
What is the Easiest Way to Add a Large Number of Definitions?

Greetings Sophos community,

At my work, we have a Sophos 210SG UTM. Every few days, we receive lists of risky IP addresses and domains that should be blocked.

In the last two weeks, we started receiving huge lists, like 250 IP addresses or 300 domains, that we have to block, and the IP addresses are not ranges or in sequence.

I would be able to handle all that with the CLI, but I did not find any reference that could help me deal with the Sophos CLI.

In this case, does anybody know the best way to handle such a huge configuration, or at least help me with a solution?

Thank you for your time.

  • You need to look at the REST API, although I have not used it, so I don't know what is available for this issue. UTM is designed to be managed through the GUI, so nothing is documented about CLI scripts.

    This also seems like the arcade game of whack-a-mole. There are 4 billion IPv4 addresses, and an almost infinite number of IPv6 addresses, so I don't know that you can make much headway entering 250 at a time.

    I also wonder how many entries you can have in your list before UTM performance collapses, either during configuration tasks or during packet processing. Windows folders tend to become very inefficient to browse after they have 2000 entries, so I am extrapolating from bad experiences there.

    I suggest you look at Country Blocking and additional RBLs to preemptively block addresses that you do not need or do not trust. When you do block an IP address, I would recommend blocking the /24 subnet rather than just one address.

    When our staff travel overseas, they have to notify us of their current IP address, even if it changes every day. We unblock that one address for remote access and leave the rest of the country blocked.

    All of this depends, of course, on your communication requirements, both incoming and outgoing.
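As an added example, not code from the thread or from Sophos, here is a Python script that turns a mixed feed like the one described above into UTM REST API object payloads (`network/host` for IPs, `network/dns_host` for domains), skipping duplicates and junk lines. The endpoint paths, the field names `address`/`address6`/`hostname`, the `token:<token>` Basic-auth header and the base URL are my assumptions from reading the UTM REST API documentation; check them against the `/api/` reference on your own appliance before submitting anything.

```python
import base64
import ipaddress
import json
import re
import urllib.request

# Constructed sample feed of the mixed IP/domain kind described in the post.
SAMPLE_FEED = """
# risky hosts, week 12 (constructed)
198.51.100.23
203.0.113.77
198.51.100.23        # duplicate
bad.example.net
2001:db8::1
malware.example.org
not a valid entry!
"""
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_feed(text):
    """Split a feed into IP hosts, DNS hosts and rejected lines; drops comments and duplicates."""
    hosts, dns_hosts, rejected, seen = [], [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry or entry in seen:
            continue
        seen.add(entry)
        try:
            ipaddress.ip_address(entry)          # raises ValueError for non-IP entries
            hosts.append(entry)
        except ValueError:
            (dns_hosts if DOMAIN_RE.match(entry) else rejected).append(entry)
    return hosts, dns_hosts, rejected

def build_payloads(hosts, dns_hosts, comment="blocklist feed"):
    """Return (endpoint, body) pairs; endpoint paths and field names are assumed from the UTM REST API docs."""
    payloads = []
    for ip in hosts:
        field = "address6" if ipaddress.ip_address(ip).version == 6 else "address"
        payloads.append(("objects/network/host", {"name": f"feed-{ip}", field: ip, "comment": comment}))
    for name in dns_hosts:
        payloads.append(("objects/network/dns_host", {"name": f"feed-{name}", "hostname": name, "comment": comment}))
    return payloads

def submit(payloads, base_url, api_token):
    """POST each payload; the 'token:<token>' Basic-auth scheme is assumed. Returns the number created (HTTP 201)."""
    auth = base64.b64encode(f"token:{api_token}".encode()).decode()
    created = 0
    for endpoint, body in payloads:
        req = urllib.request.Request(f"{base_url}/api/{endpoint}/", data=json.dumps(body).encode(), method="POST",
                                     headers={"Authorization": f"Basic {auth}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            created += resp.status == 201
    return created

if __name__ == "__main__":
    h, d, bad = parse_feed(SAMPLE_FEED)
    print(f"{len(h)} IP hosts, {len(d)} DNS hosts, rejected: {bad}")
    # submit(build_payloads(h, d), "https://utm.example.internal:4444", "YOUR-API-TOKEN")  # placeholder values
```

The objects this creates still have to be put into a network group and referenced by a firewall rule, which the script deliberately leaves to the administrator so the review of what gets blocked happens in the GUI.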

  • Thank you for replying.

    I will look into the REST API to see what's in there to help me.
