Unified Threat Management (UTM) makes security simple and Sophos UTM provides a network security package with everything you need in a single modular appliance. It simplifies your IT security without the complexity of multiple point solutions. The intuitive interface helps you to quickly create policies to control security risks, and clear, detailed reports provide you with the insights you need to improve your network performance and protection.
This document provides information about the Sophos UTM connector, which facilitates automated interactions, with a Sophos UTM server using FortiSOAR™ playbooks. Add the Sophos UTM connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or getting a list of blocked IP addresses, URLs, or applications.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Sophos UTM Versions: 9.5 and later
For the procedure to install a connector, click here.
Log on to the Sophos UTM Firewall server with the necessary credentials.
To block or unblock an application, you must create an Application Control Rule Policy in the Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created an Application Control Rule Policy named Cybersponse-application-blocker.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your Application Block Policy Name
configuration parameter. In our example, use Cybersponse-application-blocker in the Application Block Policy Name
field.
To block or unblock a URL, create Web Filter Profiles in Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created a Filter Profile named Cybersponse. Next, create a filter Cybersponse-Filter that contains a URL Group named Cybersponse-blocked-url-list in the Edit Filter Action > Block These Websites section. Add the Cybersponse-Filter to the Cybersponse profile.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your URL Block Policy Name
configuration parameter. In our example, use Cybersponse-blocked-url-list in the URL Block Policy Name
field.
To block or unblock an IP Address, you must create two network firewall rules as shown in the following image:
Next, create one network group, in our example name it Cybersponse_block_ip and add this name to both the rules you have created.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your IP Block Policy Name
configuration parameter. In our example, use Cybersponse_block_ip in the IP Block Policy Name
field.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Sophos UTM connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Sophos UTM Firewall server to which you will connect and perform automated operations. |
Port | Port number used for connecting to the Sophos UTM Firewall server. |
Username | Username to access the Sophos UTM Firewall server. |
Password | Password to access the Sophos UTM Firewall server. |
Application Block Policy Name | Name of the Application Control Rule Policy or filter that you have specified in Sophos UTM. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
URL Block Policy Name | Name of the URL Group that you have specified in Sophos UTM for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
IP Block Policy Name | List of the IP Hosts that you have specified in Sophos UTM for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Block URLs | Blocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_url Containment |
Unblock URLs | Unblocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_url Remediation |
Block IP Addresses | Blocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_ip Containment |
Unblock IP Addresses | Unblocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_ip Remediation |
Block Applications | Blocks or unblocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_app Containment |
Unblock Applications | Unblocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_app Remediation |
Get List of Blocked URLs | Retrieves a list of URLs that are blocked. | list_blocked_url Investigation |
Get List of Blocked IPs | Retrieves a list of IP addresses that are blocked. | list_blocked_ip Investigation |
Get List of Blocked Application Names | Retrieves a list of application names that are blocked. | list_blocked_app Investigation |
Check Policies | Checks whether or not the policies you have mentioned in the Configuration parameters section are valid. | check_policy Investigation |
Parameter | Description |
---|---|
URLs | URLs that you want to block. URLs must be in the list format. For example, ["www.example.com", "www.example1.com"] |
The JSON output contains a status message of whether or not the URLs are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
URLs | URLs that you want to unblock. URLs must be in the list format. For example, ["www.example.com", "www.example1.com"] |
The JSON output contains a status message of whether or not the URLs are successfully unblocked.
Following image displays a sample output:
Parameter | Description |
---|---|
IPs | IP addresses that you want to block. IP addresses must be in the list format. For example, ["X..X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
IPs | IP addresses that you want to unblock. IP addresses must be in the list format. For example, ["X..X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Name List | List of application names that you want to block. Application names must be in the list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Name List | List of application names that you want to unblock. Application names must be in the list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully unblocked.
Following image displays a sample output:
None
The JSON output contains a list of blocked URLs.
Following image displays a sample output:
None
The JSON output contains a list of blocked IP addresses.
Following image displays a sample output:
None
The JSON output contains a list of names of blocked applications.
Following image displays a sample output:
None
The JSON output contains a status message of whether or not the given policies are valid. This operation checks the policies you have mentioned in the Configuration parameters section.
Following image displays a sample output:
The Sample - Sophos UTM-9 - 1.0.0
playbook collection comes bundled with the Sophos UTM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos UTM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Unified Threat Management (UTM) makes security simple and Sophos UTM provides a network security package with everything you need in a single modular appliance. It simplifies your IT security without the complexity of multiple point solutions. The intuitive interface helps you to quickly create policies to control security risks, and clear, detailed reports provide you with the insights you need to improve your network performance and protection.
This document provides information about the Sophos UTM connector, which facilitates automated interactions, with a Sophos UTM server using FortiSOAR™ playbooks. Add the Sophos UTM connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or getting a list of blocked IP addresses, URLs, or applications.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Sophos UTM Versions: 9.5 and later
For the procedure to install a connector, click here.
Log on to the Sophos UTM Firewall server with the necessary credentials.
To block or unblock an application, you must create an Application Control Rule Policy in the Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created an Application Control Rule Policy named Cybersponse-application-blocker.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your Application Block Policy Name
configuration parameter. In our example, use Cybersponse-application-blocker in the Application Block Policy Name
field.
To block or unblock a URL, create Web Filter Profiles in Sophos UTM Firewall server as shown in the following image:
For example, in the above image, we have created a Filter Profile named Cybersponse. Next, create a filter Cybersponse-Filter that contains a URL Group named Cybersponse-blocked-url-list in the Edit Filter Action > Block These Websites section. Add the Cybersponse-Filter to the Cybersponse profile.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your URL Block Policy Name
configuration parameter. In our example, use Cybersponse-blocked-url-list in the URL Block Policy Name
field.
To block or unblock an IP Address, you must create two network firewall rules as shown in the following image:
Next, create one network group, in our example name it Cybersponse_block_ip and add this name to both the rules you have created.
When you are configuring your Sophos UTM connector in FortiSOAR™, you must use the name that you have specified in this step as your IP Block Policy Name
configuration parameter. In our example, use Cybersponse_block_ip in the IP Block Policy Name
field.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Sophos UTM connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Hostname | IP address or Hostname of the Sophos UTM Firewall server to which you will connect and perform automated operations. |
Port | Port number used for connecting to the Sophos UTM Firewall server. |
Username | Username to access the Sophos UTM Firewall server. |
Password | Password to access the Sophos UTM Firewall server. |
Application Block Policy Name | Name of the Application Control Rule Policy or filter that you have specified in Sophos UTM. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
URL Block Policy Name | Name of the URL Group that you have specified in Sophos UTM for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
IP Block Policy Name | List of the IP Hosts that you have specified in Sophos UTM for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos UTM Firewall section. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Block URLs | Blocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_url Containment |
Unblock URLs | Unblocks URLs using the URL Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_url Remediation |
Block IP Addresses | Blocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_ip Containment |
Unblock IP Addresses | Unblocks IP addresses using the IP Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_ip Remediation |
Block Applications | Blocks or unblocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
block_app Containment |
Unblock Applications | Unblocks applications using the Application Block Policy Name that you have specified while configuring the Sophos UTM Firewall connector. See the Configuration parameters section. |
unblock_app Remediation |
Get List of Blocked URLs | Retrieves a list of URLs that are blocked. | list_blocked_url Investigation |
Get List of Blocked IPs | Retrieves a list of IP addresses that are blocked. | list_blocked_ip Investigation |
Get List of Blocked Application Names | Retrieves a list of application names that are blocked. | list_blocked_app Investigation |
Check Policies | Checks whether or not the policies you have mentioned in the Configuration parameters section are valid. | check_policy Investigation |
Parameter | Description |
---|---|
URLs | URLs that you want to block. URLs must be in the list format. For example, ["www.example.com", "www.example1.com"] |
The JSON output contains a status message of whether or not the URLs are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
URLs | URLs that you want to unblock. URLs must be in the list format. For example, ["www.example.com", "www.example1.com"] |
The JSON output contains a status message of whether or not the URLs are successfully unblocked.
Following image displays a sample output:
Parameter | Description |
---|---|
IPs | IP addresses that you want to block. IP addresses must be in the list format. For example, ["X..X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
IPs | IP addresses that you want to unblock. IP addresses must be in the list format. For example, ["X..X.X.X", "Y.Y.Y.Y"] |
The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Name List | List of application names that you want to block. Application names must be in the list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
Application Name List | List of application names that you want to unblock. Application names must be in the list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"] |
The JSON output contains a status message of whether or not the applications are successfully unblocked.
Following image displays a sample output:
None
The JSON output contains a list of blocked URLs.
Following image displays a sample output:
None
The JSON output contains a list of blocked IP addresses.
Following image displays a sample output:
None
The JSON output contains a list of names of blocked applications.
Following image displays a sample output:
None
The JSON output contains a status message of whether or not the given policies are valid. This operation checks the policies you have mentioned in the Configuration parameters section.
Following image displays a sample output:
The Sample - Sophos UTM-9 - 1.0.0
playbook collection comes bundled with the Sophos UTM connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos UTM connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.