Sophos Connector


Sophos Firewall Configuration Requirements and Setup

By following these steps, you configure the Sophos Connector (the event collector) and the Sophos Firewall so that firewall events are forwarded over syslog to the collector machine you specify.

System Configuration Requirements

  1. Sophos Versions Supported:
    • SFOS 19.5.1
    • SFO1V
  2. CPU and RAM:
    A configuration of 2 vCPUs and 4 GB of RAM is sufficient for deployments. For higher loads, consider scaling up the resources.
  3. Syslog System:
    The Syslog system must be operational 24/7 to ensure continuous monitoring and logging.
  4. IP Address:
    A static IP address is required for stable connectivity and configuration.

Sophos Ingestion Connector Configuration in XDR

  1. Navigate to the Connector:
    • Navigate to the Connector page in the XDR portal and select Ingestion.
    • Select Event Connector.
    • Click Configure.
  2. Configure the Event Connector:
    • Enter the Collector ID and Password.
    • Select Validate and Save.

Sophos Ingestion Connector Requirements

  1. Static IP Address:
    Ensure the machine has a static IP address allocation.
  2. Install Docker Engine:
    • Install Docker from Get Docker.
    • Start the Docker service using the following command:
      systemctl start docker
      
  3. Collect System IP Address:
    • Note the IP address of the system.
  4. Open Firewall Ports:
    • For Linux and macOS:
      
      # Opening port in Linux system firewall
      firewall-cmd --permanent --add-port=514/udp
      firewall-cmd --reload
      
    • For Windows:
      • Open an elevated (Run as administrator) PowerShell prompt, which New-NetFirewallRule requires, and execute:
      # Opening port in Windows system firewall
      New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow
      New-NetFirewallRule -DisplayName "Allow UDP Port 514" -Direction Outbound -Protocol UDP -LocalPort 514 -Action Allow
      
  5. Download Docker Image:
    • Download the Docker image tar file from the given URL:
      
      https://connectors-xdr.seqrite.com/connectors/collector/download?collectorId=<created collector id>&password=<created collector password>&tid=<tenant-id>
      
  6. Load Docker Image:
    • Load the Docker image using:
      docker load --input <path to hhcollector-1.0.0.tar file>
  7. Start the Agent:
    • Start the agent using the command:
      docker run -p 514:514/udp --env COLLECTOR_ID=<created collector id> --env TID=<tenant id> hhcollector
      

Sophos Firewall Configuration Requirements

  1. Event Collector Setup:
    • Ensure the event collector is up and running.
  2. Enable Event Forwarding:
    • Go to the Sophos web interface.
    • Navigate to System Services > Log Settings.
    • Under Syslog Server, select Add.
    • Set the event collector machine IP and UDP port 514 as the target for syslog log forwarding.
      (Screenshot: Sophos Connector Step 1)
  3. Save and Apply Settings:
    • Select Save.
    • In Log Settings, right-click All and select Apply.
      (Screenshot: Sophos Connector Step 2)
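To confirm that the firewall rule and the container's 514/udp port mapping actually deliver events before you point the Sophos Firewall at the collector, the following added smoke test (not part of this page, nor Seqrite's or Sophos's own tooling) sends one constructed Sophos-style syslog event to the collector IP and parses the key="value" body the way a reviewer would inspect what arrives. The field names in SAMPLE_BODY are assumed for illustration; run it from a host on the same network segment as the firewall.

```python
"""Smoke test for the firewall -> collector syslog path (added example).
Usage: python smoke_test.py <collector ip>   (defaults to 127.0.0.1)"""
import re
import socket
import sys
from datetime import datetime, timezone

# Constructed Sophos-style event body: space-separated key=value / key="value"
# pairs. Field names are assumed for illustration; addresses are RFC 5737 test ranges.
SAMPLE_BODY = ('device="SFW" date=2024-01-01 time=12:00:00 timezone="UTC" '
               'device_name="SFVUNL" log_type="Firewall" log_subtype="Allowed" '
               'src_ip=192.0.2.5 dst_ip=203.0.113.10 dst_port=443 protocol="TCP"')

# Matches key=value where value is either "quoted (may contain spaces)" or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def syslog_pri(facility: int = 16, severity: int = 6) -> int:
    """RFC 3164 PRI = facility * 8 + severity; default local0.info = 134."""
    return facility * 8 + severity


def build_syslog_line(body: str, hostname: str = "sophos-test", pri: int = syslog_pri()) -> str:
    """Wrap a body in a BSD syslog header: <PRI>Mmm dd hh:mm:ss HOST body."""
    now = datetime.now(timezone.utc)
    ts = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{pri}>{ts} {hostname} {body}"


def parse_sophos_kv(body: str) -> dict:
    """Parse the key=value pairs of an event body into a dict of strings."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(body)}


def send_test_event(collector_ip: str, port: int = 514) -> str:
    """Send one constructed event to the collector over UDP; return the line sent.
    UDP gives no delivery receipt, so check the collector side (e.g. container logs)."""
    line = build_syslog_line(SAMPLE_BODY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (collector_ip, port))
    return line


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("sent:   ", send_test_event(target))
    print("parsed: ", parse_sophos_kv(SAMPLE_BODY))
```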