Bulk add/import of IP Addresses

Hey All

Just wondering if there's any way to bulk add IP Addresses in Firewall Rules

Basically - I've got a list of IP addresses I'd like to add in a firewall rule, but I can only add network ranges etc. or individual hosts.

It's pretty cumbersome adding individual hosts/IP addresses one by one, especially if you have a list of IP addresses from IOCs you need to add in bulk.




  • Hi Daniel,

    If you're good at using RESTful API, you can automate the process.  A search here should find someone that's done this.  You'll see that having too many objects can slow throughput though.

    What is an IOC and what kind of firewall rule do you want to create?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob

    An IOC is an Indicator of Compromise.

    For example - the latest Australian cyber attack - the intelligence agency sent out a list of malicious IPv4 addresses and domains, of which there were about 20-30.

    I wanted to create a firewall rule to block those IPv4 addresses and domains both ways, but could only add them one by one in the firewall rule.

    I also keep up to date at https://otx.alienvault.com/browse/pulses?q= which is the biggest open source community for IOCs for ransomware/malware, which I keep an eye on, and I block domains/IPs I think should be blocked.

  • Intrusion Prevention and the various Proxies might already be blocking those IPs.  Unless you have a DNAT or Full NAT allowing external traffic in, it will be default blocked unless it passes through a Proxy.  Net-net, you may be duplicating the work done by the various services used by the UTM.

    If you have a DNAT for some inbound traffic, it takes precedence over firewall rules if you select 'Automatic firewall rule' - see #2 in Rulz (last updated 2019-04-17).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
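
Bob's first reply points out that a bulk import can be automated and that too many objects can slow throughput. The following Python is an added example, not code from the thread or from Sophos: it prepares an IOC list before any import by validating entries, dropping duplicates and addresses inside your own networks, and merging adjacent hosts into the fewest exact CIDR ranges. The one-entry-per-line feed format, the `PROTECTED` list and the sample addresses (documentation ranges) are assumptions; it does not call the UTM API.

```python
import ipaddress

# Assumption: networks that must never end up in a block rule (own LAN, loopback).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample feed using documentation address ranges, not real indicators.
SAMPLE_FEED = """\
# advisory export (constructed)
203.0.113.4
203.0.113.5
203.0.113.6
203.0.113.7
198.51.100.23
198.51.100.23   # duplicate entry
192.168.1.10
bad.example.net
300.1.1.1
2001:db8::1
"""

def build_blocklist(feed_text):
    """Return (networks, rejected): collapsed IPv4 CIDRs and skipped entries with reasons."""
    keep, rejected = set(), []
    for raw in feed_text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not an IP address"))
            continue
        if ip.version != 4:
            rejected.append((entry, "not IPv4"))
        elif any(ip in net for net in PROTECTED):
            rejected.append((entry, "inside a protected network"))
        else:
            keep.add(ipaddress.ip_network(f"{ip}/32"))
    # Merge duplicates and adjacent hosts; only exact covers are produced,
    # so no address outside the feed is ever added to the block list.
    networks = [str(n) for n in ipaddress.collapse_addresses(keep)]
    return networks, rejected

if __name__ == "__main__":
    networks, rejected = build_blocklist(SAMPLE_FEED)
    for net in networks:
        print("block", net)
    for entry, reason in rejected:
        print("skipped", entry, "-", reason)
```

Here six usable feed lines become two network objects, and the rejected list shows which entries (domains, IPv6, malformed or internal addresses) need separate handling.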