Sophos Factory: Integrate Sophos Factory with Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Sophos Factory offers a free Community Edition.

Sophos Factory supports self-hosted runners. Runner Pools orchestrate Runners (machines or containers), which are used to execute pipelines.
You can host them on different platforms: https://docs.factory.sophos.com/docs/runners/self-hosted-runners/ 

Runners generate and execute your code. To allow runners to execute code on your Sophos Firewall, you have to do two things on SFOS:
Allow SSH access if you want to execute SSH commands on SFOS.
Allow API access if you want to execute API commands on SFOS.

The first step is to run a simple "What is my IP" command. You can use this code as YAML:

---
variables: []
steps:
  - id: getIP
    name: Get Runner IP
    type: http
    depends: []
    properties:
      url: 'https://httpbin.org/ip'
      method: GET
      validate_certs: true
      timeout: 30
      headers:
        - key: Content-Type
          value: application/json
      status_codes:
        - 200
outputs:
  - key: ipAddress
    value: '{|steps.getIP.result.body.origin|}'
layout:
  elements:
    - id: getIP
      position:
        x: -122
        'y': -145
      links: []
      image_id: f5b6fd0d-0a2c-4b09-869a-92644ff7314c

The output shows the current WAN IP of the runner. This step is only there to double-check that IP.

The next step is to create the credentials of your Sophos Firewall in Sophos Factory. 

You can choose from different kinds of credentials. Most likely you will use the admin user and password of SFOS.
See: https://docs.factory.sophos.com/docs/reference/credential-types/ 

On SFOS: 
Go to Administration > Device Access and allow HTTPS (and SSH) for Factory. Create a new Local Service ACL Exception rule and add HTTPS + SSH for your Factory WAN IP.

Note: Add SSH only if you want to execute SSH commands. HTTPS is needed for API calls.

Under Backup & Firmware > API, enable API Configuration and add the IP of Factory as well.

Now you can test your setup by executing a Sophos Firewall pipeline. For example, go to the solution catalog, search for SFOS, and take the API request pipeline.

Add your parameters and run the pipeline.

The request result should list all IP hosts and show "Authentication Successful".



Edited TAGs and Title
[edited by: emmosophos at 11:10 PM (GMT -7) on 1 Apr 2024]
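
As an added example (not part of the original post and not Sophos's pipeline code), this is what the API request test in the last step checks: a login plus a Get for all IP hosts, and a response carrying "Authentication Successful". The element names follow the SFOS XML API as assumed here, and the sample responses are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample responses, not captured from a real firewall.
SAMPLE_OK = """<Response>
  <Login><status>Authentication Successful</status></Login>
  <IPHost><Name>factory-runner</Name><IPAddress>203.0.113.10</IPAddress></IPHost>
  <IPHost><Name>branch-gw</Name><IPAddress>198.51.100.7</IPAddress></IPHost>
</Response>"""
SAMPLE_BAD_LOGIN = (
    "<Response><Login><status>Authentication Failure</status></Login></Response>"
)


def build_request(username, password):
    """Build the request XML: a login block plus a Get for all IPHost objects."""
    # escape() stops characters such as & or < in a password from breaking
    # the document or injecting extra elements into the request.
    return (
        "<Request><Login>"
        f"<Username>{escape(username)}</Username>"
        f"<Password>{escape(password)}</Password>"
        "</Login><Get><IPHost/></Get></Request>"
    )


def parse_response(xml_text):
    """Return login status and IP hosts; never raise on a malformed body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # e.g. an HTML error page instead of an API response
        return {"authenticated": False, "status": "unparseable response", "hosts": {}}
    status = (root.findtext("Login/status") or "no login status returned").strip()
    ok = status == "Authentication Successful"
    hosts = {}
    if ok:  # ignore any object data unless the login succeeded
        for host in root.findall("IPHost"):
            name = host.findtext("Name")
            if name:
                hosts[name] = host.findtext("IPAddress")
    return {"authenticated": ok, "status": status, "hosts": hosts}


if __name__ == "__main__":
    print(build_request("admin", "p&ss<word>"))
    print(parse_response(SAMPLE_OK))
    print(parse_response(SAMPLE_BAD_LOGIN))
```

A response without a login status usually means the request never reached the login check, so re-check the Device Access exception and the API allowed IP against the runner's WAN IP.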
  • I am using the following command: 

    docker run --pull always --interactive --tty --volume /var/run/docker.sock:/var/run/docker.sock --volume $(pwd)/runner_agent.json:/etc/runner_agent.json --volume $(pwd)/runner_secrets.json:/etc/runner_secrets.json --name runner-pool --env ENVIRONMENT=alpha --env RUNNER_MANAGER_ID=XXXXXXXXXXXXXXXXXXXXXXXX --env RUNNER_MANAGER_KEY=YYYYYYYYYYYYYYYY --env CONFIG_PATH=/etc/runner_agent.json --env SECRETS_PATH=/etc/runner_secrets.json --env LOG_LEVEL=debug --env RUNNER_LOCAL_DOCKER_IMAGE_REGISTRY=docker.io --env RUNNER_LOCAL_DOCKER_IMAGE_REPOSITORY=refactr/runner --env RUNNER_LOCAL_DOCKER_IMAGE_TAG=latest --env AGENT_API_BASE_URL=agent-api.us-west-2.factory.sophos.com/v1 refactr/runner-pool

    Don't forget to run this before: sudo chmod 777 '/var/run/docker.sock'

    BTW: Your error sounds like a DNS issue.


  • Thanks! 

    No DNS Issue, default value was not a public published DNS record so it cannot be found. AGENT_API_BASE_URL should be added to the docs :)

  • Running the container with the SYS_ADMIN option works as well. There is no need to give 777 to docker.sock.