
Sophos Firewall: Automated Firewall Audit Tool

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________


Note: Sophos Support does not provide support for this tool.

 

Overview:

The automated audit tool allows you to audit one or more Sophos firewalls for compliance with baseline security settings. The audit compares a defined set of expected settings (the baseline) with each firewall's actual running configuration and produces an HTML report indicating the audit Pass/Fail status.

Installation and Requirement:

The firewall audit can be installed using the Python pip installer. Python 3.9 is the minimum version required on your system prior to installation. We recommend installing it into a Python virtual environment so as not to interfere with any other Python packages installed on your system.

 

This Recommended Read uses Python 3.12 as the interpreter and PyCharm as the IDE, in a Windows environment.

Installation Steps:

Create a Python venv in the IDE

python -m venv firewallaudit

Activate the venv in the IDE (Windows)

firewallaudit\Scripts\activate.bat

Install the sophos-firewall-audit package

pip install sophos-firewall-audit

Note: Windows users may see an error message ModuleNotFoundError: No module named 'pkg_resources'  when running the sophosfirewallaudit command. To correct this, run pip install setuptools.

 

Install setuptools to address the error

pip install setuptools

sophosfirewallaudit --help should now run.

Update the firewalls.yaml file with your firewall inventory

You may also download the example here: https://github.com/sophos/sophos-firewall-audit/blob/main/firewalls.yaml.example

You can list more than one firewall using the format:
- hostname: 172.16.16.1
  port: 4444
- hostname: 34dtmxgsfw1.ddns.net
  port: 4444
- hostname: 10.153.189.23
  port: 4444

Update the audit_settings.yaml file

Example download is available here: https://github.com/sophos/sophos-firewall-audit/blob/main/audit_settings.yaml.example

You may use the default settings or tailor them to your requirements.

Copy/Save the YAML files into your working directory

Set Credentials on Windows CMD

set FW_USERNAME=<Your firewall username>

set FW_PASSWORD=<Your firewall password>

You may also allow API access to administrators with specific read-write permissions. Kindly refer here: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/APIAllowAccess/index.html

Note: Make sure you run set in CMD and not in PowerShell. In a PowerShell prompt, set creates PowerShell variables rather than environment variables. The audit script pulls the credentials from the system environment, so it cannot find them there.

Confirm that the API is enabled on the target Sophos Firewall(s) and that the IP address you are running the audit from is allowed

Under > Backup and firmware > API > API configuration

Run Audit: sophosfirewallaudit --inventory_file firewalls.yaml --settings_file audit_settings.yaml

After running the command above, the audit process should begin. 

View Results locally > results_html_local > index HTML

Viewing Sophos Firewall Audit Report
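A pre-flight check for the steps above, as an added example that is not part of the sophos-firewall-audit project: it confirms that FW_USERNAME and FW_PASSWORD are present in the process environment and that the inventory follows the hostname/port list format, catching a missing "- " list marker. The function names and sample hosts are constructed for illustration, and the parser assumes the flat inventory format shown on this page rather than full YAML.

```python
import os
import re

REQUIRED_ENV = ("FW_USERNAME", "FW_PASSWORD")  # variable names from the steps above
ITEM = re.compile(r"\s*(- )?\s*(\w+):\s*(\S+)")  # '- key: value' or '  key: value'

def missing_credentials(environ=os.environ):
    """Names of credential variables absent or empty in the process environment."""
    return [n for n in REQUIRED_ENV if not environ.get(n, "").strip()]

def check_inventory(text):
    """Validate the flat hostname/port list; return (entries, errors)."""
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = ITEM.fullmatch(line)
        if not m:
            errors.append(f"line {no}: expected 'key: value', got {line.strip()!r}")
            continue
        dash, key, value = m.groups()
        if dash:
            entries.append({})  # '- ' starts a new firewall entry
        if not entries:
            errors.append(f"line {no}: '{key}' appears before any '- ' list item")
        elif key in entries[-1]:
            errors.append(f"line {no}: duplicate '{key}', missing '- ' for a new firewall?")
        else:
            entries[-1][key] = value
    for i, e in enumerate(entries, 1):
        port = e.get("port", "")
        if "hostname" not in e:
            errors.append(f"entry {i}: no hostname")
        if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
            errors.append(f"entry {i}: port {port!r} is not a valid TCP port")
    return entries, errors

def preflight(inventory_text, environ=os.environ):
    """Collect every problem that would stop the audit authenticating or connecting."""
    problems = [f"{n} is not in the process environment (use 'set' in CMD, not PowerShell)"
                for n in missing_credentials(environ)]
    return problems + check_inventory(inventory_text)[1]

if __name__ == "__main__":
    sample = "- hostname: fw1.example.com\n  port: 4444\n"  # constructed sample
    for problem in preflight(sample):
        print("FAIL:", problem)
```

Run it from the same prompt that will launch sophosfirewallaudit, because it only sees the environment of the process it runs in.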

Related Information:

Further Information: The firewall audit is published as an open-source project on GitHub and can be installed using the instructions in the repository.

https://github.com/sophos/sophos-firewall-audit

Sophos Firewall API - https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/API/index.html

______________________________________________________________________________________________________________________________________



Revamping
[edited by: Erick Jan at 7:27 AM (GMT -7) on 17 Oct 2024]
  • I have tried to get this to work but for some reason the authentication fails but I can use Postman with the same credentials without issue. It's almost as if the environmental variables within PyCharm are being completely ignored or the sophosfirewallaudit.exe is not using them properly. The firewall admin log shows failed attempts but the username field is empty/"none".
