Operating Sophos Firewall NDR and Active Threat Response
Sophos Firewall can provide additional insight into suspicious network traffic with NDR Essentials and NDR Active Threat Intelligence. This is useful when the goal is not only to block attacks but also to detect and investigate them and to follow them up in Sophos Central, XDR, MDR, or a SIEM.
It is important to set expectations: NDR on the firewall is not a magic switch that solves every problem by itself. The feature needs the right licenses, visible traffic, enabled log types, deliberately chosen firewall rules, and a process for evaluating hits. Without that operational side, the only result is more logs.
For classic indicators of compromise like malicious IP addresses, domains, or URLs, first set up Sophos Firewall Threat Feeds and operate them securely. This article focuses on NDR Essentials, NDR Active Threat Intelligence, and operational evaluation.
Keep the terms apart
Sophos uses several similar-sounding names. Admins should keep them apart, because each function works differently.
| Function | What happens | Typical benefit |
|---|---|---|
| NDR Essentials | The firewall analyzes selected flow data and detects IoCs like IP addresses or domains. | Network-based insights without a separate sensor VM. |
| NDR Active Threat Intelligence | The firewall uses curated Taegis-NDR patterns, detects suspicious traffic, logs events, and sends them to the Sophos Data Lake. | High-signal detection for XDR, MDR, or Security Operations. |
| Sophos Central NDR | Separate NDR product with its own sensor VM, typically via SPAN, Mirror, or TAP. | Broader view of east-west traffic, unmanaged devices, and internal network movements. |
| Threat Feeds | IoC lists like IPs, domains, or URLs are checked against traffic. | Block or monitor known malicious targets or sources. |
NDR Essentials and NDR Active Threat Intelligence therefore extend the firewall's own view. Sophos Central NDR is a separate architecture with its own sensor. Third-party Threat Feeds are a further component: they are indicator-based and, depending on the configured action, can block directly.
When deployment is sensible
NDR and Active Threat Response are particularly useful when a firewall is not just operated as a packet filter but is part of a detection-and-response process.
Typical scenarios:
- Client internet traffic should be checked for suspicious targets or patterns.
- Servers or DMZ systems should provide additional detection signals.
- XDR, MDR, or SOC should include firewall events in investigations.
- Multiple firewalls should be centrally evaluated in Sophos Central or a SIEM.
- There is already a process for alarms, tickets, false positives, and escalation.
Deployment makes less sense if nobody reviews the events, logs are not forwarded, or the relevant firewall rules are not adjusted. In that case, setting up Central Firewall Reporting or syslog forwarding to a SIEM (see Send Sophos Firewall Syslog to SIEM) comes first.
Prerequisites
Before activation, these points should be checked:
- The firewall runs on a supported SFOS version.
- The Xstream Protection Bundle is active.
- The firewall is registered in Sophos Central if Central Reporting, XDR, or MDR are to be used.
- Send reports and logs to Sophos Central is active if detections are to be visible in Sophos Central.
- The relevant log types are activated under System services > Log settings.
- IPS logging is enabled if NDR Active Threat Intelligence is used.
- Active threat response logging is enabled if NDR Essentials is used.
- There is a defined owner for review, tuning, exceptions, and escalation.
Before activation, platform limits must be checked. NDR Essentials does not support Active-Active HA deployment. NDR Active Threat Intelligence is not supported on XGS 87, XGS 87w, XGS 88, and XGS 88w. In HA environments, Understand Sophos Firewall HA Cluster Variants should be checked first.
Configure NDR Essentials
NDR Essentials is configured under Protect > Active threat response or, depending on the SFOS version, under Active threat response > NDR Essentials and Active Threat Intelligence. The exact menu label varies between SFOS versions.
Basic procedure:
- Activate NDR Essentials.
- Add relevant interfaces.
- Choose data center location for analysis.
- Set the minimum threat score deliberately.
- Check the action. NDR Essentials starts out by detecting and logging only.
- Open System services > Log settings.
- Activate logging for Active threat response.
- Save and check Log Viewer, Reports, or Central after a few minutes.
When selecting interfaces, do not pick everything indiscriminately. Interfaces that carry the relevant client, server, or DMZ traffic are the sensible choice. WAN interfaces are not the right place for this NDR evaluation; planning should focus on LAN, DMZ, and custom zones. Interface types that are not supported, such as RED or XFRM interfaces, should also be identified before rollout.
If no interfaces are selected, NDR Essentials will not learn new IoCs from the traffic. The firewall can still act on IoCs it has already detected. This is easy to overlook in operation.
Configure NDR Active Threat Intelligence
NDR Active Threat Intelligence uses curated Taegis-NDR detection patterns. The firewall detects and logs matching events and forwards them to the Sophos Data Lake. These signals can then be investigated in Sophos Central, XDR, MDR, or a SOC context.
Basic procedure:
- Open Active Threat Response > NDR Essentials and Active Threat Intelligence.
- Activate NDR Active threat intelligence.
- Choose minimum severity level.
- Check the action; it is set to Log threats.
- Open System services > Log settings.
- Activate IPS logging.
- Save.
- Then open the relevant firewall rules.
- Under Other security features, activate the option Scan with NDR Active threat intelligence.
- Save changes and validate with defined traffic.
The last point is crucial. Global activation alone is not enough. NDR Active Threat Intelligence must be activated in each firewall rule whose traffic is to be analyzed.
Which rules to select first
A good rollout does not start on all rules at once. A controlled pilot with well-understood traffic is better.
Sensible starting points:
- Client networks with internet access.
- Server networks with outgoing internet access.
- DMZ rules with published services.
- Rules for particularly critical internal segments.
- Rules that already have IPS, web filtering, or a TLS Inspection concept applied.
Rules without clear logging, without an owner, or with very broad unclassified traffic are not a good start. The rule base should be cleaned up first. For rule analysis and matching, Test firewall rule with Log Viewer, Policy Test, and Packet Capture is suitable.
Visibility and TLS Inspection
NDR signals are only as good as the firewall’s visibility. If traffic is encrypted and the firewall only sees the destination IP or SNI, some patterns remain invisible. If Web or TLS Inspection is properly planned, the firewall can check more context.
This does not mean that TLS Inspection should be activated everywhere immediately. TLS Inspection is its own operational project with certificates, exceptions, data protection, performance, and support effort. For a planned rollout, Properly introduce Sophos Firewall TLS Inspection is suitable.
QUIC and HTTP/3 can also influence web and inspection concepts. If browser traffic bypasses classic HTTPS inspection paths, Properly block Sophos Firewall QUIC and HTTP/3 should be checked.
Logs and evaluation
Without log evaluation, NDR is hardly useful. Depending on the function, different log areas are relevant.
| Area | Where to check |
|---|---|
| NDR Essentials | Active threat response logs, Threat indicators, Central Reporting, or SIEM |
| NDR Active Threat Intelligence | IPS logs, Log Viewer filter Category is NDR Active threat intelligence, Central Firewall Reporting |
| XDR/MDR evaluation | Sophos Central Threat Analysis Center, Detections, or Cases |
| Long-term correlation | Syslog, SIEM, SOC, or MDR platform |
For Sophos Central, the firewall must send logs and reports to Central. The procedure is described in Activate and operate Sophos Firewall Central Reporting. For a custom SIEM, the appropriate log type must be forwarded via syslog and parsed in the target system. Enabling the feature alone does not prove that detections can be found later.
Checkpoints after activation:
- Do local log entries appear in the Log Viewer?
- Are Active threat response or IPS logs sent to Central?
- Do the logs arrive in the SIEM?
- Are fields like Source, Destination, Firewall, Rule ID, and Category correctly recognized?
- Is there a dashboard or search for NDR/ATR hits?
- Is it clear who evaluates hits?
What should happen when a hit occurs
A hit is initially an investigation signal. Not every hit is automatically a confirmed attack, but every relevant hit needs a process.
Minimal process:
- Record source IP, destination IP, user, rule, and time.
- Check in the Log Viewer which rule and module were involved.
- Search in Central, XDR, MDR, or SIEM for further events of the same host.
- Correlate endpoint, DNS, web, and authentication logs.
- Decide whether isolation, firewall block, threat feed exception, or further analysis is necessary.
- Document the result.
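As an added example (not part of the original article and not Sophos' own tooling), the following Python script covers the log checkpoints above and the first steps of the minimal process in working code: it parses Sophos-style key="value" syslog lines, verifies that the fields a dashboard needs are actually present, counts NDR/ATR hits per category, and builds a per-host triage record that pairs each hit with the other events of the same source host. The sample lines are constructed, and the field and category names (device_name, src_ip, dst_ip, fw_rule_id, user_name, log_component, and the two category strings) are assumptions about the export layout; verify them against a real syslog export or the Log Viewer before building parsers on them.

```python
"""Offline parsing and triage of Sophos Firewall NDR/ATR syslog lines.

Added example; not part of the original article or of Sophos' own tooling.
Field names and category strings are assumptions about the key="value"
syslog layout: check them against a real export before relying on them.
"""
import re
from collections import defaultdict

# key=value pairs; the value is either "quoted" (may be empty) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields a dashboard or search needs (Source, Destination, Firewall, Rule ID,
# Category, time). Names are assumed, see module docstring.
REQUIRED_FIELDS = ("device_name", "date", "time", "log_component",
                   "src_ip", "dst_ip", "fw_rule_id")

# Assumed category strings for the two functions discussed in the article.
NDR_CATEGORIES = {"NDR Active threat intelligence", "Active threat response"}

# Constructed sample lines (not real firewall output).
SAMPLE_LOGS = [
    # NDR Active Threat Intelligence hit, logged via the IPS log type
    'device_name="fw-edge-01" date=2024-05-02 time=10:14:03 log_type="IDP" '
    'log_component="NDR Active threat intelligence" log_subtype="Detect" '
    'severity=High src_ip=10.10.20.15 dst_ip=203.0.113.40 dst_port=443 '
    'user_name="alice" fw_rule_id=12 message="Suspicious traffic pattern"',
    # ordinary allowed flow from the same host two seconds later
    'device_name="fw-edge-01" date=2024-05-02 time=10:14:05 log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" src_ip=10.10.20.15 '
    'dst_ip=198.51.100.7 dst_port=443 user_name="alice" fw_rule_id=12',
    # NDR Essentials hit from another host, no authenticated user
    'device_name="fw-edge-01" date=2024-05-02 time=10:20:41 log_type="ATR" '
    'log_component="Active threat response" log_subtype="Detect" threat_score=85 '
    'src_ip=10.10.30.9 dst_ip=192.0.2.77 dst_port=53 user_name="" fw_rule_id=7',
    # hit with a missing rule id: a parser must flag this, not silently accept it
    'device_name="fw-edge-01" date=2024-05-02 time=10:21:00 log_type="IDP" '
    'log_component="NDR Active threat intelligence" severity=Low '
    'src_ip=10.10.30.9 dst_ip=192.0.2.78',
]


def parse_line(line):
    """Turn one key=value syslog line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def missing_fields(record, required=REQUIRED_FIELDS):
    """Checkpoint: which required fields are absent or empty in this record?"""
    return [f for f in required if not record.get(f)]


def is_ndr_hit(record):
    """True if the record belongs to one of the two NDR-related categories."""
    return record.get("log_component") in NDR_CATEGORIES


def hits_by_category(lines):
    """Dashboard-style count of NDR/ATR hits per category."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if is_ndr_hit(rec):
            counts[rec["log_component"]] += 1
    return dict(counts)


def triage(lines):
    """Per source host: the NDR hits with the fields the minimal process records,
    the number of other events from the same host (the 'same host' search), and
    the missing-field lists of any hit that a dashboard could not display fully."""
    hosts = defaultdict(lambda: {"hits": [], "other_events": 0, "incomplete": []})
    for rec in map(parse_line, lines):
        src = rec.get("src_ip", "unknown")
        if not is_ndr_hit(rec):
            hosts[src]["other_events"] += 1
            continue
        missing = missing_fields(rec)
        if missing:
            hosts[src]["incomplete"].append(missing)
        hosts[src]["hits"].append({
            "time": f'{rec.get("date")} {rec.get("time")}',
            "firewall": rec.get("device_name"),
            "src": src,
            "dst": rec.get("dst_ip"),
            "user": rec.get("user_name") or None,
            "rule_id": rec.get("fw_rule_id"),
            "category": rec.get("log_component"),
            # severity for Active Threat Intelligence, threat score for Essentials
            "signal": rec.get("severity") or rec.get("threat_score"),
        })
    return dict(hosts)


if __name__ == "__main__":
    print(hits_by_category(SAMPLE_LOGS))
    for host, info in triage(SAMPLE_LOGS).items():
        print(host, info)
```

Running the script against the constructed lines reports two Active Threat Intelligence hits and one Active threat response hit, shows that 10.10.20.15 has one ordinary flow to correlate with its hit, and flags the last line because fw_rule_id is missing; in a real SIEM that flag is the answer to the "are the fields correctly recognized" checkpoint, and the per-host record is the starting point for the endpoint, DNS, web, and authentication correlation in the minimal process.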
For repeated false positives, a broad exception should not be set immediately. A narrow exception with reason, ticket, and review date is better. Exceptions in Active Threat Response can remove protection and therefore belong in a controlled process.
Typical mistakes
- NDR Active Threat Intelligence is activated globally but not enabled in the firewall rules.
- NDR Essentials is activated, but no suitable interfaces are selected.
- IPS or Active threat response logging is not enabled.
- Central Reporting or Syslog is not set up, although central evaluation is expected.
- Detections are generated, but no one checks them.
- The minimum severity or threat score is set too low, creating unnecessary noise.
- Exceptions are set too broadly.
- Active-Active HA or small XGS models are planned, although the respective function is not supported there.
- TLS Inspection is treated as a side issue instead of being properly planned.
Checklist
- SFOS version and license checked.
- Supported appliance or platform confirmed.
- HA mode checked.
- Sophos Central registration checked if Central Reporting, XDR, or MDR is used.
- Relevant log types activated under System services > Log settings.
- NDR Essentials interfaces consciously selected.
- Data center location and minimum threat score documented.
- NDR Active Threat Intelligence activated.
- Relevant firewall rules marked with Scan with NDR Active threat intelligence.
- Log Viewer, Central Reporting, or SIEM checked for hits.
- Owner, alerting, false-positive process, and review interval documented.