Fortinet Document Library

About the connector

Sophos XG Firewall provides unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls.

This document provides information about the Sophos XG connector, which facilitates automated interactions with a Sophos XG server using FortiSOAR™ playbooks. Add the Sophos XG connector as a step in FortiSOAR™ playbooks and perform automated operations, such as blocking or unblocking IP addresses, URLs, or applications, or getting a list of blocked IP addresses, URLs, or applications.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Sophos XG Firewall Versions: 17.0.0.0 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Sophos XG server to which you will connect and perform the automated operations and credentials to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
  • To block or unblock IP addresses, URLs, or applications, you need to add the necessary configuration to the Sophos XG Firewall. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos XG Firewall section.

Blocking or Unblocking IP addresses, URLs, or applications in Sophos XG Firewall

  1. Log on to Sophos XG Firewall with the necessary credentials.
  2. To block or unblock a URL, create a Web Policy in Sophos XG Firewall as shown in the following image:

    Sophos XG Firewall: Create Web Policy 

    For example, in the above image, we have created a Web Policy named Test-Web and a URL group named Blocked URLs for Default Policy, added the Blocked URLs for Default Policy group to the Test-Web policy, and set the Action column to Block HTTP and Block HTTPS.
    When you are configuring your Sophos XG connector in FortiSOAR™, you must use the name that you have specified in this step as your URL Group Name configuration parameter. In our example, use Blocked URLs for Default Policy in the URL Group Name field.
  3. To block or unblock an IP Address, you must add the IP Host in Sophos XG Firewall as shown in the following image:

    Sophos XG Firewall: Add IP Host 

    For example, in the above image, we have named the IP Host list Block_Destination_IP_List.
    When you are configuring your Sophos XG connector in FortiSOAR™, you must use the name that you have specified in this step as your IP Host Name configuration parameter. In our example, use Block_Destination_IP_List in the IP Host Name field.
  4. To block or unblock an application, you must create an application filter in Sophos XG Firewall as shown in the following image:

    Sophos XG Firewall: Create Application Filter

    For example, in the above image, we have created an application filter named Test-App.
    When you are configuring your Sophos XG connector in FortiSOAR™, you must use the name that you have specified in this step as your Application Filter Name configuration parameter. In our example, use Test-App in the Application Filter Name field.
  5. Add the name of the Web Policy and the name of the Application Filter in the Advance section of the firewall rule in Sophos XG, as shown in the following image:

    Sophos XG Firewall: Advance Section

    As shown in the above image, we have chosen Test-Web from the Web Policy drop-down list and Test-App from the Application Control drop-down list, based on our example.
  6. Add a new firewall rule for blocking IP addresses, as shown in the following image:

    Sophos XG Firewall: Add Firewall Rule
     
  7. To allow API requests, you must add your IP address to Sophos XG Firewall. Navigate to System > Backup & Firmware > API to open the API Configuration page and add your IP address as shown in the following image:

    Sophos XG Firewall: API Configuration Page
     

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Sophos XG connector and click Configure to configure the following parameters:

 

  • Hostname: IP address or hostname of the Sophos XG Firewall server.
  • Port: Port number used for connecting to the Sophos XG Firewall server.
  • Username: Username to access the Sophos XG Firewall server.
  • Password: Password to access the Sophos XG Firewall server.
  • URL Block Policy Name (URL Group Name): Name of the URL Group that you have specified in Sophos XG Firewall for blocking or unblocking URLs. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos XG Firewall section.
  • IP Block Policy Name (IP Host Name): Name of the IP Host list that you have specified in Sophos XG Firewall for blocking or unblocking IP addresses. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos XG Firewall section.
  • Application Block Policy Name (Application Filter Name): Name of the application filter that you have specified in Sophos XG Firewall for blocking or unblocking applications. See the Blocking or Unblocking IP addresses, URLs, or applications in Sophos XG Firewall section.
  • Verify SSL: Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True.

 

Actions supported by the connector

The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:

 

  • Block URLs: Blocks URLs using the URL Group Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: block_url. Category: Containment.
  • Unblock URLs: Unblocks URLs using the URL Group Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: unblock_url. Category: Remediation.
  • Block IP Addresses: Blocks IP addresses using the IP Host Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: block_ip. Category: Containment.
  • Unblock IP Addresses: Unblocks IP addresses using the IP Host Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: unblock_ip. Category: Remediation.
  • Block Applications: Blocks applications using the Application Filter Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: block_app. Category: Containment.
  • Unblock Applications: Unblocks applications using the Application Filter Name that you have specified while configuring the Sophos XG Firewall connector. See the Configuration parameters section. Annotation: unblock_app. Category: Remediation.
  • Get List of Blocked URLs: Retrieves a list of URLs that are blocked. Annotation: list_blocked_url. Category: Investigation.
  • Get List of Blocked IPs: Retrieves a list of IP addresses that are blocked. Annotation: list_blocked_ip. Category: Investigation.
  • Get List of Blocked Application Names: Retrieves a list of application names that are blocked. Annotation: list_blocked_app. Category: Investigation.
  • Check Policies: Checks whether or not the policies you have mentioned in the Configuration parameters section are valid. Annotation: check_policy. Category: Investigation.

 

 

operation: Block URLs

Input parameters

 

  • URLs: URLs that you want to block, in list format. For example, ["www.abc.com", "www.test.com"]

 

Output

The JSON output contains a status message of whether or not the URLs are successfully blocked.

The following image displays a sample output:
 

Sample output of the Block URLs operation

 

operation: Unblock URLs

Input parameters

 

  • URLs: URLs that you want to unblock, in list format. For example, ["www.abc.com", "www.test.com"]

 

Output

The JSON output contains a status message of whether or not the URLs are successfully unblocked.

The following image displays a sample output:
 

Sample output of the Unblock URLs operation

 

operation: Block IP Addresses

Input parameters

 

  • IPs: IP addresses that you want to block, in list format. For example, ["X.X.X.X", "Y.Y.Y.Y"]
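The list-format inputs of the Block/Unblock URLs and Block/Unblock IP Addresses steps usually come out of an enrichment step, where a stray scheme, a duplicate, or an internal address can slip in. The following Python is an added example for this page, not code from the connector or from Sophos XG: it normalizes both kinds of list before the playbook hands them to the block step and holds back anything that does not belong on the firewall. The function names, the NEVER_BLOCK list, the acceptance of either a JSON string or a parsed list, and the assumption that the URL group is keyed on the hostname are all this example's own.

```python
"""Validate the list-format inputs of the Block/Unblock URLs and
Block/Unblock IP Addresses steps before calling the connector.

Added example for this page, not connector or Sophos XG code. Assumptions:
playbook variables may arrive as a JSON string such as '["X.X.X.X"]' or as a
parsed list; NEVER_BLOCK is a constructed list of address space that a
containment playbook should not block without an explicit override."""
import ipaddress
import json
import re

# Constructed: unspecified, loopback, RFC 1918, link-local, multicast, ULA.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# RFC 1123 style hostname: labels of 1-63 chars, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\.?$"
)


def _coerce_list(value):
    """Accept a list or a JSON-encoded list; anything else is a format error."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError as exc:
            raise ValueError(f"input is not a JSON list: {exc}") from None
    if not isinstance(value, list):
        raise ValueError('input must be a list, e.g. ["X.X.X.X", "Y.Y.Y.Y"]')
    return value


def normalize_ips(value, allow_internal=False):
    """Return (accepted, rejected) for a Block/Unblock IP Addresses input.

    accepted: canonical, de-duplicated addresses in input order
    rejected: (entry, reason) pairs for the analyst to review
    """
    accepted, rejected, seen = [], [], set()
    for raw in _coerce_list(value):
        entry = str(raw).strip()
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not a valid IP address"))
            continue
        if not allow_internal and any(ip in net for net in NEVER_BLOCK):
            # Auto-blocking internal ranges can cut off the firewall, the
            # SOAR host or a whole site; require an explicit override.
            rejected.append((entry, "internal address; allow_internal=True to override"))
            continue
        canon = str(ip)
        if canon not in seen:          # IP host lists are sets; drop repeats
            seen.add(canon)
            accepted.append(canon)
    return accepted, rejected


def normalize_urls(value):
    """Return (accepted, rejected) for a Block/Unblock URLs input.

    Entries are reduced to a lowercase hostname, as in the page's example
    ["www.abc.com", "www.test.com"]. Scheme, userinfo, port and path are
    stripped (assumption: the URL group is keyed on the host), and a bare IP
    is rejected so it can be routed to the Block IP Addresses step instead.
    """
    accepted, rejected, seen = [], [], set()
    for raw in _coerce_list(value):
        entry = str(raw).strip().lower()
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry).split("/", 1)[0]
        host = host.split("@")[-1].split(":")[0].rstrip(".")
        try:
            ipaddress.ip_address(host)
            rejected.append((entry, "IP address; use the Block IP Addresses step"))
            continue
        except ValueError:
            pass
        if not host or not _HOSTNAME_RE.match(host):
            rejected.append((entry, "not a valid hostname"))
            continue
        if host not in seen:
            seen.add(host)
            accepted.append(host)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs shaped like playbook variables.
    print(normalize_ips('["203.0.113.7", "203.0.113.7", "10.0.0.5", "not-an-ip"]'))
    print(normalize_urls(["https://WWW.ABC.com/login", "www.test.com", "198.51.100.1", "bad_host!"]))
```

Feed only the accepted list to the block step and route the rejected pairs to a manual-review task; a containment playbook that silently drops or silently blocks a malformed entry is hard to audit later.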

 

Output

The JSON output contains a status message of whether or not the IP addresses are successfully blocked.

The following image displays a sample output:

 

Sample output of the Block IP Addresses operation

 

operation: Unblock IP Addresses

Input parameters

 

  • IPs: IP addresses that you want to unblock, in list format. For example, ["X.X.X.X", "Y.Y.Y.Y"]

 

Output

The JSON output contains a status message of whether or not the IP addresses are successfully unblocked.

The following image displays a sample output:

 

Sample output of the Unblock IP Addresses operation

 

operation: Block Applications

Input parameters

 

  • Application Name List: List of application names that you want to block, in list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"]

 

Output

The JSON output contains a status message of whether or not the applications are successfully blocked.

The following image displays a sample output:

 

Sample output of the Block Applications operation

 

operation: Unblock Applications

Input parameters

 

  • Application Name List: List of application names that you want to unblock, in list format. For example, ["TeamViewer FileTransfer", "TeamViewer Conferencing"]

 

Output

The JSON output contains a status message of whether or not the applications are successfully unblocked.

The following image displays a sample output:

 

Sample output of the Unblock Applications operation

 

operation: Get List of Blocked URLs

Input parameters

None

Output

The JSON output contains a list of blocked URLs.

The following image displays a sample output:

 

Sample output of the Get List of Blocked URLs operation

 

operation: Get List of Blocked IPs

Input parameters

None

Output

The JSON output contains a list of blocked IP addresses.

The following image displays a sample output:

 

Sample output of the Get List of Blocked IPs operation
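Because Get List of Blocked IPs sits alongside Block IP Addresses and Unblock IP Addresses, a playbook can read the firewall's current state before it writes, which makes a re-run block a no-op and keeps one incident's cleanup from removing a block another incident still relies on. The following Python is an added example for this page and is not the connector's or FortiSOAR's code: FakeIpHostList is a constructed stand-in for the three IP operations (in a real playbook those calls go to the connector steps), and ContainmentLedger is a hypothetical playbook-side record of which case requested each block.

```python
"""Reconcile a containment playbook's IP blocks against the firewall's
current list, using only the connector's three IP operations as primitives:
list_blocked_ip, block_ip and unblock_ip.

Added example for this page, not connector code. FakeIpHostList is a
constructed stand-in for the IP Host list named in the IP Block Policy Name
parameter; ContainmentLedger is a hypothetical playbook-side record."""
from collections import defaultdict


class FakeIpHostList:
    """Constructed stand-in: list_blocked_ip returns the current entries,
    block_ip / unblock_ip mutate them, and every call is recorded."""

    def __init__(self, initial=()):
        self._hosts = set(initial)
        self.calls = []   # (operation, [ips]) in the order they were issued

    def list_blocked_ip(self):
        return sorted(self._hosts)

    def block_ip(self, ips):
        self.calls.append(("block_ip", list(ips)))
        self._hosts.update(ips)
        return {"status": "success", "blocked": list(ips)}

    def unblock_ip(self, ips):
        self.calls.append(("unblock_ip", list(ips)))
        self._hosts.difference_update(ips)
        return {"status": "success", "unblocked": list(ips)}


class ContainmentLedger:
    """Hypothetical per-case record of which IPs each incident asked to block.

    Two incidents may block the same IP; it is released only when the last
    case holding it closes, and only if it is still on the firewall list.
    Entries an analyst added by hand are never in the ledger, so a case
    closure never touches them.
    """

    def __init__(self, firewall):
        self.fw = firewall
        self.holders = defaultdict(set)   # ip -> set of case ids

    def block(self, case_id, requested):
        """Record the request and send only addresses not already blocked."""
        current = set(self.fw.list_blocked_ip())
        for ip in requested:
            self.holders[ip].add(case_id)
        # Idempotent: a re-run playbook does not re-send existing blocks.
        new = [ip for ip in dict.fromkeys(requested) if ip not in current]
        if new:
            self.fw.block_ip(new)
        return new

    def release(self, case_id):
        """Unblock what this case held exclusively and is still present."""
        current = set(self.fw.list_blocked_ip())
        to_unblock = []
        for ip, cases in list(self.holders.items()):
            cases.discard(case_id)
            if cases:
                continue   # another open case still needs this block
            del self.holders[ip]
            if ip in current:
                to_unblock.append(ip)
        if to_unblock:
            self.fw.unblock_ip(to_unblock)
        return to_unblock


if __name__ == "__main__":
    fw = FakeIpHostList(["198.51.100.9"])   # constructed: analyst-added entry
    ledger = ContainmentLedger(fw)
    print(ledger.block("INC-1", ["203.0.113.7", "203.0.113.8"]))
    print(ledger.block("INC-2", ["203.0.113.8", "203.0.113.9"]))
    print(ledger.release("INC-1"), fw.list_blocked_ip())
    print(fw.calls)
```

The same read-before-write pattern applies to the URL group and the application filter, since the connector exposes a list operation for each of them as well.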

 

operation: Get List of Blocked Application Names

Input parameters

None

Output

The JSON output contains a list of names of blocked applications.

The following image displays a sample output:

 

Sample output of the Get List of Blocked Application Names operation

 

operation: Check Policies

Input parameters

None

Output

The JSON output contains a status message of whether or not the given policies are valid. This operation checks the policies you have mentioned in the Configuration parameters section.

The following image displays a sample output:
 

Sample output of the Check Policies operation
 

Included playbooks

The Sample - Sophos XG - 1.0.0 playbook collection comes bundled with the Sophos XG connector. This collection contains playbooks whose steps show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Sophos XG connector.

  • Block Applications
  • Unblock Applications
  • Block URLs
  • Unblock URLs
  • Block IP Addresses
  • Unblock IP Addresses
  • Get List of Blocked Application Names
  • Get List of Blocked IPs
  • Get List of Blocked URLs
  • Check Policies

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 

 

 
