Lumu can be integrated with other cybersecurity solutions, including Sophos Firewall, to streamline response processes. One of the integration options between Lumu and Sophos Firewall is the Enhanced OOTB (Out-of-the-Box) Integration.
The Enhanced OOTB Integration requires Sophos Firewall version 21 or later. Instead of relying on web category filtering alone, it generates threat feeds of IPs, domains, and URLs that can be consumed by multiple firewall modules, including intrusion prevention, advanced threat protection, application control, and the web proxy, giving you a more proactive and adaptable security posture. This is one of our featured Out-of-the-Box Response Integrations.
This section of the article describes the steps that must be completed on the Lumu portal to properly set up the Sophos Firewall Enhanced integration. To start, log into your Lumu account through the Lumu Portal.
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.
2. Locate the Sophos Firewall integration in the Response section on the available apps area. Click on the Add button to view its details.
3. Familiarize yourself with the integration details available in the app description and click the Activate button below to activate the integration.
4. Select the Enhanced mode to start the activation process. Follow these instructions and provide the required data to properly configure the integration:
a. Type in a Name for your integration.
b. Select the Threat Types you want to include.
c. Select the Indicator types to generate the required blocklists.
d. Click the Create button when finished.
5. Once done, you will be shown the threat feed lists: a URL for each threat feed type you selected. Keep these URLs at hand, as you will need them when configuring the integration on your Sophos Firewall.
This section outlines all the necessary steps to configure your Sophos Firewall settings for a successful integration.
You must configure a Third-party threat feed on your Sophos Firewall for each Blocklist. Log in to your Sophos Firewall console and follow these steps:
1. Head to the left navigation bar. Click on the Active threat response menu under the PROTECT section.
2. Click on the Third-party threat feeds tab in the Active threat response window.
3. Click the Add button in the Third-party threat feeds > Blocked feeds section.
4. Fill in the threat feed information as follows:
a. Give your feed a distinctive Name. Optionally, you can also add a Description.
b. Set the Action parameter to Block.
c. Set the Position parameter to Top.
d. Set the Indicator type to match the Lumu feed URL you are using (see step 5 of the previous section for the list of URLs and their types).
e. Enter the External URL obtained from the Lumu Portal integration for the Indicator type you just selected.
f. Leave the Authorization parameter as is (No authentication).
g. Activate the Validate server certificate toggle.
h. Set the Polling interval according to the needs of your network and the capabilities of your device. We recommend an interval shorter than 1 hour where possible; otherwise, use the shortest interval the device supports.
i. Test the connection and resolve any issues that may be present.
j. Click the Save button when finished.
Keep in mind that the XGS 87(w), 88(w), and 107(w) models only offer 24-hour, 7-day, and 30-day polling interval options.
5. Your new Lumu feed will start syncing. It will appear under the Third-party threat feeds > Blocked feeds section. Once you see the feed, you will know Lumu and Sophos Firewall have been properly integrated.
Repeat steps 3 to 5 for each list you created in your Lumu integration.
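The steps above are all performed in the two web consoles, so the page itself has nothing to run. The following Python script is an added example, not code from Lumu or Sophos, that checks a feed list from step 5 of the Lumu section before you enter it as a Third-party threat feed: it downloads the list over HTTPS with the server certificate validated (the same requirement the Validate server certificate toggle enforces on the firewall side) and verifies that every entry matches the Indicator type you intend to select in step 4d, so that a domain list is not accidentally configured as an IP feed. It assumes the feed is plain text with one indicator per line and lines starting with '#' as comments; the sample feeds are constructed from reserved documentation addresses and names, not real Lumu data.

```python
"""Sanity-check Lumu Enhanced threat feed lists before adding them as
Sophos Firewall third-party threat feeds.

Added example; not code shipped by Lumu or Sophos. Assumptions (labelled):
  - a feed is plain text with one indicator per line, '#' starting a comment;
  - the indicator types mirror the Sophos "Indicator type" field: ip, domain, url.
"""
import ipaddress
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Hostname check: labels of 1-63 chars, no leading/trailing hyphen,
# at least one dot, 253 chars max overall.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$",
    re.IGNORECASE,
)


def classify(indicator: str) -> str:
    """Return 'ip', 'domain', 'url' or 'invalid' for one feed entry."""
    s = indicator.strip()
    if not s:
        return "invalid"
    # Single addresses and CIDR blocks (v4 or v6) are IP indicators.
    try:
        ipaddress.ip_network(s, strict=False)
        return "ip"
    except ValueError:
        pass
    # Anything with a scheme or a path component is treated as a URL.
    if "://" in s:
        parts = urlparse(s)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
        return "invalid"
    if "/" in s:
        host = s.split("/", 1)[0]
        return "url" if _DOMAIN_RE.match(host) else "invalid"
    if _DOMAIN_RE.match(s):
        return "domain"
    return "invalid"


def parse_feed(text: str):
    """Yield (line_number, indicator) pairs, skipping blank and '#' comment lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if entry and not entry.startswith("#"):
            yield lineno, entry


def check_feed(text: str, expected_type: str) -> dict:
    """Compare each entry's detected type with the Indicator type the Sophos
    feed will be configured with. Returns counts plus the offending lines."""
    total = matching = 0
    mismatches = []
    for lineno, entry in parse_feed(text):
        total += 1
        kind = classify(entry)
        if kind == expected_type:
            matching += 1
        else:
            mismatches.append((lineno, entry, kind))
    return {"total": total, "matching": matching, "mismatches": mismatches}


def fetch_feed(url: str, timeout: float = 10.0) -> str:
    """Download a feed the way the firewall will: HTTPS, no credentials, and
    the server certificate validated against the system trust store."""
    if urlparse(url).scheme != "https":
        raise ValueError("feed URL must use https")
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample feeds using reserved documentation ranges and names
# (RFC 5737, RFC 3849, .example); not real Lumu output.
SAMPLE_IP_FEED = """# constructed sample, not real Lumu output
203.0.113.17
198.51.100.0/24
2001:db8::1
malicious.example
"""

SAMPLE_URL_FEED = """https://malicious.example/payload.bin
http://198.51.100.7/update.php
bad host.example/x
"""

if __name__ == "__main__":
    for name, feed, kind in (("ips", SAMPLE_IP_FEED, "ip"), ("urls", SAMPLE_URL_FEED, "url")):
        result = check_feed(feed, kind)
        print(f"{name}: {result['matching']}/{result['total']} entries match '{kind}'")
        for lineno, entry, found in result["mismatches"]:
            print(f"  line {lineno}: {entry!r} looks like {found}")
```

Against a real list, run `check_feed(fetch_feed(url), "domain")` (or "ip" / "url") with the Indicator type you plan to select. A non-empty mismatches list means the URL and the Indicator type do not belong together; fix that before saving the feed, since the firewall's connection test only confirms that the URL is reachable.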
After adding the Lumu threat feeds to your Sophos Firewall, you must configure specific firewall settings and rules depending on the type of Indicators of Compromise (IoCs) in each feed and the type of traffic being handled. Follow the guidelines in the chart provided by Sophos, as well as the information in the following articles:
Sophos Firewall - Summary of requirements for Threat feeds