Hi Sophos Community, 

I'm pleased to announce the release of a Python SDK for the SFOS firewall APIs. This SDK wraps the XML API in an easy-to-use component that removes the biggest challenges in using the firewall's API to automate configuration tasks.


The SDK has been published on PyPI, making installation and use as easy as:

pip install sophosfirewall-python


Once installed, it becomes incredibly easy to access a firewall via script:

from sophosfirewall_python.firewallapi import SophosFirewall

sfos = SophosFirewall(
    username=FIREWALL_USERNAME,
    password=FIREWALL_PASSWORD,
    hostname=FIREWALL_HOST_OR_IP,
    port=FIREWALL_PORT,
    verify=True,  # keep TLS certificate verification enabled
)

From there, you can test if your stored credentials are valid:

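from sophosfirewall_python.firewallapi import SophosFirewallAuthFailure

try:
    # login() raises SophosFirewallAuthFailure when the credentials are rejected
    response = sfos.login()
    print(f"Success! {response}")
except SophosFirewallAuthFailure as e:
    print(f"Authentication error: {e}")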

Exploring and editing configuration

List firewall rules:

response = sfos.get_fw_rule()
rules = response["Response"]["FirewallRule"]
for rule in rules:
    print(f"{rule['Name']} Details: {rule}")

Create hosts:

response = sfos.create_ip_host(name="test-host", ip_address="")

This is to name just a few options. You can find more examples and documentation here:

Welcome to sophosfirewall-python’s documentation! — sophosfirewall-python 0.0.1 documentation

The SDK is fully open-source, and you can find it published on GitHub here:

GitHub - sophos/sophos-firewall-sdk: Python module for working with Sophos Firewall API

How will you use this? What projects does this unlock for you? Let us know how you plan to use this tool!

Happy coding!
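
An added example, not part of the original post or the SDK's own code: running the login and rule-listing calls shown above across several firewalls, so that one failing host does not stop the run. It assumes the SDK returns a single rule as a dict rather than a one-element list (as XML-to-dict parsers commonly do); `as_list`, `sdk_client`, `inventory_rules`, `StubFirewall`, the host names and the canned rules are all constructed for illustration.

```python
# Added example (not from the SDK repository): per-host firewall rule inventory.
def as_list(node):
    """XML-to-dict parsing yields a dict for one element and a list for many."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]

def sdk_client(host, port, username, password):
    # Lazy import: the SDK is only needed when talking to real firewalls.
    from sophosfirewall_python.firewallapi import SophosFirewall
    return SophosFirewall(username=username, password=password,
                          hostname=host, port=port, verify=True)

def inventory_rules(hosts, port, username, password, client=sdk_client):
    """Return {host: {"ok": bool, "rules": [names], "error": str or None}}."""
    report = {}
    for host in hosts:
        entry = {"ok": False, "rules": [], "error": None}
        try:
            fw = client(host, port, username, password)
            fw.login()  # fail early on rejected credentials or TLS errors
            found = fw.get_fw_rule()["Response"].get("FirewallRule")
            entry["rules"] = [rule["Name"] for rule in as_list(found)]
            entry["ok"] = True
        except Exception as exc:  # one bad host must not end the whole run
            entry["error"] = f"{type(exc).__name__}: {exc}"
        report[host] = entry
    return report

class StubFirewall:
    """Constructed stand-in for SophosFirewall so the example runs offline."""
    CANNED = {
        "fw-a.example": [{"Name": "allow-web"}, {"Name": "deny-all"}],
        "fw-b.example": {"Name": "only-rule"},  # single rule: dict, not list
    }
    def __init__(self, host, port, username, password):
        self.host = host
    def login(self):
        if self.host not in self.CANNED:
            raise PermissionError("authentication failed")
        return {}
    def get_fw_rule(self):
        return {"Response": {"FirewallRule": self.CANNED[self.host]}}

if __name__ == "__main__":
    hosts = ["fw-a.example", "fw-b.example", "fw-c.example"]
    for host, entry in inventory_rules(hosts, 4444, "api-user", "unused",
                                       client=StubFirewall).items():
        print(host, entry)
```

Against real firewalls, drop the `client=StubFirewall` argument and read the credentials from the environment or a secrets manager rather than hard-coding them in the script.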

  • This is excellent. However, my main issue isn't with this itself, but with API (and WebAdmin) access in general: you can't specify a hostname in the allowed sources list, only IP addresses. And it doesn't seem to be able to be updated via the API, based on what I can find in the API documentation. Meaning that, if our IP address were to change, we will have to manually log into our (over 600) firewalls and update it.

    But, that's not a knock on the work done here, which is great. We may be able to use a tool like this to centralize certain deployment aspects across the bulk of our firewalls.

  • Thanks Joshua, the firewall team does have some plans on improving the firewall API and its accessibility, likely later this year. You're right though, that it isn't accessible through the XML API today.
