
Sophos Firewall Threat Feeds

The Sophos Firewall Threat Feeds from Cybora provide continuous Threat Intelligence Feeds that automatically import Indicators of Compromise (IoCs) into Sophos Firewall. Such IoCs include malicious IP addresses, malware domains, phishing URLs or known botnet C&C servers.

This removes a large part of the manual maintenance effort. Instead of maintaining individual attacker IP addresses or domains by hand in host objects, firewall rules or block lists, the firewall automatically obtains the data from a curated feed and can block matching traffic.

This is especially valuable as soon as a firewall is visible from the outside. Public IPs, DNAT rules, WAF publications, VPN portals or WebAdmin access are often found very quickly by bots, scanners and automated exploit frameworks. A good threat feed reduces this unwanted traffic before it gets deeper into the environment.

What are threat feeds?

Threat feeds are lists of indicators of compromise. In practice, they are indicators of known malicious infrastructure:

  • IP addresses: scanners, botnets, compromised systems or command-and-control servers.
  • Domains: malware, phishing or C2 domains.
  • URLs: specific malicious paths or download links.

Depending on the provider, these feeds come from security organisations, industry consortia, open-source communities, commercial threat intelligence, honeypots or proprietary sensors. In Sophos Firewall v21, the feature was extended with third-party feeds that are integrated through the Active Threat Response framework.

The benefits are clear:

  • Proactive protection: block threats before damage occurs.
  • Flexibility: use feeds from different providers, aligned to individual requirements.
  • Automation: the firewall blocks automatically; manual intervention is reduced.
  • Relief: unwanted traffic is dropped earlier and does not even reach internal services.

Typical use cases

Threat feeds are not only useful for outbound client traffic. In practice, publicly reachable services in particular see automated access very quickly.

Use case: why threat feeds help

  • DNAT to internal servers: Port forwards are scanned quickly. An IPv4 feed can block known bad sources before they reach the internal server.
  • WAF publications: Web servers often see bot traffic, CVE scans, CMS probes and credential stuffing. Threat feeds add reputation to WAF rules.
  • VPN Portal, User Portal and WebAdmin: Portals should first be protected with Device Access, MFA and source networks. Threat feeds additionally reduce known attacker sources.
  • Outbound client traffic: Domain and URL feeds can block known malware, phishing or C2 destinations.
  • Heavily scanned WAN addresses: If a public IP continuously sees bot traffic, a good IPv4 feed can noticeably reduce firewall and log noise.

Threat feeds do not replace a clean publication design. If a service is reachable through DNAT or WAF, only required ports should still be opened, source networks or countries should be restricted, IPS/WAF rules should be enabled and logs should be checked. Threat feeds are an additional protection layer, not a free pass for broad Any rules.

Requirements for threat feeds

To use Sophos Firewall Threat Feeds, the Sophos Firewall requires the Xstream Protection bundle licence. This bundle includes the required security functions so that the firewall can process threat intelligence and react to it through Active Threat Response.

Before the rollout, also check:

  • The firewall runs an SFOS version with third-party threat feed support.
  • The firewall can reach the feed URL through DNS and HTTPS.
  • A clear Indicator type is used for each feed, for example IPv4 address, Domain or URL.
  • Logging for Active Threat Response is enabled.
  • It is clear whether matches from the feed should first only be observed or blocked directly.

Recommendation: Introduce new feeds in a controlled way. If the firewall allows it, start with an observation phase, check matches in Log Viewer and then switch to blocking. This makes it easier to detect early whether legitimate systems would be affected.

What to consider with URL feeds

IP and domain feeds are usually easy to understand. URL feeds are more demanding because the firewall must see the relevant URL path. With HTTPS traffic, this is not always possible without suitable decryption.

If URL feeds are to be used in production, check whether Web Proxy, DPI Engine and TLS Inspection fit the environment. Without clean visibility into HTTPS traffic, a URL feed may be less effective than expected.

From Free to Ultimate Threat Feed by Cybora

Reliable and up-to-date threat intelligence is essential. That is why Avanet uses curated threat feed plans from Cybora that are specifically suited for Sophos Firewalls.

The feeds are built from various sources to provide broad and reliable threat detection. These include community and OSINT data, commercially sourced intelligence, honeypot results and anonymised attack, error and anomaly logs from numerous Sophos Firewalls managed by us.

Free (Basic) is suitable for home users, PoCs and compatibility tests. Standard adds important malware and phishing domains to the IPv4 feed. Premium expands coverage with domains and URLs with hourly updates. Ultimate is designed for critical infrastructure and high-risk perimeters with 15-minute updates.

With Sophos Firewall Threat Feeds, network security can be taken to the next level. With our curated feeds, complex feed management is removed. Depending on the environment, the free Basic plan is enough for tests, while Standard, Premium and Ultimate are designed for production requirements with increasing coverage and freshness.

We have tested different feeds over a longer period in real Sophos Firewall environments. The Cybora feed has proven to be a good and affordable compromise between quality, freshness and operational practice.

Compare threat feeds

Free (Basic) (Free / Basic)
$0 per year

  • Update interval: every 24 h
  • IPv4 addresses: 20,000
  • Support: No support

Standard (Basic Protection)
$179 per year

  • Update interval: every 6 h
  • IPv4 addresses: 85,000
  • Domains: top 5,000
  • Support: Standard

Premium (Advanced Protection)
$349 per year

  • Update interval: every 1 h
  • IPv4 addresses: 220,000
  • Domains: 45,000
  • URLs: 25,000
  • Support: Priority

Ultimate (Mission-Critical Protection)
$1,999 per year

  • Update interval: every 15 min
  • IPv4 addresses: 300,000+
  • Domains: 100,000+
  • URLs: 100,000
  • Support: Very high

When comparing feeds, do not only look at the number of entries. A huge list is not automatically better if it creates many false positives or is poorly maintained. What matters is that the feed is current, curated and usable for the firewall.

Important criteria:

  • freshness of the data
  • supported indicator types
  • quality and curation of the sources
  • update interval
  • false-positive risk
  • traceability in Log Viewer
  • sensible exception process

Avanet Firewall Network

Part of the Premium Feed is data from our firewall network, which is distributed worldwide.

Avanet Firewall Network - Premium Threat Intelligence Feed

Many tools detect brute-force attacks from individual IP addresses easily, but fail with distributed attacks from botnets. In those cases, each host controlled by the attacker performs only a few failed login attempts at a low frequency and therefore avoids detection and blocking.

Some botnets contain hundreds of thousands of infected hosts, allowing cybercriminals to perform massive brute-force attacks without being blocked.

Thanks to our network, we collect logs centrally, detect suspicious activity early and can quickly block attacking IP addresses. This creates a continuously updated Threat Intelligence Feed with IPs that have been suspicious on several systems. By merging and continuously feeding this data into our Threat Intelligence Feed, IP addresses that specifically attack infrastructure are identified and automatically blocked.
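The correlation described above, as an added example that is not part of the original page and not Avanet's or Cybora's own code. It uses constructed failed-login counts from four hypothetical firewalls (names, addresses and thresholds are assumptions): each firewall on its own only flags the single loud source, while central aggregation across sites also surfaces the low-and-slow address that was seen on several systems.

```python
from collections import Counter, defaultdict

# Constructed records: (firewall_id, source_ip, failed_logins_in_window).
# Hypothetical data, not from the Avanet firewall network.
FAILED_LOGINS = [
    ("fw-zrh-1", "198.51.100.20", 3),
    ("fw-zrh-1", "198.51.100.21", 2),
    ("fw-ber-1", "198.51.100.20", 2),
    ("fw-ber-1", "198.51.100.22", 4),
    ("fw-vie-1", "198.51.100.20", 3),
    ("fw-vie-1", "198.51.100.23", 1),
    ("fw-ams-1", "198.51.100.20", 2),
    ("fw-ams-1", "203.0.113.99", 12),   # loud single-source brute force
]

PER_SITE_THRESHOLD = 10   # assumed: what one firewall alerts on by itself
MIN_SITES = 3             # assumed: seen on at least this many independent systems
MIN_TOTAL = 8             # assumed: and with at least this many failures in total


def per_site_detections(records, threshold=PER_SITE_THRESHOLD):
    """What each firewall sees alone: only sources above the local threshold."""
    return sorted({ip for _, ip, n in records if n >= threshold})


def cross_site_detections(records, min_sites=MIN_SITES, min_total=MIN_TOTAL):
    """Central correlation: count distinct firewalls and total failures per source."""
    sites = defaultdict(set)
    total = Counter()
    for fw, ip, n in records:
        sites[ip].add(fw)
        total[ip] += n
    return sorted(ip for ip in total
                  if len(sites[ip]) >= min_sites and total[ip] >= min_total)


def feed_candidates(records):
    """Union of both views: what would go into a block feed after review."""
    return sorted(set(per_site_detections(records)) | set(cross_site_detections(records)))


if __name__ == "__main__":
    print("per site  :", per_site_detections(FAILED_LOGINS))
    print("cross site:", cross_site_detections(FAILED_LOGINS))
    print("feed      :", feed_candidates(FAILED_LOGINS))
```

The address 198.51.100.20 never exceeds the per-site threshold (at most three failures on any one firewall) but appears on all four systems with ten failures in total, which is exactly the pattern a single firewall cannot see.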

What threat feeds do not replace

Threat feeds are powerful, but they are not a replacement for clean firewall basics.

They do not replace:

  • restrictive firewall rules
  • MFA for VPN, portals and admin access
  • Device Access and Local Service ACL
  • IPS, WAF, Web Protection and TLS Inspection
  • patch management and Hotfixes
  • logging, reporting and regular checks

For example, if a web server is published through DNAT, the firewall rule should still have the narrowest possible sources, concrete services and enabled logging. A threat feed blocks known bad sources, but unknown or new attackers may still arrive.

Configure a Sophos Firewall threat feed

Integrating our Sophos Firewall Threat Feeds is straightforward and takes only a few minutes. All feeds are fully compatible with the third-party threat feed function of Sophos Firewall and can be added through the firewall web interface as follows:

  1. Open the menu: Protect > Active threat response > Third-party threat feeds > Add
  2. Enter basic data
    • Name: cybora-premium-ipv4
    • Description: Cybora Feed - Premium
  3. Set the indicator type
    • Indicator type: IPv4 address, Domain or URL
  4. Choose the action
    • For production blocking: Block
    • For a cautious start: observe matches first if the environment requires it.
  5. Add the feed URL
    • Paste the matching address from the Avanet feed list into External URL.
  6. Set the polling interval
    • Polling interval: choose a value that matches the subscribed feed.
    • A shorter interval does not help if the feed itself is updated less often.
  7. Configure authentication (if required)
    • Depending on the feed, use no authentication or the supplied credentials.
  8. Test the connection and save
    • Run Test connection.
    • Then save with Save.
Add Sophos Firewall Threat Feeds

For a step-by-step setup guide, see the Sophos documentation.

Operational checks

After setup, do not simply assume that everything is correct. Matches must be visible and explainable.

  1. Check System services > Log settings and enable Active Threat Response logging.
  2. Filter for Active threat response in Log viewer.
  3. Check which feed matched.
  4. Check source, destination, service and affected firewall rule.
  5. For false positives, do not create a broad exception. Check and document the specific indicator.

Especially with DNAT, WAF and VPN portals, the amount of unwanted traffic from known bad sources often becomes visible very quickly after activation. This is one reason why we like to use threat feeds for exposed services.

FAQ

Which licence is required for third-party threat feeds?

In practice, the Xstream Protection bundle is required for third-party threat feeds on Sophos Firewall. Before the rollout, check whether the firewall and licence in use support the feature.

Should threat feeds block immediately?

For known and curated feeds, blocking is the goal. In sensitive environments, it can still make sense to observe matches first and rule out false positives.

Do threat feeds also help with DNAT or WAF?

Yes. Published services are quickly found by bots and scanners. An IPv4 feed can block known bad sources before they reach the published service or WAF application.

Why are separate feeds needed for IPs, domains and URLs?

Sophos Firewall processes a feed based on the selected Indicator type. If a source provides several types, create separate IPv4, domain or URL feeds.
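A pre-import check for the two points made above, as an added example that is not part of the original page and not Avanet's, Cybora's or Sophos' own code: it splits a mixed source list into one de-duplicated list per indicator type (IPv4 address, Domain, URL), so each can be published as its own feed, and it rejects entries that would cause the false positives named under "Important criteria" (private and other non-routable ranges, and the operator's own public address). The sample feed, the own-address list and the non-routable ranges are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed (not a real Cybora feed). It mixes indicator types
# and contains the problems a pre-import check should catch: a duplicate,
# a private address, the operator's own public IP, a trailing-dot domain in
# mixed case and a line that is not an indicator at all.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.10
203.0.113.10
198.51.100.0/24
10.0.0.5
203.0.113.250
192.0.2.77
bad-domain.example
BAD-DOMAIN.example.
http://198.51.100.9/payload.bin
https://phish.example/login?acct=1
not an indicator
"""

# Assumed value: our own public address, which must never end up in a block list.
OWN_PUBLIC_IPS = {"203.0.113.250"}

# Ranges that should never appear in a perimeter block feed: blocking them
# would hit internal networks, loopback, link-local or multicast traffic.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(line):
    """Map one feed line to ("ipv4"|"domain"|"url", value) or (None, reason)."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None, "comment or blank"
    if "://" in s:
        u = urlsplit(s)
        if u.scheme in ("http", "https") and u.netloc:
            return "url", s
        return None, "malformed url"
    try:
        net = ipaddress.ip_network(s, strict=False)   # single IP becomes a /32
    except ValueError:
        net = None
    if net is not None:
        if net.version != 4:
            return None, "not ipv4"
        if any(net.subnet_of(r) for r in NON_ROUTABLE):
            return None, "non-routable ipv4"
        value = str(net.network_address) if net.prefixlen == 32 else str(net)
        if value in OWN_PUBLIC_IPS:
            return None, "own public ip"
        return "ipv4", value
    d = s.lower().rstrip(".")   # normalise case and trailing dot before de-duplication
    if DOMAIN_RE.match(d):
        return "domain", d
    return None, "unrecognised"


def split_feed(text):
    """Split a mixed feed into one de-duplicated, sorted list per indicator type."""
    out = {"ipv4": set(), "domain": set(), "url": set(), "rejected": []}
    for line in text.splitlines():
        kind, value = classify(line)
        if kind is None:
            if value != "comment or blank":
                out["rejected"].append((line.strip(), value))
        else:
            out[kind].add(value)
    out["ipv4"] = sorted(out["ipv4"], key=ipaddress.ip_network)
    out["domain"] = sorted(out["domain"])
    out["url"] = sorted(out["url"])
    return out


if __name__ == "__main__":
    result = split_feed(SAMPLE_FEED)
    for kind in ("ipv4", "domain", "url"):
        # each list would be served as its own file behind its own External URL
        print(f"{kind}: {len(result[kind])} entries -> {result[kind]}")
    for line, reason in result["rejected"]:
        print(f"rejected {line!r}: {reason}")
```

Every rejected line is reported with its reason rather than silently dropped, so the check doubles as the documented review step for specific indicators that the operational checks above ask for.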

Does a threat feed replace IPS or WAF?

No. Threat feeds block known bad indicators. IPS, WAF, Web Protection, TLS Inspection, MFA, patch management and clean firewall rules remain necessary.