Sophos Firewall: v21.0 EAP1: Third Party Threat Feeds Discussions

Release Post:  Sophos Firewall v21 Early Access Announcement 

What's New Link: https://assets.sophos.com/X24WTUEQ/at/7t8k46h9ttmxt6pn8g58k7wb/sophos-firewall-key-new-features-v21.pdf 

General V21.0 EAP1 Discussion Channel:  Sophos Firewall: v21.0 EAP1: Feedback and experiences (EAP Thread)  

Feel free to share your experience with 3rd Party Threat Feeds: what you imported, your reasoning for importing them, and whether it worked or not. 

Active Threat Response with 3rd Party Threat Feeds: 

  • Active Threat Response has been extended with support for third-party threat feeds to enable easier integration with 3rd party SOC providers, MSPs and industry-specific security consortia.
  • Now you can easily add additional vertical or custom threat feeds to the firewall, which will monitor and respond in the same automatic way, blocking any activity associated with them, across all security engines and without requiring any additional firewall rules.

Set up and monitor your third-party threat feeds under the Active Threat Response menu. 

  • Synchronized Security’s automated response to active threats is also extended to third-party threat feeds. The firewall presents threat analysis after correlating threat attempts with managed endpoints.


[edited by: LuCar Toni at 7:53 AM (GMT -7) on 30 Aug 2024]
  • Are those people accessing services you offer or simply ACL blocks, which would be blocked anyway? 


  • They are both; looks like some just try to access (or maybe scan) for services like SSH, RDP or whatever, some are also coming to ports that are forwarded to internal servers. There are also a lot of high-range dst-ports that I do not recognize as belonging to certain services.

    I have the feeling that most would have been blocked anyway. However, I like the idea of just blocking them at the front door before they could be allowed to look for vulnerabilities in services that are otherwise publicly available.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT security challenges.

  • Is there any way to increase the reserved amount of space/memory? I’m a home user, so limited to 6GB of RAM (8GB physically installed) and I can’t use URLhaus’s blocklist - just get “Storage Full”.

    I suppose one solution is to just use the URLhaus “online” list, which is significantly less URLs.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Certainly interested in this, but a home user install in a virtual instance at the moment. My XG135 Rev3 currently has pfSense with pfBlockerNG installed, but looking to migrate back to Sophos.

    I have Wireguard VPN, so will have to host the VPN concentrator on an alternate box.

    Will have to look at various feeds, but Snort, Talos and CrowdSec in the first instance.

  • Eliminating Noisy Alerts in v21 GA for Third-Party Feeds

    Thank you everyone for your valuable participation in EAP1 and for sharing fantastic feedback.

    In the EAP version of SFOS v21, access attempts on the user portal, admin portal, or other services triggered excessive alerts, even when local ACLs blocked access. This was because the IoC match happened before the local ACL check, causing the firewall to generate alerts for any IP address matched against the IoC list (both for source and destination).

    In v21 GA, we’ve improved this by moving the IoC matching after the local ACL check. This ensures that alerts are only generated for access attempts allowed by the ACL, significantly reducing alerts while maintaining protection against brute force attacks.
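The ordering change described in the post above, as an added example that is not Sophos code and not part of the original thread: a small simulation of the firewall's own service ACLs (admin portal, user portal, SSH) run twice over the same constructed traffic, once with the IoC match before the local ACL check (EAP1 behaviour) and once after it (GA behaviour). The ACL, the IoC list and the packets are all invented sample data using TEST-NET addresses; the point is that both orders block the same packets, but only the GA order stops alerting on access attempts the ACL would drop anyway.

```python
"""Added example (not Sophos code): IoC match before vs after the local ACL.

Models only the firewall's own services guarded by local ACLs, as in the
post; forwarded traffic and outbound firewall rules are out of scope.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed local ACL: destination port -> source networks allowed to reach it.
LOCAL_ACL = {
    4444: [ipaddress.ip_network("10.0.0.0/8")],  # admin portal: LAN only
    443: [ipaddress.ip_network("0.0.0.0/0")],    # user portal: reachable from anywhere
    22: [ipaddress.ip_network("10.0.0.0/8")],    # SSH: LAN only
}

# Constructed third-party IoC list (TEST-NET addresses, not real indicators).
IOC_LIST = {"203.0.113.7", "198.51.100.23"}

# Constructed traffic against a firewall listening on 192.0.2.1.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.1", 4444),    # IoC IP, admin portal (ACL denies)
    Packet("203.0.113.7", "192.0.2.1", 22),      # IoC IP, SSH (ACL denies)
    Packet("198.51.100.23", "192.0.2.1", 443),   # IoC IP, user portal (ACL allows)
    Packet("10.1.2.3", "192.0.2.1", 4444),       # clean LAN host, admin portal
    Packet("192.0.2.50", "192.0.2.1", 4444),     # clean WAN host, admin portal (ACL denies)
    Packet("198.51.100.23", "192.0.2.1", 4444),  # IoC IP, admin portal (ACL denies)
]


def local_acl_allows(pkt: Packet) -> bool:
    """True if the local ACL permits this source to reach the service port."""
    nets = LOCAL_ACL.get(pkt.dport)
    if nets is None:
        return False
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in net for net in nets)


def ioc_match(pkt: Packet) -> bool:
    """The post says matching covers both source and destination addresses."""
    return pkt.src in IOC_LIST or pkt.dst in IOC_LIST


def process(packets, ioc_before_acl: bool):
    """Return (alerts, blocked) for one pipeline order.

    ioc_before_acl=True  -> EAP1 order: IoC match first, then local ACL.
    ioc_before_acl=False -> GA order: local ACL first, IoC match only on allowed traffic.
    """
    alerts = blocked = 0
    for pkt in packets:
        if ioc_before_acl:
            if ioc_match(pkt):
                alerts += 1
                blocked += 1
                continue
            if not local_acl_allows(pkt):
                blocked += 1
                continue
        else:
            if not local_acl_allows(pkt):
                blocked += 1  # dropped by the ACL, no IoC alert raised
                continue
            if ioc_match(pkt):
                alerts += 1
                blocked += 1
                continue
    return alerts, blocked


def compare(packets=SAMPLE_TRAFFIC):
    """Summarise both orders so the difference is visible side by side."""
    eap_alerts, eap_blocked = process(packets, ioc_before_acl=True)
    ga_alerts, ga_blocked = process(packets, ioc_before_acl=False)
    return {
        "eap1": {"alerts": eap_alerts, "blocked": eap_blocked},
        "ga": {"alerts": ga_alerts, "blocked": ga_blocked},
    }


if __name__ == "__main__":
    for order, stats in compare().items():
        print(f"{order}: {stats['alerts']} alerts, {stats['blocked']} blocked")
```

With this traffic the EAP1 order raises four alerts and the GA order one, while both block the same five packets. The one remaining GA alert is the IoC address reaching the user portal, which the ACL allows, so that is exactly the case a brute-force attempt would look like.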

  • Could you explain why there is “only” 10MB available, or why the data is not stored on the disk, but only in RAM?

    Which model has how much memory available for the feature? I read that 4GB RAM = 10MB, but it would be nice to see a calculation so that I know this for all models (including virtual).

    I also think it's a shame that we can't block subnets/ranges, regex or wildcards, if we notice that an ASN is interfering with our services. Is this feature coming?
    We have our own XSOAR in our private cloud and would like to implement this solution on the Sophos firewalls as well. For this we would certainly need more memory or the option to block ranges.
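Two posts in this thread hit the same wall: the “Storage Full” error when importing the full URLhaus list on a 6GB home box, and the question about the 10MB feed limit. The following is an added example, not Sophos or abuse.ch code: a pre-processing step that cleans a URL feed (comments, duplicates, entries that are not usable http(s) URLs) and cuts it to a byte budget before it is handed to the firewall, keeping entries marked online ahead of offline ones, which is the same trade-off as switching to the smaller “online” list but with the cut made where you choose. The 10MB budget is taken from the thread; the feed lines are constructed in a simplified `url,status` form and are not the real URLhaus export format.

```python
"""Added example (not Sophos or abuse.ch code): trim a URL threat feed to a
storage budget before import, preferring entries still marked online.
"""
from urllib.parse import urlsplit

# Assumed budget from the thread (4GB RAM model = 10MB); adjust per appliance.
FEED_BUDGET_BYTES = 10 * 1024 * 1024

# Constructed sample in a simplified "url,status" form (not the real URLhaus layout).
SAMPLE_FEED = """\
# constructed sample feed: url,status
http://203.0.113.7/loader.exe,online
http://203.0.113.7/loader.exe,online
https://malware.example/dropper.php,offline
http://198.51.100.23:8080/a.sh,online
ftp://bad.example/x,online
not a url,online
http://malware.example/archive/2019.bin,offline
"""


def parse_feed(text: str):
    """Yield (url, is_online) for well-formed, de-duplicated feed entries."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no indicator
        url, _, status = line.partition(",")
        url = url.strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            continue  # a URL IoC the firewall cannot match is dead weight
        if url in seen:
            continue  # duplicates would count against the budget twice
        seen.add(url)
        yield url, status.strip().lower() == "online"


def build_feed(text: str, budget_bytes: int = FEED_BUDGET_BYTES, prefer_online: bool = True):
    """Return (kept_urls, bytes_used, dropped_count) within the byte budget.

    Entries are taken in feed order, online entries first when prefer_online
    is set, and selection stops at the first entry that would overflow the
    budget so the priority order is honoured strictly.
    """
    entries = list(parse_feed(text))
    if prefer_online:
        entries.sort(key=lambda e: not e[1])  # stable: online first, feed order within
    kept, used = [], 0
    for url, _online in entries:
        size = len(url.encode("utf-8")) + 1  # one line per URL, newline included
        if used + size > budget_bytes:
            break
        kept.append(url)
        used += size
    return kept, used, len(entries) - len(kept)


def write_feed(path: str, text: str = SAMPLE_FEED, budget_bytes: int = FEED_BUDGET_BYTES) -> int:
    """Write the trimmed feed as one URL per line; returns the number of URLs written."""
    kept, _used, _dropped = build_feed(text, budget_bytes)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(kept) + "\n")
    return len(kept)


if __name__ == "__main__":
    kept, used, dropped = build_feed(SAMPLE_FEED, budget_bytes=100)
    print(f"kept {len(kept)} URLs in {used} bytes, dropped {dropped}")
    for url in kept:
        print(url)
```

Running the sample with a 100-byte budget keeps the two online entries plus one offline entry and drops the last offline one; with the 10MB budget everything valid fits. The same selection logic applies to any text feed that can be reduced to one indicator per line: run it on the full list, check `bytes_used` against the limit for your model, and only then import.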