Automatically Add to Blocklist When Rule is Hit

I have a client who has migrated from a Watchguard firewall to a Sophos XG310. One of the features they have requested is as follows:

We own a CIDR of IP addresses, for example: 1.1.1.0/28 ranging from 1.1.1.1-1.1.1.14

We would like to set up a "honeypot" of sorts. The IP address 1.1.1.2 in this example is completely unused. There are no services running on that IP and there is no chance that a valid client will access it. What we would like to do is automatically add any IP address which hits 1.1.1.2 in any way to a global blocklist as this behavior is only indicative of somebody snooping around what they don't need to access.

Is this possible?



  • Hello,

    I think it is possible using external services only.

    For example external syslog triggering REST-API.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Austin and welcome to the UTM Community!

    Firewall and Policies in the XG Firewall Community is where you will want to ask future questions about XG Firewall.

    I'm not sure I like the idea of automatically populating a blocklist.  In today's world with AWS, Azure, etc., so many public IPs are used temporarily and then used again by others.  A client of mine in Maine has had about 130 different IPs scan one location in May-July.  Most scans came from China, so it was easy to use a combination of a portscan Exception and a firewall Drop rule to eliminate the email alerts caused by Chinese hackers, but that involved using the entire subnet like the one shown (image from UTM, not XG).

    In the last week, we've gotten portscan alerts from random IPs in AWS, Linode, Google Cloud and LeaseWeb here in the US.  The bad guys only use the IP for a day and then move on to a new one.  The old one then gets used by a non-criminal.

    When you post in the XG Community, instead of asking for help with your solution, I would explain what your problem is and ask for suggestions on how best to address it with XG.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
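The two replies above sketch the whole design: Dirk's "external syslog triggering REST-API" is the mechanism, and Bob's point about cloud IPs being recycled within days is the reason a blocklist fed this way must expire entries. The script below is an added example of that pipeline; it is not code from Sophos or from either poster. It assumes XG's key=value syslog format with `src_ip`/`dst_ip` fields, a host group named `Honeypot_Blocklist` that an existing DROP firewall rule already references, that traffic to the decoy address is actually being logged (a rule matching 1.1.1.2 with logging on, or the logged default drop), and an API call shape for XG's XML API that you should confirm against the API reference for your firmware. The log lines are constructed for the demo.

```python
# Honeypot-to-blocklist bridge: added example, not Sophos's or the posters' code.
import ipaddress
import re
import time
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple
from xml.sax.saxutils import escape

HONEYPOT_IPS = {"1.1.1.2"}          # decoy from the thread: unused address in 1.1.1.0/28
NEVER_BLOCK = [ipaddress.ip_network(n) for n in       # own range + RFC 1918, never block
               ("1.1.1.0/28", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_TTL = 24 * 3600                # seconds; cloud IPs get recycled, so blocks must expire
HOST_GROUP = "Honeypot_Blocklist"    # assumed host group that an existing DROP rule references
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value pairs, quoted or bare

def parse_xg_line(line: str) -> Dict[str, str]:
    """Split an XG-style key=value syslog line into a dict (field names assumed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def honeypot_source(line: str) -> Optional[str]:
    """Source IP if the line records traffic to a decoy address from outside, else None."""
    f = parse_xg_line(line)
    src = f.get("src_ip")
    if not src or f.get("dst_ip") not in HONEYPOT_IPS:
        return None
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    return None if any(addr in net for net in NEVER_BLOCK) else src

class Blocklist:
    """Blocked sources with expiry; calls push(action, ip) for 'add' and 'remove'."""

    def __init__(self, push: Callable[[str, str], None],
                 ttl: int = BLOCK_TTL, now: Callable[[], float] = time.time):
        self.push, self.ttl, self.now = push, ttl, now
        self.entries: Dict[str, float] = {}          # ip -> expiry (epoch seconds)

    def process(self, line: str) -> Optional[str]:
        """Feed one log line; returns the IP if it was newly blocked."""
        ip = honeypot_source(line)
        if ip is None:
            return None
        fresh = ip not in self.entries or self.entries[ip] <= self.now()
        self.entries[ip] = self.now() + self.ttl     # add, or refresh on repeat hits
        if fresh:
            self.push("add", ip)
            return ip
        return None

    def expire(self) -> List[str]:
        """Drop entries past their TTL and unblock them on the firewall."""
        gone = [ip for ip, exp in self.entries.items() if exp <= self.now()]
        for ip in gone:
            del self.entries[ip]
            self.push("remove", ip)
        return gone

def xg_api_url(fw_host: str, username: str, password: str, ip: str) -> str:
    """URL of the XML API call that adds `ip` as an IPHost in HOST_GROUP.

    ASSUMPTION: endpoint https://<fw>:4444/webconsole/APIController with the request
    XML in `reqxml`; check element names against the API reference for your firmware.
    """
    xml = (f"<Request><Login><Username>{escape(username)}</Username>"
           f"<Password>{escape(password)}</Password></Login>"
           f"<Set><IPHost><Name>honeypot-{ip.replace('.', '-')}</Name>"
           f"<IPFamily>IPV4</IPFamily><HostType>IP</HostType><IPAddress>{ip}</IPAddress>"
           f"<HostGroupList><HostGroup>{HOST_GROUP}</HostGroup></HostGroupList>"
           f"</IPHost></Set></Request>")
    return f"https://{fw_host}:4444/webconsole/APIController?reqxml=" + urllib.parse.quote(xml)

# Constructed sample lines in XG's key=value style (not real firewall output).
LOG_SAMPLE = [
    'device="SFW" date=2020-07-15 time=10:11:12 log_type="Firewall" log_subtype="Denied" '
    'src_ip=203.0.113.5 dst_ip=1.1.1.2 protocol="TCP" dst_port=22',     # scanner hits decoy
    'device="SFW" date=2020-07-15 time=10:11:13 log_type="Firewall" log_subtype="Allowed" '
    'src_ip=198.51.100.7 dst_ip=1.1.1.3 protocol="TCP" dst_port=443',   # real service, ignore
    'device="SFW" date=2020-07-15 time=10:11:14 log_type="Firewall" log_subtype="Denied" '
    'src_ip=1.1.1.9 dst_ip=1.1.1.2 protocol="ICMP"',                    # own range, never block
    'device="SFW" date=2020-07-15 time=10:11:15 log_type="Firewall" log_subtype="Denied" '
    'src_ip=203.0.113.5 dst_ip=1.1.1.2 protocol="TCP" dst_port=3389',   # repeat, no second push
]

def run_demo(lines: List[str] = LOG_SAMPLE) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Run the sample with a fake clock; returns (blocked, expired, pushes)."""
    clock = [1_000_000.0]
    pushes: List[Tuple[str, str]] = []
    bl = Blocklist(push=lambda a, ip: pushes.append((a, ip)), now=lambda: clock[0])
    blocked = [ip for ip in (bl.process(l) for l in lines) if ip]
    clock[0] += BLOCK_TTL + 1        # a day later the cloud IP may belong to someone else
    expired = bl.expire()
    return blocked, expired, pushes
```

In production the `push` callback would issue the `xg_api_url` request (and a matching removal) over HTTPS with an API-only admin account, and the lines would arrive from a syslog receiver such as rsyslog or syslog-ng writing to a file this script tails. The `NEVER_BLOCK` list is the check that keeps a misconfigured internal host, or your own range, from locking itself out; the TTL plus refresh-on-repeat is what addresses the IP-reuse problem Bob raises.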