Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: Automated Firewall Audit Tool

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


 Note: Support would not be provided for this tool via Sophos Support

Overview

This recommended read describes the automated audit tool allowing you to audit one or more Sophos firewalls to comply with baseline security settings. The audit compares a defined set of expected settings (the baseline) with each firewall's actual running configuration and produces an HTML report indicating the audit Pass/Fail status.

Installation and Requirement:

The firewall audit can be installed using the Python pip installer. Python 3.9 is the minimum version required on your system prior to installation. We recommend installing it into a Python virtual environment so as not to interfere with any other Python packages installed on your system.

The scenario would use Python 3.12 as interpreter and Pycharm as IDE and will use a Windows environment. 

Installation Steps:

Create Python Venv on IDE

python -m venv firewallaudit

Start the venv on IDE -  for Windows

firewallaudit\Scripts\activate.bat

Download the sophos-firewall-audit

pip install sophos-firewall-audit

Note: Windows users may see the error message ModuleNotFoundError: No module named 'pkg_resources' when running the sophosfirewallaudit command. To correct this, run pip install setup tools.

 Install setuptools to address the error

pip install setuptools

--help will now run.

Update the firewall.yaml file of your firewall inventory

You may also down the example here: https://github.com/sophos/sophos-firewall-audit/blob/main/firewalls.yaml.example

Here, you may also put more than one firewall on the list using the format:
-hostname: 172.16.16.1
 port: 4444
 hostname: 34dtmxgsfw1.ddns.net 
 port: 4444
 hostname: 10.153.189.23
 port: 4444

Update the auditsettings.yaml file

Example download is available here: https://github.com/sophos/sophos-firewall-audit/blob/main/audit_settings.yaml.example

You may use the default settings or tailor-fit it to your requirements.

Copy/save the Yaml files in your working directory.

Set Credentials on Windows CMD

set FW_USERNAME=<Your firewall username>

set FW_PASSWORD=<Your firewall password>

You may also allow administrators with specific read-write permissions API access. Kindly refer here:

Note: Ensure you're configuring the set on CMD, not Powershell. When we use set in the PowerShell prompt, we set the variables rather than the environment variables.  The audit script is trying to pull the credentials from the system environment, so it can't find those.

Confirm that API is turned on on the Target Sophos Firewall/s, including the allowed IP Address.

Under > Backup and firmware > API > API configuration

Run Audit: sophosfirewallaudit --inventory_file firewalls.yaml --settings_file audit_settings.yaml

After running the command, the audit process will begin. 

View Results locally > results_html_local > index HTML

Viewing Sophos Firewall Audit Report

Related Information:

Further Information—The firewall audit is published as an open-source project on Github and can be installed using the instructions in the repository.

https://github.com/sophos/sophos-firewall-audit

Sophos Firewall API




Revamped spelling, spacing and grammar
[edited by: Erick Jan at 5:23 AM (GMT -8) on 27 Nov 2024]
Parents
  • I have tried to get this to work but for some reason the authentication fails but I can use postman with the same credentials without issue. It's almost as if the environmental variables within pycharm are being completely ignored or the sophosfirewallaudit.exe is not using them properly. The firewall admin log shows failed attempts but but the username field is empty/"none".

  • Hi, I have run into the same credentials errors...
    Changing the password  to be "windows prompt safe" made the login successful.

    To make it simple: some character are not suitable to be used on the command line ...
    as an example: \ is an escape char...

Reply Children
No Data