allows you to execute the following actions:
Block a URL on Sophos firewall
Unblock a URL on Sophos firewall
Block a domain on Sophos firewall
Unblock a domain on Sophos firewall
Enable the Palo Alto EDL App in SIRP
First, log in to SIRP, then go to Apps from the left navigation bar.
Locate the app named Sophos EDL.
Enable the Sophos app by clicking on the toggle button under the Status
Once enabled, click on the configuration button to add the following configuration:
Configuration Name <string with no spaces>
EDL-Name <string with no spaces>
Execute the following supported actions one by one on any particular container (incident or alert) or from Automation Playground:
As each action gets executed, you will get unique URLs of the EDL files. For example:
Use these URLs to configure the EDL in the Sophos Firewall by following these steps:
Configure EDL in Sophos
1. Log in to the Sophos Web Console.
2. Access the Web tab
3. Add a new a block in Categories
a) Set Name to SIRP_URL_BLOCK
b) Set Classification to Objectionable.
c) Set Configure category to External URL Database
d) Add URLs (from your SIRP actions) and Save
After the last step, you should be able to execute the Sophos actions on-demand or through Playbooks to block and unblock domains and URLs.