Sophos Firewall Threat Feeds
Avanet’s Sophos Firewall Threat Feeds provide continuous threat intelligence feeds that automatically import Indicators of Compromise (IoCs) – such as malicious IP addresses, domains or URLs – into your Sophos Firewall and block them immediately. The feeds not only contain current community and OSINT data, but also commercially purchased information, results from our honeypots and anonymized attack, error and anomaly logs from numerous Sophos firewalls managed by us. In this way, malware domains, botnet C&C servers and phishing sites are proactively filtered out. This increases the security of your infrastructure and at the same time noticeably reduces unwanted traffic on the firewall.
What are threat feeds?
Threat feeds are lists of indicators of compromise (IoCs), such as malicious IP addresses, domains and URLs. These feeds come from external sources, such as security organizations, industry consortiums or open source communities, and allow your Sophos Firewall to automatically block traffic from known threats. Integrating these feeds into your firewall provides a proactive defense that stops attacks before they reach your network. In Sophos Firewall v21, this feature has been enhanced with support for third-party feeds implemented via the Active Threat Response framework.
The advantages are clear:
- Proactive protection: block threats before damage occurs.
- Flexibility: Use feeds from different providers, tailored to individual requirements.
- Automation: The firewall blocks automatically; manual intervention is no longer necessary.
Requirements for threat feeds
To use the Sophos Firewall Threat Feeds function, you need the Xstream Protection bundle license for Sophos Firewall. This bundle includes advanced security features that enable the firewall to efficiently process and respond to threat information. Without this bundle, the use of third-party feeds is not possible, as it provides the necessary modules for processing the IoCs.
From the Basic to the Ultimate Threat Feed – by Avanet
We understand how important reliable and up-to-date threat information is for your network security. That’s why we offer two carefully curated threat feed options specifically optimized for Sophos Firewalls.
Our feeds are compiled from a variety of reputable sources to ensure comprehensive and reliable threat detection. The standard feed offers a good opportunity to improve security. The Premium feed is characterized by a higher update frequency and a larger number of data sources and is particularly suitable for companies that require a high level of security. The Ultimate feed also provides the latest and all available data and therefore offers the maximum possible protection.
Sophos Firewall Threat Feeds can take network security to the next level. Our curated feeds take the complexity out of feed management. Whether you choose the free standard feed or the comprehensive premium feed, both provide reliable, regularly updated threat information and protect your network.
Compare threat feeds – security for your needs
Basic
0 CHF
Update interval: every 24 h
IPv4 feeds: ≈ 30,000 IPs
Standard
179 CHF
Update interval: every 6 h
IPv4 feeds: ≈ 45,000 IPs
Support
100% discount for Sophos Firewall subscription customers*.
Premium
349 CHF
Update interval: every 1 h
IPv4 feeds: ≈ 120,000 IPs
Domain / URL feeds
Support
14% discount for Sophos Firewall subscription customers*.
Ultimate
1999 CHF
Update interval: every 15 min
IPv4 feeds: ≈ 180,000 IPs
Domain / URL feeds
Support
10% discount for Sophos Firewall subscription customers*.
* The discount applies to all existing Avanet customers with an active Sophos Firewall subscription.
Avanet Firewall Network
Part of the Premium Feed is the data from our firewall network, which is distributed worldwide.

Many tools easily detect brute force attacks on individual IP addresses, but fail in the case of distributed attacks by botnets. In such cases, each host controlled by the attacker only makes a few failed login attempts at a low frequency and thus escapes detection and blocking.
Some botnets include hundreds of thousands of infected hosts, allowing cybercriminals to carry out massive brute force attacks without being blocked.
Thanks to our network, we collect logs centrally, detect suspicious activity at an early stage and can quickly block attacking IP addresses. This results in a constantly updated threat intelligence feed with IPs that have become conspicuous on several systems. By merging and continuously feeding this data into our threat intelligence feed, IP addresses that are specifically attacking the infrastructure are identified and automatically blocked.
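The cross-firewall correlation described above, sketched as an added example (not Avanet's code): an IP that stays under every local limit is still listed once it shows up on several firewalls. The log format, firewall names, documentation-range IPs and both thresholds are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed failed-login events for one time window: "<firewall> <source IP>".
# Firewall names, documentation-range IPs and both thresholds are assumptions.
SAMPLE_EVENTS = (
    ["fw-zurich 198.51.100.7"] * 12          # loud single-source brute force
    + ["fw-zurich 203.0.113.10", "fw-zurich 203.0.113.10",
       "fw-berlin 203.0.113.10", "fw-vienna 203.0.113.10",  # low and slow, 3 sites
       "fw-berlin 192.0.2.44", "fw-berlin 192.0.2.44",      # one user, one site
       "fw-zurich 203.0.113.99", "fw-vienna 203.0.113.99"]  # only 2 sites
)
LOCAL_THRESHOLD = 10  # failures on one firewall before a local block
MIN_FIREWALLS = 3     # distinct firewalls before a network-wide listing

def parse(events):
    """Yield (firewall, ip) pairs, skipping lines without a valid IP."""
    for line in events:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield parts[0], str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue

def local_blocks(events):
    """IPs that a single firewall's per-IP threshold catches on its own."""
    per_fw = Counter(parse(events))
    return {ip for (_fw, ip), n in per_fw.items() if n >= LOCAL_THRESHOLD}

def correlated_blocks(events):
    """IPs seen failing logins on at least MIN_FIREWALLS distinct firewalls."""
    sites = defaultdict(set)
    for fw, ip in parse(events):
        sites[ip].add(fw)
    return {ip for ip, fws in sites.items() if len(fws) >= MIN_FIREWALLS}

def build_feed(events):
    """Merge both detections into a sorted, de-duplicated IPv4 list."""
    ips = local_blocks(events) | correlated_blocks(events)
    return sorted(ips, key=ipaddress.ip_address)

if __name__ == "__main__":
    print("\n".join(build_feed(SAMPLE_EVENTS)))
```
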
Sophos Firewall Threat Feed Setup?
The integration of our Sophos Firewall threat feeds is straightforward and can be done in a few minutes. All feeds are fully compatible with Sophos Firewall’s third-party threat feed feature and can be added via the firewall’s web interface as follows:
- Open menu Protect → Active threat response → Third-party threat feeds → Add
- Enter basic data
  - Name: avanet-basic-ipv4
  - Description: Avanet Feed – Free Version
- Define indicator type & rules
  - Indicator type: IPv4 address, domain or URL
  - Action: Block
- Store feed URL
  - Insert the appropriate address from the Avanet feed list in the External URL field.
- Set polling interval
  - Polling interval: 24 h (for the free version)
  - A shorter interval does not help; we only update the standard feed every 24 hours.
- Configure authentication (optional)
  - Authorization: None
- Test & save connection
  - Execute test connection → Save.

For step-by-step setup instructions, we recommend the Sophos documentation.
More than you think
Feeds for more than just Sophos Firewalls
Integrate the feed into the following firewalls, for example:





Avanet
Threat Intelligence Feeds
Your firewall deserves more knowledge. Block threats before they come knocking. Because threats don’t deserve a chance.
Basic
0€
Protect your firewall for free with basic community lists. Ideal for small environments looking for a solid foundation against known threats.
- Update: every 24 h
- 🛡️ IPv4 feeds: 3 lists (≈30,000 IPs)
Standard
18€
Comprehensive, curated feeds for more accurate detection and fewer false positives. Ideal for companies that want to increase their security and reduce unnecessary traffic.
- Update: every 6 h
- 🛡️ IPv4 feeds: 10 lists (≈45,000 IPs)
Premium
35€
Maximum protection at a professional level: exclusive data from honeypots, partner feeds and real-time analyses. For anyone who doesn’t want to compromise on security.
- Update: every 1 h
- 🛡️ IPv4 feeds: 30+ lists (≈120,000 IPs)
- 🌐 Domain / URL feeds: 30+ curated lists
Basic
0€
Protect your firewall for free with basic community lists. Ideal for small environments looking for a solid foundation against known threats.
- Update: every 24 h
- 🛡️ IPv4 feeds: 3 lists (≈30,000 IPs)
Standard
179€
Comprehensive, curated feeds for more accurate detection and fewer false positives. Ideal for companies that want to increase their security and reduce unnecessary traffic.
- Update: every 6 h
- 🛡️ IPv4 feeds: 10 lists (≈45,000 IPs)
Premium
349€
Maximum protection at a professional level: exclusive data from honeypots, partner feeds and real-time analyses. For anyone who doesn’t want to compromise on security.
- Update: every 1 h
- 🛡️ IPv4 feeds: 30+ lists (≈120,000 IPs)
- 🌐 Domain / URL feeds: 30+ curated lists