Hi Sophos Community, 

I'm pleased to announce the release of a Python SDK for the SFOS firewall APIs. This SDK wraps the XML API in an easy-to-use component that removes the biggest challenges in using the firewall's API to automate configuration tasks.


The SDK has been published on PyPI, making installation and use as easy as:

pip install sophosfirewall-python


Once installed, it becomes incredibly easy to access a firewall via script:

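from sophosfirewall_python.firewallapi import SophosFirewall

# FIREWALL_* are placeholders: set them to your own values before running.
sfos = SophosFirewall(
    username=FIREWALL_USERNAME,
    password=FIREWALL_PASSWORD,
    hostname=FIREWALL_HOST_OR_IP,
    port=FIREWALL_PORT,
    verify=True,  # validate the firewall's TLS certificate
)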

From there, you can test if your stored credentials are valid:

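# Exception import path assumed from the SDK release announced here.
from sophosfirewall_python.firewallapi import SophosFirewallAuthFailure

try:
    response = sfos.login()
    print(f"Success! {response}")
except SophosFirewallAuthFailure as e:
    print(f"Authentication error: {e}")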

Exploring and editing configuration

List firewall rules:

response = sfos.get_fw_rule()
rules = response["Response"]["FirewallRule"]
for rule in rules:
    print(f"{rule['Name']} Details: {rule}")

Create hosts:

response = sfos.create_ip_host(name="test-host", ip_address="")

This is to name just a few options. You can find more examples and documentation here:

Welcome to sophosfirewall-python’s documentation! — sophosfirewall-python 0.0.1 documentation

The SDK is fully open-source, and you can find it published on GitHub here:

GitHub - sophos/sophos-firewall-sdk: Python module for working with Sophos Firewall API

How will you use this? What projects does this unlock for you? Let us know how you plan to use this tool!

Happy coding!
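
An audit built on the `get_fw_rule()` listing above, as an added example that is not part of the original post or the SDK: it handles a single `FirewallRule` coming back as a dict rather than a list (as XML-to-dict conversion commonly does) and flags enabled Accept rules that are any-to-any, any-service or unlogged. The sample responses are constructed, and the field names under `NetworkPolicy`/`UserPolicy` are assumptions about the SFOS XML schema.

```python
def as_list(value):
    """One XML child parses to a dict/str, several to a list; always return a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def members(policy, container, item):
    """Entries of e.g. SourceNetworks/Network; a missing container means 'Any'."""
    return as_list((policy.get(container) or {}).get(item))

def audit_rules(response):
    """Return (rule name, finding) pairs for enabled Accept rules worth reviewing."""
    findings = []
    for rule in as_list(response["Response"].get("FirewallRule")):
        # Assumed schema: the policy body sits under NetworkPolicy or UserPolicy.
        policy = rule.get("NetworkPolicy") or rule.get("UserPolicy") or {}
        if rule.get("Status") != "Enable" or policy.get("Action") != "Accept":
            continue
        name = rule["Name"]
        if not (members(policy, "SourceNetworks", "Network")
                or members(policy, "DestinationNetworks", "Network")):
            findings.append((name, "any-to-any networks"))
        if not members(policy, "Services", "Service"):
            findings.append((name, "any service"))
        if policy.get("LogTraffic") != "Enable":
            findings.append((name, "logging disabled"))
    return findings

# Constructed sample responses (not real firewall output).
SAMPLE_MANY = {"Response": {"FirewallRule": [
    {"Name": "lan-to-wan-web", "Status": "Enable", "NetworkPolicy": {
        "Action": "Accept", "LogTraffic": "Enable",
        "SourceNetworks": {"Network": "LAN-net"},
        "Services": {"Service": ["HTTP", "HTTPS"]}}},
    {"Name": "temp-allow-all", "Status": "Enable",
     "NetworkPolicy": {"Action": "Accept", "LogTraffic": "Disable"}},
    {"Name": "old-rule", "Status": "Disable",
     "NetworkPolicy": {"Action": "Accept"}},
]}}
SAMPLE_ONE = {"Response": {"FirewallRule": {  # single rule: dict, not list
    "Name": "only-rule", "Status": "Enable", "NetworkPolicy": {
        "Action": "Accept", "LogTraffic": "Disable",
        "DestinationNetworks": {"Network": "dns-servers"},
        "Services": {"Service": "DNS"}}}}}

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_MANY) + audit_rules(SAMPLE_ONE):
        print(f"{name}: {finding}")
```

Against a live firewall, pass the return value of `sfos.get_fw_rule()` to `audit_rules()` in place of the samples.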

  • Thanks Joshua. The firewall team does have some plans on improving the firewall API and its accessibility, likely later this year. You're right though, that it isn't accessible through the XML API today.

  • Sounds great! Don't happen to have a blog post/GitHub page covering how you did this by any chance?

  • This is excellent. However, my main issue isn't with this itself, but with API (and WebAdmin) access in general: you can't specify a hostname in the allowed sources list, only IP addresses. And it doesn't seem to be able to be updated via the API, based on what I can find in the API documentation. Meaning that, if our IP address were to change, we will have to manually log into our (over 600) firewalls and update it.

    But, that's not a knock on the work done here, which is great. We may be able to use a tool like this to centralize certain deployment aspects across the bulk of our firewalls.

  • You can already do this using SFOS XML API. I'm using Let's Encrypt, PoshACME and Custom PowerShell Script to renew LE-Cert, Upload to SFOS, Replace all old Certs in WAF-Rules and remove old LE-Cert. Just handle this using API and XML and you'll be fine.

  • Would this allow any kind of automation to update certificates? For example I use certbot to make my certificate for stuff on my home lab, but I have to update the certificate on my XG home instance every 3 months. Be amazing if I could set up a cron job to update my certificate on the firewall.