This article describes how to automate pattern updates when multiple XG Firewalls are deployed in an air-gapped (physically isolated) environment.
Applies to the following Sophos products and versions: Sophos Firewall v17.5 MR3 and later.
A server/PC with Apache or a similar tool installed that can be used for file exchange.
In the following example we have used Apache running on Ubuntu for file exchange. (Alternatively, you can use any wget-compatible protocol, such as FTP or HTTPS.)
An XG Firewall provisioned with the automated script pulls the pattern update from the server/PC at a pre-defined interval of 24 hours.
cd /content
wget --no-check-certificate http://<ipaddress of server>/airgap_pattern_update.sh
sh /content/airgap_pattern_update.sh > /log/airgap.log 2>&1 &
Note: The XG checks for a pattern update every 24 hours (24 hours = 86400 seconds; this value can be changed in the script file). If a new pattern update is available on the server machine, the script running on the XG triggers the download.
Note: In a High-Availability deployment, the airgap_pattern_update.sh script file needs to be executed on the primary as well as the auxiliary appliance.
ps -w | grep airgap
tail -f /log/airgap_pattern_update.log
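The download step above fetches the script over plain HTTP, where `--no-check-certificate` has no certificate to check, so the transfer itself does not authenticate the file. The following is an added example, not part of the original article or Sophos code, that compares the fetched script against a SHA-256 digest before starting it in the background. It assumes `sha256sum` is available in the appliance shell and that the expected digest was recorded on the staging server and carried to the firewall out-of-band; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Sophos code): refuse to run a fetched script unless its
# SHA-256 matches a digest obtained out-of-band.
# Assumption: sha256sum and awk exist in the shell where this is run.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED_HEX
# returns 0 on exact match, 1 on mismatch, 2 on bad input
verify_script() {
    file=$1; expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Accept only a 64-character hexadecimal digest
    case $expected in
        *[!0-9a-fA-F]*|"") echo "bad digest" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    # Normalise case so an upper-case digest still compares equal
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected_lc" ]; then
        return 0
    fi
    echo "digest mismatch for $file: got $actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX LOGFILE
# Starts FILE in the background (as in the article's run step) only when verified.
run_if_verified() {
    verify_script "$1" "$2" || return $?
    sh "$1" > "$3" 2>&1 &
}
```

On the firewall this would be called as `run_if_verified /content/airgap_pattern_update.sh <expected sha256> /log/airgap.log`, where `<expected sha256>` is a placeholder for the digest taken from the staging server.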