About Sophos EDL

Sophos Group is a British security hardware and software company that has been working in network and system security software for the past 30 years. Powered by SophosLabs, their AI-enhanced and cloud-native solutions provide high adaptation and flexibility characteristics in a network. From the vast variety of protective software and hardware, the Sophos Xstream Firewall is engineered to bring extreme levels of visibility, protection, and performance to any network. With deep packet inspection and application acceleration, Sophos delivers powerful protection and performances to mitigate the greatest challenges faced by network administrators today.

An External Dynamic List is a text file containing IOCs (URLs and domains) that the Sophos firewall uses/syncs with to enforce its block and unblock policies.

Supported Actions

SIRP’s Sophos EDL integration app allows you to execute the following actions:





Block URL

Block a URL on Sophos firewall


Unblock URL

Unblock a URL on Sophos firewall


Block Domain

Block a domain on Sophos firewall


Unblock Domain

Unblock a domain on Sophos firewall

Enable the Palo Alto EDL App in SIRP

  1. First, log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named Sophos EDL.

  3. Enable the Sophos app by clicking on the toggle button under the Status

  4. Once enabled, click on the configuration button to add the following configuration:

    1. Configuration Name <string with no spaces>

    2. EDL-Name <string with no spaces>

  5. Execute the following supported actions one by one on any particular container (incident or alert) or from Automation Playground:



  6. As each action gets executed, you will get unique URLs of the EDL files. For example:

    • https://<sirp-ip>/Sophos/2/url_list.txt

    • https://<sirp-ip>/Sophos/2/domain_list.txt

  7. Use these URLs to configure the EDL in the Sophos Firewall by following these steps:

Configure EDL in Sophos

1. Log in to the Sophos Web Console.

2. Access the Web tab

3. Add a new a block in Categories

a) Set Name to SIRP_URL_BLOCK

b) Set Classification to Objectionable.

c) Set Configure category to External URL Database

d) Add URLs (from your SIRP actions) and Save

o https://<sirp-ip>/Sophos/2/url_list.txt

o https://<sirp-ip>/Sophos/2/domain_list.txt

After the last step, you should be able to execute the Sophos actions on-demand or through Playbooks to block and unblock domains and URLs.

Did this answer your question?