Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

If you've multiple Sophos firewalls and you want to update the SPX configuration using a better way would be to do it via API.

The following sections are covered:

• What to do

This applies to the following Sophos products and versions
Sophos Sophos Firewall
 

What to do

To update the SPX configuration, please follow the steps mentioned below:

Note: I've created a new user named API with an Administrator profile and generated it's the encrypted password for api user by following KBA Sophos Sophos Firewall: How to get the encrypted password form that can be used for API calls  

Step 1: Create a dummy IP host using the following query. I've created an IP host named ip1 and its value is 192.168.168.168.

Query 1:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request>
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set>
                <IPHost transactionid="">
                    <Name>ip1</Name>
                    <IPFamily>IPv4</IPFamily>
                    <HostType>IP</HostType>
                    <IPAddress>192.168.168.168</IPAddress>
                </IPHost>
            </Set>
        </Request>

Sample Output of query 1: 

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<IPHost transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</IPHost>
</Response>

Step 2:

For Email Legacy Mode use the following API query to update the SPX configuration:

Query 2:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request APIVersion="1800.1">
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set operation="update">
                <SPXConfiguration>
                    <SPSophoslobalTemplate>
                        <DefaultSPXTemplate>Default Template</DefaultSPXTemplate>
                    </SPSophoslobalTemplate>
                    <HostName>None</HostName>
                    <AllowedNetworks>
                        <Network>Specify Name of IP host created in Step 1 (i.e. ip1)</Network>
                    </AllowedNetworks>
                    <Port>8094</Port>
                    <KeepUnusedPassFor>30</KeepUnusedPassFor>
                    <AllowPassRegistrationFor>10</AllowPassRegistrationFor>
                    <SendNotifcationErrorTo>SenderOnly</SendNotifcationErrorTo>
                </SPXConfiguration>
            </Set>
        </Request>

Sample Output of query 2:

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<SPXConfiguration transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</SPXConfiguration>
</Response>

OR

For Email MTA Mode use the following API query to update the MTA SPX configuration 

Query 3:

https://<Firewall IP>:<Port>/webconsole/APIController?reqxml=
        <Request APIVersion="1800.1">
            <Login>
                <Username>api</Username>
                <Password passwordform="encrypt">Specify encrypted passoword here</Password>
            </Login>
            <Set operation="update">
                <MTASPXConfiguration>
                    <SPSophoslobalTemplate>
                        <DefaultSPXTemplate>Default Template</DefaultSPXTemplate>
                    </SPSophoslobalTemplate>
                    <HostName>None</HostName>
                    <AllowedNetworks>
                        <Network>Specify Name of IP host created in Step 1 (i.e. ip1)</Network>
                    </AllowedNetworks>
                    <Port>8094</Port>
                    <KeepUnusedPassFor>30</KeepUnusedPassFor>
                    <AllowPassRegistrationFor>10</AllowPassRegistrationFor>
                    <SendNotifcationErrorTo>SenderOnly</SendNotifcationErrorTo>
                    <AllowSecureReplyfor>30</AllowSecureReplyfor>
                </MTASPXConfiguration>
            </Set>
        </Request>

Sample Output of query 3:

<Response APIVersion="1800.1" IPS_CAT_VER="1">
<Login>
<status>Authentication Successful</status>
</Login>
<MTASPXConfiguration transactionid="">
<Status code="200">Configuration applied successfully.</Status>
</MTASPXConfiguration>
</Response>

In case you're getting error <Status code="529">Input request file is Invalid</Status> refer KBA Sophos Sophos Firewall: How to solve <Status code="529">Input request file is Invalid</Status> while using API query with Sophos firewall

Related information

• Sophos Sophos Firewall: How to use API
• Sophos Sophos Firewall: How to get the encrypted password form that can be used for API calls
• Sophos Sophos Firewall: How to solve <Status code="529">Input request file is Invalid</Status> while using API query with Sophos firewall

Updated Disclaimer
[edited by: Erick Jan at 9:13 AM (GMT -7) on 17 Apr 2023]