
What is the Easiest Way to Add a Large Number of Definitions?

Greetings Sophos community,

 

At my work, we have a Sophos 210SG UTM. Every few days, we receive lists of risky IP addresses and domains that should be blocked.

In the last two weeks, we started receiving huge lists, like 250 IP addresses or 300 domains, that we have to block. And the IP addresses are not ranges or in sequence.

I will be able to handle all that with the CLI, but I did not find any reference that could help me deal with the Sophos CLI.

In this case, does anybody know the best way to handle such a huge configuration, or at least help me with a solution?

 

Thank you for your time



  • You need to look at the REST API, although I have not used it so I don't know what is available for this issue. UTM is designed to be managed through the GUI, so nothing is documented about CLI scripts.

    This also seems like the arcade game of whack-a-mole. There are 4 billion IPv4 addresses, and an almost-infinite number of IPv6 addresses, so I don't know that you can make much headway entering 250 at a time.

    I also wonder how many entries you can have in your list before UTM performance collapses, either during configuration tasks or during packet processing. Windows folders tend to become very inefficient to browse after they have 2000 entries, so I am extrapolating from bad experiences there.

    Suggest you look at Country Blocking and additional RBLs to preemptively block addresses that you do not need or do not trust. When you do block an IP address, I would recommend blocking the /24 subnet rather than just one address.

    When our staff travels overseas, they have to notify us of their current IP address, even if it changes every day. We unblock that one address for remote access and leave the rest of the country blocked.

    All of this depends of course on your communication requirements, both incoming and outgoing.
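As an added example (not code from this thread or from Sophos), here is how the bulk import of risky IPs discussed above could be scripted against the UTM RESTful API instead of being typed into the GUI. The base URL, the token-based Basic auth, the /objects/network/host/ endpoint, its JSON fields and the `_ref` response key are assumptions to check against your UTM's API documentation; the input list is constructed from documentation addresses.

```python
"""Bulk-create Sophos UTM host definitions from a risky-IP list. Assumed, not from
this page: RESTful API at https://<utm>:4444/api/, Basic auth from "token:<TOKEN>",
endpoint /objects/network/host/ taking {"name", "address", "comment"}."""
import base64
import ipaddress
import json
import ssl
import urllib.request

# Constructed sample in the shape the thread describes (documentation addresses).
SAMPLE_LIST = """
192.0.2.10
198.51.100.7
bad-host.example   # a domain: skipped here, it needs a DNS host object instead
198.51.100.7       # duplicate
300.1.2.3          # not a valid address
"""

def parse_ip_list(text):
    """Return valid IPv4/IPv6 addresses, deduplicated, in input order."""
    out = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            out.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # domain or garbage: not a host object
    return list(dict.fromkeys(out))  # dedupe, keep first occurrence

def host_payloads(addresses, tag="blocklist"):
    """One network/host object per address, named so the batch is easy to find."""
    return [{"name": f"{tag}-{a}", "address": a, "comment": f"bulk import {tag}"}
            for a in addresses]

def push_hosts(utm, token, payloads, ca_file=None):
    """POST each payload to the UTM; return the created object references."""
    ctx = ssl.create_default_context(cafile=ca_file)  # keep TLS verification on
    auth = base64.b64encode(f"token:{token}".encode()).decode()
    refs = []
    for body in payloads:
        req = urllib.request.Request(
            f"https://{utm}:4444/api/objects/network/host/", method="POST",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Basic {auth}", "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            refs.append(json.load(resp)["_ref"])  # assumed response key
    return refs
```

The returned references can then be collected into a network group and that single group used in the firewall rule, which keeps the rule set readable as the lists grow.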

  • Hello,

    There is no way via the GUI. I don't think via the CLI either. Because of performance issues I would look into country blocking instead.

    Regards

    Jason

    Sophos Certified Architect - UTM

  • Thank you for replying

    I will look into the REST API to see what's in there to help me

  • Thank you for replying

    Well, this is very disappointing that this cannot be done with the CLI. I have worked with Cisco ASA and Fortigate firewalls, and I used to use the CLI for bulk configuration, which saved me centuries of time.

    Also, I've already enabled country blocking based on the cyber security requirements in our company, but the wanted IP addresses are randomly scattered around the world.

  • Ahlan and welcome to the UTM Community!

    The problem one has when learning a new metaphor is that it's hard to ask the right questions.

    I don't believe that one needs to do this when using the Sophos UTM, but that assumes that the UTM is otherwise well configured.  Show us 10 or 20 IPs and tell us what threat you want to avoid.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • One option is to put an ASA device in front of your UTM.   It is not a particularly expensive device in a basic configuration.   Since you already have the scripting ready to go, the savings in your labor and the ability to respond quickly should be enough to justify the purchase.

  • Thank you, Bob

    Actually, I was shocked when I started dealing with Sophos when I found that it lacks the granularity and ease of control of some other firewalls that I have dealt with. That's why I am having crazy troubles with Sophos.

    Anyway, these requests come from a government entity to instruct the related companies to block the IP addresses they mention. And I have no idea what the threats behind those IP addresses are. Here is a sample of the IP addresses if that would help you help me:


    Thank you for your time

  • Well, that's a good idea, Douglas

    In that case I would feel like I have a Sophos UTM + a real firewall to accomplish firewall work lol

    Actually, there is a Cisco router. I will see if I can use it as a zone-based firewall in this case

    Thank you, Douglas

  • UTM is not a traditional firewall, and Sophos has been careful not to put the word "firewall" in its name. However, it can be used effectively as a firewall if you have a knowledgeable person who understands the nuances of making its unique architecture work as an equivalent to a firewall. Lack of that knowledge (some of which is not in the manual but is on this forum) can also create unwanted risks. I use UTM in bridge mode behind an ASA. This configuration works very well for me, providing protections that my ASA does not.

  • Exactly

    Unlike Cisco, Fortinet, and some other vendors, it is very difficult to find proper Sophos documentation for many aspects. And that forces the customers to be constrained to Sophos support. Everything would be different if there were solid, organised knowledge-base web pages like Cisco's, for instance.

    For your scenario, you are using a Sophos UTM and an ASA firewall, while Fortigate firewalls (UTMs) can handle all of that for you in only one appliance. I think this is what UTM vendors must focus on, and that is to provide a really unified solution that saves time and equipment.