Sophos Firewall

Sophos Firewall Third-party Threat Feeds Installation

Use KDC IP, domain, and URL indicators securely with Sophos Firewall Third-party threat feeds.

Integration: Third-party Threat Feeds
Access: Private connection details after approval
Controlled access

Apply to use KDC's secure feed infrastructure

KDC USOM Feed Service is available only to reviewed and approved organizations. After technical review and approval, the connection IP/FQDN, port, feed URLs, and vendor-specific values are delivered through a secure channel.

1. Requirements

Before installation

  • Administrative access: Active threat response, third-party feed, and log-management permissions.
  • Source public IP: The actual public egress address used for feed access.
  • DNS and TLS: The KDC-provided FQDN and certificate chain must validate after approval.
  • Product eligibility: Verify a supported Sophos Firewall release and the Xstream Protection Bundle requirement for third-party threat feeds.

2. Feed creation

Add third-party threat feeds

Use Active threat response → Third-party threat feeds → Add.

  • Name: KDC-USOM-IP; IOC type: IPv4 addresses; Source: IP Feed URL from the KDC approval document
  • Name: KDC-USOM-DOMAIN; IOC type: Domains; Source: Domain Feed URL from the KDC approval document
  • Name: KDC-USOM-URL; IOC type: URLs; Source: URL Feed URL from the KDC approval document

Use a 15-minute initial polling interval or the value specified by KDC.

3. Blocking behavior

Validate automatic IOC enforcement

Sophos Firewall automatically blocks traffic based on IPv4 addresses, domains, and URLs in active third-party feeds. Closely monitor counters, blocking logs, and the false-positive process during initial rollout.

4. Verification

Check counters and last synchronization

  • Review active-feed and IOC counters.
  • Confirm a current last-synchronization time.
  • Verify expected records for every IOC type.
  • Review blocked IP, domain, and URL events in Log Viewer.

5. Troubleshooting

Feed not retrieved or IOC not blocked

  • Check the Xstream Protection Bundle license state.
  • Verify source-IP approval, DNS, and TLS access.
  • Confirm the feed type matches the file content.
  • Review Enabled state and polling interval.
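
One way to run the "feed type matches the file content" check offline on a downloaded feed file, as an added example that is not KDC or Sophos code. It assumes the feed is plain text with one indicator per line and that blank lines and `#` comments are ignored; the type names `ipv4`, `domain`, and `url` and the sample data are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry: str) -> str:
    """Return 'ipv4', 'domain', 'url' or 'invalid' for one feed line."""
    try:
        ipaddress.IPv4Address(entry)
        return "ipv4"
    except ValueError:
        pass
    if "://" in entry:
        try:
            parts = urlsplit(entry)
        except ValueError:
            return "invalid"
        ok = parts.scheme in ("http", "https") and bool(parts.hostname)
        return "url" if ok else "invalid"
    labels = entry.rstrip(".").split(".")
    well_formed = len(labels) >= 2 and all(_LABEL.match(l) for l in labels)
    # An all-numeric last label means a malformed IP, not a domain.
    if well_formed and not labels[-1].isdigit():
        return "domain"
    return "invalid"


def check_feed(text: str, declared: str) -> list:
    """List (line_no, entry, detected) for entries not matching `declared`."""
    mismatches = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # assumed comment convention
            continue
        detected = classify(entry)
        if detected != declared:
            mismatches.append((line_no, entry, detected))
    return mismatches


# Constructed sample with documentation-reserved values; not real KDC data.
SAMPLE_IP_FEED = "# sample\n192.0.2.10\n198.51.100.7\nbad.example.com\n203.0.113.999\n"

if __name__ == "__main__":
    for line_no, entry, detected in check_feed(SAMPLE_IP_FEED, "ipv4"):
        print(f"line {line_no}: {entry!r} looks like {detected}, expected ipv4")
```

An empty result means every entry matches the declared IOC type; any mismatch points to a feed object created with the wrong type or a source URL swapped between feeds.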

6. Rollback

Disable the feed safely

  1. Disable the related feed.
  2. Verify blocking behavior and logs.
  3. Delete the feed object if required and remove KDC source-IP approval.

Vendor KB and official documentation

Sophos Firewall references

Before implementation, also review the official administration guide, release notes, and capacity limits for the deployed product version.

The KDC guide does not replace vendor documentation. Menu names, license requirements, and supported capabilities can vary by product version and model.