Sophos XG Firewall

Sophos XG is an on-premises next-generation firewall appliance that can send its logs to InsightIDR. InsightIDR can parse the following logs:

  • Firewall
  • Antivirus
  • Web Proxy
  • IDS

You can read the admin guide here: https://docs.sophos.com/nsg/sophos-firewall/v17.0.2/PDF/Sophos%20XG%20Firewall%20Web%20Interface%20Reference%20Guide.pdf

To ensure Sophos XG forwards its logs to InsightIDR, you must configure:

  1. Syslog Forwarding
  2. Sophos XG Event Source

Configure Syslog Forwarding

You can configure your Sophos XG to forward its logs to a syslog server. Follow the instructions provided by Sophos here: https://community.sophos.com/kb/en-us/123184

For best results, use the system running the InsightIDR Collector as your syslog server, specifying its:

  • Port (where 514 is the default)
  • IP Address

Additionally, choose the following options during configuration:

  • Facility: DAEMON
  • Severity Level: Debug
  • Format: Device Standard Format

Sophos Central is the tool that allows for central management of firewall configuration. You can use the Sophos Central API to configure log forwarding to a SIEM such as InsightIDR. Follow the directions here: https://community.sophos.com/kb/en-us/125169

Configure Sophos XG Event Source

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. If you want, you can also name your event source.

The event source Sophos XG is not the same as Sophos Firewall (UTM).

When choosing an event source from the firewall options, be sure to select the correct one.

  1. Choose the time zone that matches the location of your event source logs.
  2. Optionally choose to send unparsed logs.
  3. Select an attribution source.
  4. Configure your default domain and any advanced settings.
  5. Select syslog and specify the port and protocol you configured earlier.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  6. Click the Save button.

Attribution source options

Sophos XG product logs can contain information about hosts and accounts. When setting up Sophos XG as an event source, you can choose one of the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify Log Parsing

After you configure this event source, check that the Sophos XG logs appear in log search and adhere to the following format:

<30> device="SFW" date=2019-03-06 time=23:04:00 timezone="EST" device_name="XG330" device_id=A11111AAA1F9R30 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=94 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=00: 0:00: 0:00: 0 src_ip=10.1.1.2 src_country_code=R1 dst_ip=10.10.10.10 dst_country_code=R1 protocol="TCP" src_port=43874 dst_port=458 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="3205265920" vconnid="" hb_health="No Heartbeat"
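As an added example (not Rapid7's or Sophos's code), a small Python checker for the Device Standard Format shown above: it decodes the syslog <PRI> to confirm the facility is DAEMON as configured earlier, splits the key=value body (quoted and bare values, including empty ones such as tran_src_ip=), and flags missing fields. The field names come from the sample line; the set of required fields is my assumption.

```python
import re

# Sophos XG "Device Standard Format": a syslog <PRI> header followed by
# space-separated key=value pairs; values are double-quoted (may contain
# spaces) or bare, and a bare value may be empty (e.g. tran_src_ip=).
PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Syslog facility DAEMON is 3, the value this page tells you to configure.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth"}
# Assumed minimum set of fields every line should carry.
REQUIRED = ("device", "date", "time", "log_type", "log_component", "src_ip", "dst_ip")

def parse_pri(line):
    """Decode the leading <PRI> into (facility, severity); None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def parse_fields(line):
    """Split the key=value body into a dict (quotes removed, empties kept)."""
    m = PRI_RE.match(line)
    body = line[m.end():] if m else line
    return {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(body)}

def check_line(line, expected_facility=3):
    """Return problems found in one line; an empty list means it matches."""
    problems = []
    pri = parse_pri(line)
    if pri is None:
        problems.append("missing syslog <PRI> header")
    elif pri[0] != expected_facility:
        problems.append(f"facility {FACILITY_NAMES.get(pri[0], pri[0])}, "
                        f"expected {FACILITY_NAMES[expected_facility]}")
    fields = parse_fields(line)
    if fields.get("device") != "SFW":
        problems.append(f"unexpected device={fields.get('device')!r}")
    problems += [f"missing field {k}" for k in REQUIRED if k not in fields]
    return problems

# Constructed sample, shortened from the format shown on this page.
SAMPLE = ('<30>device="SFW" date=2019-03-06 time=23:04:00 timezone="EST" '
          'device_name="XG330" log_type="Firewall" log_component="Firewall Rule" '
          'log_subtype="Allowed" status="Allow" priority=Information src_ip=10.1.1.2 '
          'dst_ip=10.10.10.10 protocol="TCP" src_port=43874 dst_port=458 '
          'tran_src_ip= tran_src_port=0 connevent="Start"')

if __name__ == "__main__":
    print(parse_pri(SAMPLE), parse_fields(SAMPLE)["log_component"], check_line(SAMPLE))
```

Run it over a few lines exported from log search; any non-empty result means the event source or the XG syslog settings (facility, format) need another look.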