Sophos Firewall Configuration Requirements and Setup
By following these steps, you can successfully configure the Sophos Connector and Sophos Firewall to forward events to your specified machine.
System Configuration Requirements
Required Linux Systems
- Sophos Versions Supported:
  - SFOS 19.5.1
  - SFO1V
- CPU and RAM:
  2 vCPUs and 4 GB of RAM are sufficient for typical deployments. For higher loads, scale up the resources.
- Syslog System:
  The syslog system must be operational 24/7 to ensure continuous monitoring and logging.
- IP Address:
  A static IP address is required for stable connectivity and configuration.
Sophos Ingestion Connector Configuration in XDR
- Navigate to the Connector:
- Navigate to the Connector page in the XDR portal and select Ingestion.
- Select Event Connector.
- Click Configure.
- Configure the Event Connector:
- Enter the Collector ID and Password.
- Select Validate and Save.
Sophos Ingestion Connector Requirements
- Static IP Address:
  Ensure the machine has a static IP address allocation.
- Install Docker Engine:
  - Install Docker Engine from the official Get Docker page.
  - Start the Docker service using the following command:
    ```
    systemctl start docker
    ```
- Collect System IP Address:
- Note the IP address of the system.
- Open Firewall Ports:
  - For Linux and macOS:
    ```
    # Open UDP port 514 in the Linux system firewall (firewalld)
    firewall-cmd --permanent --add-port=514/udp
    firewall-cmd --reload
    ```
- Download Docker Image:
  - Download the Docker image tar file from the following URL, substituting the collector ID, collector password and tenant ID created in the XDR portal:
    ```
    https://connectors-xdr.seqrite.com/connectors/collector/download?collectorId=<created collector id>&password=<created collector password>&tid=<tenant-id>
    ```
- Load Docker Image:
  - Load the Docker image using:
    ```
    docker load --input <path to hhcollector-1.0.0.tar file>
    ```
- Start the Agent:
  - Start the agent using the command:
    ```
    docker run -p 514:514/udp --env COLLECTOR_ID=<created collector id> --env TID=<tenant id> hhcollector
    ```
Sophos Firewall Configuration Requirements
- Event Collector Setup:
- Ensure the event collector is up and running.
- Enable Event Forwarding:
- Go to the Sophos web interface.
- Navigate to System Services > Log Settings.
- Under Syslog Server, select Add.
- Set the event collector machine IP and UDP port 514 as the target for syslog log forwarding.
- Save and Apply Settings:
- Select Save.
- In Log Settings, right-click All and select Apply.
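Before the collector container is started (it binds UDP 514 itself), it is worth confirming that the firewall's syslog forwarding actually reaches the collector host on UDP 514 and that what arrives is well-formed syslog. The script below is an added example and not Seqrite or Sophos code: it listens on the port, splits the RFC 3164 `<PRI>` header into facility and severity, and extracts `key=value` pairs from the body. The sample datagram is constructed, and its field names (`device`, `log_type`, `src_ip`, ...) are assumed for illustration rather than taken from the Sophos log format.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Constructed sample datagram (not captured from a real Sophos Firewall):
# an RFC 3164-style <PRI> prefix followed by key=value pairs. The field
# names are illustrative and assumed.
SAMPLE_DATAGRAM = (
    b'<134>device="SFW" date=2024-01-01 time=12:00:00 log_type="Firewall" '
    b'log_subtype="Allowed" src_ip=10.0.0.5 dst_ip=10.0.0.9 dst_port=443'
)

# Standard syslog facility (0-23) and severity (0-7) names.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_pri(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split the <PRI> header into (facility, severity, remaining bytes).

    Returns None when the datagram carries no valid PRI (PRI must be 0..191),
    which usually means the sender is not speaking syslog at all.
    """
    m = PRI_RE.match(data)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8, data[m.end():]


def parse_kv(body: str) -> Dict[str, str]:
    """Extract key=value and key="quoted value" pairs from a log body."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def decode_datagram(data: bytes) -> Optional[Dict[str, object]]:
    """Decode one datagram into facility/severity names plus parsed fields."""
    parsed = parse_pri(data)
    if parsed is None:
        return None
    facility, severity, body = parsed
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "fields": parse_kv(body.decode("utf-8", errors="replace")),
    }


def listen(port: int = 514, seconds: float = 30.0, bind: str = "0.0.0.0") -> int:
    """Print a summary of each datagram until `seconds` pass with no traffic.

    Returns the number of datagrams received. Binding to 514 needs root, and
    the collector container must not be running yet, since it binds the same port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    sock.settimeout(seconds)
    received = 0
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            received += 1
            decoded = decode_datagram(data)
            if decoded is None:
                print(f"{src}: not syslog: {data[:60]!r}")
                continue
            f = decoded["fields"]
            print(f"{src}: {decoded['facility']}.{decoded['severity']} "
                  f"log_type={f.get('log_type')} subtype={f.get('log_subtype')}")
    except socket.timeout:
        pass
    finally:
        sock.close()
    return received


if __name__ == "__main__":
    n = listen()
    print(f"received {n} datagram(s); 0 means forwarding is not reaching this host on UDP 514")
```

Run it as root on the collector machine after applying the Sophos log settings and before `docker run`; if nothing arrives within the timeout, check the static IP and UDP port entered under Syslog Server, the host firewall rule for 514/udp, and any network path filtering between the firewall and the host. Datagrams reported as "not syslog" indicate a sender other than the firewall or a non-syslog format, which the collector would not parse either.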