Avanet’s Sophos Firewall Threat Feeds provide continuous threat intelligence feeds that automatically import Indicators of Compromise (IoCs) – such as malicious IP addresses, domains or URLs – into your Sophos Firewall and block them immediately. The feeds not only contain current community and OSINT data, but also commercially purchased information, results from our honeypots and anonymized attack, error and anomaly logs from numerous Sophos firewalls managed by us. In this way, malware domains, botnet C&CServer and phishing sites are proactively filtered out. This increases the security of your infrastructure and at the same time noticeably reduces unwanted traffic on the firewall.

What are threat feeds?

Threat feeds are lists of indicators of compromise (IoCs), such as malicious IP addresses, domains and URLs. These feeds come from external sources, such as security organizations, industry consortiums or open source communities, and allow your Sophos Firewall to automatically block traffic from known threats. Integrating these feeds into your firewall provides a proactive defense that stops attacks before they reach your network. In Sophos Firewall v21, this feature has been enhanced with support for third-party feeds implemented via the Active Threat Response framework.

The advantages are clear:

• Proactive protection: block threats before damage occurs.
• Flexibility: Use feeds from different providers, tailored to individual requirements.
• Automation: The firewall blocks automatically; manual intervention is no longer necessary.

Requirements for threat feeds

To be able to use the Sophos Firewall Threat Feeds function, you need the bundle license for the Xstream Protection bundle license for Sophos Firewall. This bundle includes advanced security features that enable the firewall to efficiently process and respond to threat information. Without this bundle, the use of third-party feeds is not possible, as it provides the necessary modules for processing the IoCs.

From the Basic to the Ultimate Threat Feed – by Avanet

We understand how important reliable and up-to-date threat information is for your network security. That’s why we offer two carefully curated threat feed options specifically optimized for Sophos Firewalls.

Our feeds are compiled from a variety of reputable sources to ensure comprehensive and reliable threat detection. The standard feed offers a good opportunity to improve security. The Premium feed is characterized by a higher update frequency and a larger number of data sources and is particularly suitable for companies that require a high level of security. The Ultimate feed also provides the latest and all available data and therefore offers the maximum possible protection.

Sophos Firewall Threat Feeds can take network security to the next level. Our curated feeds take the complexity out of feed management. Whether you choose the free standard feed or the comprehensive premium feed, both provide reliable, regularly updated threat information and protect your network.

Compare threat feeds – security for your needs

Avanet Firewall Network

Part of the Premium Feed is the data from our firewall network, which is distributed worldwide.

Many tools easily detect brute force attacks on individual IP addresses, but fail in the case of distributed attacks by botnets. In such cases, each host controlled by the attacker only makes a few failed login attempts at a low frequency and thus escapes detection and blocking.

Some botnets include hundreds of thousands of infected hosts, allowing cybercriminals to carry out massive brute force attacks without being blocked.

Thanks to our network, we collect logs centrally, detect suspicious activity at an early stage and can quickly block attacking IP addresses. This results in a constantly updated threat intelligence feed with IPs that have become conspicuous on several systems. By merging and continuously feeding this data into our threat intelligence feed, IP addresses that are specifically attacking the infrastructure are identified and automatically blocked.

Sophos Firewall Threat Feed Setup?

The integration of our Sophos Firewall threat feeds is straightforward and can be done in a few minutes. All feeds are fully compatible with Sophos Firewall’s third-party threat feed feature and can be added via the firewall’s web interface as follows:

1. Open menu Protect → Active threat response → Third-party threat feeds → Add
2. Enter basic data
   • Name: avanet-basic-ipv4
   • Description: Avanet Feed – Free Version
3. Define indicator type & rules
   • Indicator type: IPv4 address, domain or URL
   • Action: Block
4. Store feed URL
   • Insert the appropriate address from the Avanet feed list in the External URL field.
5. Set polling interval
   • Polling interval: 24 h (for the free version)
     • A shorter line does not help, we only update the standard feed every 24 hours.
6. Configure authentication (optional)
   • Authorization: None
7. Test & save connection
   • Execute test connection → Save.

For step-by-step setup instructions, we recommend the Sophos documentation.

---

---