Skip to main content

Sophos (SFOS/XGS)

The Sophos SFOS/XGS based devices provide advance firewall and UTM capabilities. This replaces the previous UTM devices, which can be integrated here.

Knocknoc manages IP addresses within a host-group, it does not edit/change firewall policies, and operates with a least-privilege API user from a trusted IP address list.

The basic configuration flow is:

  1. Enable the API + allowlist trusted IP addresses
  2. Create an API user profile, to enable least-privilege API access
  3. Create an API user, linked to the least-privilege API profile
  4. Create an IP address host group, for Knocknoc to add/remove IP addresses.
  5. Test it out!

SFOS (XGS) Configuration

Enable the API and set permitted source IP address(s)
  1. Go to System -> Backup & Firmware -> API -> API Configuration
  2. Enable the API
  3. Add the Knocknoc Agents IP address to the allowed IP addresses (to use the API)
  4. Click Apply

    Screenshot 2025-09-11 at 09.52.06.png

Create a restricted API user profile
  1. Go to System -> Profiles -> Device access
  2. Click AddScreenshot 2025-09-11 at 10.30.30.png
  3. Create a suitable name, eg: api-user-knocknoc
  4. Set all permissions to "none"
  5. Set System -> Objects to "Read-write"

    Screenshot 2025-09-11 at 10.09.27.png

  6. Save
Create a user, linking it to the user profile
  1. Go to Configure -> Authentication -> Users
  2. Click Add

    Screenshot 2025-09-11 at 10.33.26.png

  3. Set a username and name, eg: knocknoc-api-user
  4. Provide a meaningful description
  5. Set User-type as Administrator
  6. Select the "api-user-knocknoc" profile we created earlier
  7. Provide an email address
  8. Group should be "Open Group"
  9. Leave other defaults
  10. Set "sign in restriction" to either "Selected nodes" and provide the same Agent IP addresses, or depending on the firewall configuration any-node may be appropriate if access is open for other users outside the API use.
  11. Save
Create an IP Host Group for Knocknoc to add/remove IP addresses 
  1. Go to System -> Hosts & Services -> IP Host Group
  2. Click Add
  3. Provide a name, this will be used later in the Knocknoc Server configuration
  4. Type in a meaningful description
  5. Select IPv4 or IPv6. Note you need to create an IP group for each v4/v6 protocol, if needed.
  6. Leave the 'select host' empty

Screenshot 2025-09-11 at 09.59.59.png

Screenshot 2025-09-11 at 09.59.04.png


Knoc Configuration

Select the "Firewalls / Appliances" Knoc configuration, selecting "Active", then "Sophos SFOS"

Screenshot 2025-06-26 at 11.34.13.png

Screenshot 2025-09-11 at 11.01.53.png

Enter the URL of the Sophos device (eg: https://1.2.3.4:4444/)

Select "Insecure" if the HTTPS certificate is not CA signed or in the trusted certs. Whilst this is discouraged, if you have deployed the Knocknoc Agent in a network location alongside the device this reduces the risk of MITM.

Provide the username and password for the API user we created earlier. 

Provide the IPv4 Group Name and IPv6 Group Names, defined earlier.

Assign this to a test user or a group, and proceed to testing.

Testing it out

Log in to the Sophos device, browse to System -> Hosts and services -> IP host group.

Log in to Knocknoc as the user that has been assigned this Knoc.

Select the relevant group on the Sophos device, you'll see the users IP address has been added to the network definition, along with their username. 

Screenshot 2025-09-11 at 10.51.32.png

You're good to use that group within a policy.

Back to top