Sophos Firewall: How to update SPX configuration using API

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

---

Overview

If you've multiple Sophos firewalls and want to update the SPX configuration, a better way would be to do it via API.

What to do

To update the SPX configuration, please follow the steps mentioned below:

Note: I've created a new user named API with an Administrator profile and generated it's the encrypted password for api user by following KBA Sophos Sophos Firewall: How to get the encrypted password form that can be used for API calls  

Step 1: Create a dummy IP host using the following query. I've created an IP host named ip1 and its value is 192.168.168.168.

Query 1:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request>
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set>
                <IPHost transactionid="">
                    <Name>ip1</Name>
                    <IPFamily>IPv4</IPFamily>
                    <HostType>IP</HostType>
                    <IPAddress>192.168.168.168</IPAddress>
                </IPHost>
            </Set>
        </Request>

Sample Output of query 1: 

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<IPHost transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</IPHost>
</Response>

Step 2:

For Email Legacy Mode use the following API query to update the SPX configuration:

Query 2:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request APIVersion="1800.1">
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set operation="update">
                <SPXConfiguration>
                    <SPSophoslobalTemplate>
                        <DefaultSPXTemplate>Default Template</DefaultSPXTemplate>
                    </SPSophoslobalTemplate>
                    <HostName>None</HostName>
                    <AllowedNetworks>
                        <Network>Specify Name of IP host created in Step 1 (i.e. ip1)</Network>
                    </AllowedNetworks>
                    <Port>8094</Port>
                    <KeepUnusedPassFor>30</KeepUnusedPassFor>
                    <AllowPassRegistrationFor>10</AllowPassRegistrationFor>
                    <SendNotifcationErrorTo>SenderOnly</SendNotifcationErrorTo>
                </SPXConfiguration>
            </Set>
        </Request>

Sample Output of query 2:

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<SPXConfiguration transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</SPXConfiguration>
</Response>

OR

For Email MTA Mode use the following API query to update the MTA SPX configuration 

Query 3:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request APIVersion="1800.1">
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set operation="update">
                <MTASPXConfiguration>
                    <SPSophoslobalTemplate>
                        <DefaultSPXTemplate>Default Template</DefaultSPXTemplate>
                    </SPSophoslobalTemplate>
                    <HostName>None</HostName>
                    <AllowedNetworks>
                        <Network>Specify Name of IP host created in Step 1 (i.e. ip1)</Network>
                    </AllowedNetworks>
                    <Port>8094</Port>
                    <KeepUnusedPassFor>30</KeepUnusedPassFor>
                    <AllowPassRegistrationFor>10</AllowPassRegistrationFor>
                    <SendNotifcationErrorTo>SenderOnly</SendNotifcationErrorTo>
                    <AllowSecureReplyfor>30</AllowSecureReplyfor>
                </MTASPXConfiguration>
            </Set>
        </Request>

Sample Output of query 3:

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<MTASPXConfiguration transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</MTASPXConfiguration>
</Response>

In case you're getting error <Status code="529">Input request file is Invalid</Status> refer KBA Sophos Sophos Firewall: How to solve <Status code="529">Input request file is Invalid</Status> while using API query with Sophos firewall

Related information

• Sophos Sophos Firewall: How to use API
• Sophos Sophos Firewall: How to get the encrypted password form that can be used for API calls
• Sophos Sophos Firewall: How to solve <Status code="529">Input request file is Invalid</Status> while using API query with Sophos firewall

---

Added Table of Contents, Horizontal line
[edited by: emmosophos at 11:20 PM (GMT -8) on 14 Nov 2023]