Sophos Firewall Threat Feeds
Cybora ‘s Sophos Firewall Threat Feeds provide continuous threat intelligence feeds that automatically import Indicators of Compromise (IoCs) – such as malicious IP addresses, domains or URLs – into your Sophos Firewall and block them immediately. This eliminates a large part of the manual maintenance effort for administrators: The feeds contain not only current community and OSINT data, but also commercially purchased information, results from our honeypots and anonymized attack, error and anomaly logs from numerous Sophos Firewalls managed by us. Malware domains, botnet C&C servers and phishing sites are thus proactively filtered out. This increases the security of your infrastructure and at the same time noticeably reduces unwanted traffic on the firewall.
Topics
What are threat feeds?
Threat feeds are lists of indicators of compromise (IoCs), such as malicious IP addresses, domains and URLs. These feeds come from external sources, such as security organizations, industry consortiums or open source communities, and allow your Sophos Firewall to automatically block traffic from known threats. Integrating these feeds into your firewall provides a proactive defense that stops attacks before they reach your network. In Sophos Firewall v21, this feature has been enhanced with support for third-party feeds implemented via the Active Threat Response framework.
The advantages are clear:
- Proactive protection: block threats before damage occurs.
- Flexibility: Use feeds from different providers, tailored to individual requirements.
- Automation: The firewall blocks automatically; manual intervention is no longer necessary.
Requirements for threat feeds
To be able to use the Sophos Firewall Threat Feeds function, you need the bundle license for the Xstream Protection bundle license for Sophos Firewall. This bundle includes advanced security features that enable the firewall to efficiently process and respond to threat information. Without this bundle, the use of third-party feeds is not possible, as it provides the necessary modules for processing the IoCs.
From the Basic to the Ultimate Threat Feed – by Cybora
We understand how important reliable and up-to-date threat information is for your network security. That’s why we offer two carefully curated threat feed options specifically optimized for Sophos Firewalls. We achieve this through our collaboration with Cybora.
The feeds are compiled from a variety of reputable sources to ensure comprehensive and reliable threat detection. The standard feed offers a good opportunity to improve security. The Premium feed is characterized by a higher update frequency and a larger number of data sources and is particularly suitable for companies that require a high level of security. The Ultimate feed also provides the latest and all available data and thus offers the maximum possible protection.
Sophos Firewall Threat Feeds can take network security to the next level. Our curated feeds take the complexity out of feed management. Whether you choose the free standard feed or the comprehensive premium feed, both provide reliable, regularly updated threat information and protect your network.
Compare threat feeds – security for your needs
Basic
0 $
per year
Update interval: every 24 h
IPv4 feeds: 30,000 IPs
Standard
179 $
per year
Update interval: every 6 h
IPv4 feeds: 45,000 IPs
Support
100% discount for Sophos Firewall subscription customers*.
Premium
349 $
per year
Update interval: every 1 h
IPv4 feeds: 120,000 IPs
Domain / URL feeds
Support
14% discount for Sophos Firewall subscription customers*.
Ultimate
1999 $
per year
Update interval: every 15 min
IPv4 feeds: > 220,000 IPs
Domain / URL feeds
Support
10% discount for Sophos Firewall subscription customers*.
* The discount applies to all existing Avanet customers with an active Sophos Firewall subscription.
Avanet Firewall Network
Part of the Premium Feed is the data from our firewall network, which is distributed worldwide.
Many tools easily detect brute force attacks on individual IP addresses, but fail in the case of distributed attacks by botnets. In such cases, each host controlled by the attacker only makes a few failed login attempts at a low frequency and thus escapes detection and blocking.
Some botnets include hundreds of thousands of infected hosts, allowing cybercriminals to carry out massive brute force attacks without being blocked.
Thanks to our network, we collect logs centrally, detect suspicious activity at an early stage and can quickly block attacking IP addresses. This results in a constantly updated threat intelligence feed with IPs that have become conspicuous on several systems. By merging and continuously feeding this data into our threat intelligence feed, IP addresses that are specifically attacking the infrastructure are identified and automatically blocked.
Sophos Firewall Threat Feed Setup?
The integration of our Sophos Firewall threat feeds is straightforward and can be done in a few minutes. All feeds are fully compatible with Sophos Firewall’s third-party threat feed feature and can be added via the firewall’s web interface as follows:
- Open menu Protect → Active threat response → Third-party threat feeds → Add
- Enter basic data
- Name: cybora-premium-ipv4
- Description: Cybora Feed – Premium
- Define indicator type & rules
- Indicator type: IPv4 address, domain or URL
- Action: Block
- Store feed URL
- Insert the appropriate address from the Avanet feed list in the External URL field.
- Set polling interval
- Polling interval: 24 h (for the free version) / 1 h (for premium version)
- A shorter line does not help, we only update the standard feed every 24 hours.
- Polling interval: 24 h (for the free version) / 1 h (for premium version)
- Configure authentication (optional)
- Authorization: None
- Test & save connection
- Execute test connection → Save.
For step-by-step setup instructions, we recommend the Sophos documentation.
More than you think
Feeds for more than just Sophos Firewalls
Integrate the feed into the following firewalls, for example:
