Sophos XG Firewall v2
LAST UPDATED: MAY 6, 2025
Overview
Sophos XG Firewall is a next-generation firewall (NGFW) that delivers advanced threat protection, network security, and comprehensive visibility across environments ranging from small businesses to large enterprises.
READER NOTE
This integration is developed against version 21.0 of the API. Compatibility with earlier or later versions is contingent upon changes to the official API endpoints. Consequently, functionality in other versions is not guaranteed and requires thorough validation prior to deployment.
D3 SOAR provides RESTful operations to interface with Sophos XG Firewall version 2.
Sophos XG Firewall v2 is available for use in:
D3 SOAR | V16.1.0+ |
Category | Network Security |
Deployment Options |
Connection
To connect to Sophos XG Firewall v2 from D3 SOAR, follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The URL of the Sophos Firewall API service. | 192.168.86.86:4444 |
Username | The username used to authenticate the connection. | Admin |
Password | The password used to authenticate the connection. | ***** |
Permission Requirements
Each endpoint in the Sophos XG Firewall v2 API requires a certain permission scope. The following are minimum required permissions necessary to execute the commands in this integration:
Command | Required Permissions |
Block IPs |
|
List Firewall Rules |
|
List IP Hosts |
|
List URL Groups |
|
List Web Filter Policies |
|
Test Connection |
|
As Sophos XG Firewall v2 is using role-based access control (RBAC), the command permissions are inherited from the user account’s role. Users need to configure their user profile from the Sophos XG Firewall v2 console for each command in this integration.
READER NOTE
Sophos XG Firewall v2’s default user profiles are as follows:
Administrator: Super administrator with full privileges. Profile of the default admin. Can create administrators with restricted or full privileges.
Audit admin: Has read-write privileges to logs and reports.
Crypto admin: Has read-write privileges to configure security certificates.
HAProfile: Has read-only privileges to the auxiliary device, if high availability is configured.
Security admin: Has read-write privileges to all features, except profiles, logs, and reports.
Refer to Device access and Add a device access profile for details on configuring user profiles.
Configuring Sophos XG Firewall v2 to Work with D3 SOAR
Allowing API Access to Administrators
Add an administrator profile.
Navigate to the Profile menu item.
Select the Device access tab.
Click the Add button.
Configure the administrator profile.
Name the profile.
Select the Read-write radio option for the Objects row.
Select the Read-write radio option for the Network row.
Click the Save button.
Add an administrator.
Navigate to the Authentication menu item.
Select the Users tab.
Click the Add button.
Configure the user.
Enter a username.
Enter a name.
Select the Administrator option as the user type.
Select the previously configured administrator profile.
Enter and confirm the password.
Enter the user's email address.
Select the Open Group option as the group..
Click the Save button.
Allow the previously configured user API access.
Navigate to the Backup and firmware menu item.
Select the API tab.
Input the IP address from which API requests will originate (this should match the Server URL of the deployed Sophos XG Firewall instance, excluding the port number).
Click the + button.
Click the Apply button to save the configuration.
READER NOTE *
Ensure that the zone of the administrator's IP address has access to the web admin console. Users can do this on Administration > Device access using Local service ACL or Local service ACL exception rule.
Configuring D3 SOAR to Work with Sophos XG Firewall v2
Log in to D3 SOAR.
Find the Sophos XG Firewall v2 integration.
-20250507-003736.png?inst-v=f131e074-2146-4c79-a1cb-410b2a8cc313)
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Sophos XG Firewall v2 in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Sophos XG Firewall v2.
-20250507-000558.png?inst-v=f131e074-2146-4c79-a1cb-410b2a8cc313)
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add a description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users have the option to choose the specific tenant sites to share the connection with. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Active: Check the checkbox to ensure the connection is available for use.
Configure User Permissions: Defines which users have access to the connection.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
-20250507-000623.png?inst-v=f131e074-2146-4c79-a1cb-410b2a8cc313)
1. Input the Server URL of the Sophos XG Firewall v2 platform.
2. Input the Username associated with the Sophos XG Firewall v2 platform.
3. Input the Password associated with the Sophos XG Firewall v2 platform.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
-20250507-000734.png?inst-v=f131e074-2146-4c79-a1cb-410b2a8cc313)
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Sophos XG Firewall v2 includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Sophos XG Firewall v2 API, refer to the Sophos XG Firewall v2 API reference.
READER NOTE
Certain permissions are required for each command. Refer to the Permission Requirements and Configuring Sophos XG Firewall v2 to Work with D3 SOAR sections for details.
Block IPs
Blocks specified IP addresses by adding them to a designated IP host group. The host group must be referenced in a firewall rule configured to drop matching traffic.
READER NOTE
IP Host Group Name is a required parameter to run this command.
Run the List IP Host Groups command to obtain the IP Host Group Name. IP Host Group Names can be found in the raw data at the path $.Response.IPHostGroup[*].Name.
Input
Input Parameter | Required/Optional | Description | Example |
IP Host Group Name | Required | The name of the IP Host Group to which the IP addresses will be added for blocking. The group must be referenced in a firewall rule configured to drop matching traffic. IP Host Group Name can be obtained using the List IP Host Groups command. A non-existent IP host group name will be automatically created upon successful execution of the command. | D3BlockIPGroup |
Blocked IPs | Required | The IP addresses to block by adding them to the specified IP host group. Traffic from these addresses will be dropped by the firewall rule. Only IPv4 addresses are supported. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block IPs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data Block IPs failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List Firewall Rules
Retrieves firewall rules from Sophos XG Firewall.
Input
Input Parameter | Required/Optional | Description | Example |
Firewall Rule Name | Optional | The name of the firewall rule to query. The value may be a full or partial name. By default, all firewall rules are returned regardless of their name. | FirewallRule-1 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Firewall Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List Firewall Rules failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List IP Hosts
Retrieves IP Host entries from Sophos XG Firewall.
Input
Input Parameter | Required/Optional | Description | Example |
IP Host Name | Optional | The name of the IP Host to query. The value may be a full or partial name. By default, all IP Hosts are returned regardless of their name. | Block-Host |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List IP Hosts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List IP Hosts failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List URL Groups
Retrieves Web Filter URL Groups from Sophos XG Firewall.
Input
Input Parameter | Required/Optional | Description | Example |
URL Group Name | Optional | The name of the Web Filter URL Group to query. The value may be a full or partial name. By default, all Web Filter URL Groups are returned regardless of their name. | D3BlockURLGroup |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List URL Groups failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List URL Groups failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
List Web Filter Policies
Retrieves Web Filter Policies from Sophos XG Firewall.
Input
Input Parameter | Required/Optional | Description | Example |
Web Filter Policy Name | Optional | The name of the Web Filter Policy to query. The value may be a full or partial name. By default, all Web Filter Policies are returned regardless of their name. | Default Policy |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Web Filter Policies failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |
Error Sample Data List Web Filter Policies failed. Status Code: 403. Message: You must have a valid Support account to call this API. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors: A connection issue with the integration The API returned an error message No response from the API More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Sophos XG Firewall v2 portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid support account to call this API. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 403. Message: You must have a valid Support account to call this API |