Avanet’s Sophos Firewall Threat Feeds provide continuous threat intelligence feeds that automatically import Indicators of Compromise (IoCs) – such as malicious IP addresses, domains or URLs – into your Sophos Firewall and block them immediately. The feeds not only contain current community and OSINT data, but also commercially purchased information, results from our honeypots and anonymized attack, error and anomaly logs from numerous Sophos firewalls managed by us. In this way, malware domains, botnet C&CServer and phishing sites are proactively filtered out. This increases the security of your infrastructure and at the same time noticeably reduces unwanted traffic on the firewall.

What are threat feeds?

Threat feeds are lists of indicators of compromise (IoCs), such as malicious IP addresses, domains and URLs. These feeds come from external sources, such as security organizations, industry consortiums or open source communities, and allow your Sophos Firewall to automatically block traffic from known threats. Integrating these feeds into your firewall provides a proactive defense that stops attacks before they reach your network. In Sophos Firewall v21, this feature has been enhanced with support for third-party feeds implemented via the Active Threat Response framework.

The advantages are clear:

• Proactive protection: block threats before damage occurs.
• Flexibility: Use feeds from different providers, tailored to individual requirements.
• Automation: The firewall blocks automatically; manual intervention is no longer necessary.

Requirements for threat feeds

To be able to use the Sophos Firewall Threat Feeds function, you need the bundle license for the Xstream Protection bundle license for Sophos Firewall. This bundle includes advanced security features that enable the firewall to efficiently process and respond to threat information. Without this bundle, the use of third-party feeds is not possible, as it provides the necessary modules for processing the IoCs.

Standard vs. Premium Threat Feed – by Avanet

We understand how important reliable and up-to-date threat information is for your network security. That’s why we offer two carefully curated threat feed options specifically optimized for Sophos Firewalls.

Our feeds are compiled from a variety of reputable sources to ensure comprehensive and reliable threat detection. The Standard Feed offers a free way to improve your security, while the Premium Feed, with its higher update frequency and larger number of feeds, is ideal for organizations that require maximum security.

The following table compares the two options in detail:

Feeds	Basic	Standard	Premium	Ultimate
💰 Price	free of charge	128 € year / firewall Free for subscription customers*	256 € per year / firewall	2048 € per year / firewall
🔁 Update interval	every 24 h	every 4 h	1 h	20 min
🛡️ IPv4 feeds	3 lists (≈ 37,000 IPs)	10 lists (≈ 75,000 IPs)	30+ lists (≈ 90’000 IPs)	planned in Q4 2025
🌐 Domain / URL feeds	2 curated lists	6 curated lists	planned in Q4 2025	planned in Q4 2025
🔓 Access	Request list	Request list	Contact us	Contact us

* Avanet customers with an active Sophos Firewall subscription receive the standard feed free of charge and a 20% discount on the premium feed.

To summarize: The Standard Feed offers solid basic protection with minimal administration – ideal for entry-level or smaller environments. The Premium Feed is aimed at demanding environments that require comprehensive protection: Here, significantly more threat sources are subscribed to and updated much more frequently to block newly emerging IoCs in near real time.

The integration of our Sophos Firewall threat feeds is straightforward and user-friendly. Our feeds are fully compatible with the third-party threat feed function of Sophos Firewall and can be easily added via the firewall’s web interface. We provide you with the required feed URLs and detailed configuration instructions to make the process as smooth as possible.

Avanet Firewall Network

Part of the Premium Feed is the data from our firewall network, which is distributed worldwide.

Many tools easily detect brute force attacks on individual IP addresses, but fail in the case of distributed attacks by botnets. In such cases, each host controlled by the attacker only makes a few failed login attempts at a low frequency and thus escapes detection and blocking.

Some botnets include hundreds of thousands of infected hosts, allowing cybercriminals to carry out massive brute force attacks without being blocked.

Thanks to our network, we collect logs centrally, detect suspicious activity at an early stage and can quickly block attacking IP addresses. This results in a constantly updated threat intelligence feed with IPs that have become conspicuous on several systems. By merging and continuously feeding this data into our threat intelligence feed, IP addresses that are specifically attacking the infrastructure are identified and automatically blocked.

How can I add a threat feed?

1. Open menu Protect → Active threat response → Third-party threat feeds → Add
2. Enter basic data
   • Name: avanet-basic-ipv4
   • Description: Avanet Feed – Free Version
3. Define indicator type & rules
   • Indicator type: IPv4 address, domain or URL
   • Action: Block
4. Store feed URL
   • Insert the appropriate address from the Avanet feed list in the External URL field.
5. Set polling interval
   • Polling interval: 24 h (for the free version)
     • A shorter line does not help, we only update the standard feed every 24 hours.
6. Configure authentication (optional)
   • Authorization: None
7. Test & save connection
   • Execute test connection → Save.

For step-by-step setup instructions, we recommend the Sophos documentation.

Conclusion

With Sophos Firewall threat feeds, you can take network security to the next level. Our curated feeds eliminate the complexity of feed management. Whether you choose the free standard feed or the comprehensive premium feed, both provide reliable, regularly updated threat information and protect your network.

Request Threat Feed