
Sophos (SFOS/XGS)

Sophos SFOS/XGS-based devices provide firewall and UTM capabilities. They replace the previous UTM devices, which can be integrated here.

SFOS (XGS) Configuration

Enable the API and set permitted source IP address(es)
  1. Go to System -> Backup & Firmware -> API -> API Configuration
  2. Enable the API
  3. Add the Knocknoc Agent's IP address to the allowed IP addresses (to use the API)
  4. Click Apply

Create a restricted API user profile
  1. Go to System -> Profiles -> Device access
  2. Click Add
  3. Create a suitable name, e.g. api-user-knocknoc
  4. Set all permissions to "none"
  5. Set System -> Objects to "Read-write"
  6. Save

Create a user, linking it to the user profile
  1. Go to Configure -> Authentication -> Users
  2. Click Add
  3. Set a username and name, e.g. knocknoc-api-user
  4. Provide a meaningful description
  5. Set User-type as Administrator
  6. Select the "api-user-knocknoc" profile we created earlier
  7. Provide an email address
  8. Group should be "Open Group"
  9. Leave other defaults
  10. Set "sign in restriction" to "Selected nodes" and provide the same Agent IP addresses. Depending on the firewall configuration, any-node may be appropriate instead if access is open for other users outside the API use.
  11. Save

Create an IP Host Group for Knocknoc to add/remove IP addresses
  1. Go to System -> Hosts & Services -> IP Host Group
  2. Click Add
  3. Provide a name; this will be used later in the Knocknoc Server configuration
  4. Type in a meaningful description
  5. Select IPv4 or IPv6. Note that you need to create a separate IP group for each protocol (v4/v6), if both are needed.
  6. Leave the 'select host' field empty

Knoc Configuration

Select the "Firewalls / Appliances" Knoc configuration, selecting "Active", then "Sophos SFOS"

Enter the URL of the Sophos device (e.g. https://1.2.3.4:4444/).

Select "Insecure" if the HTTPS certificate is not CA-signed or not in the trusted certs. Whilst this is discouraged, deploying the Knocknoc Agent in a network location alongside the device reduces the risk of MITM.

Provide the API key.

Provide the 'network group reference', also known as the Internal name. This is obtained per network group from the Knocker utility in the previous step.

Assign this to a test user or a group, and proceed to testing.

Testing it out

Log in to the Sophos UTM device and browse to Definitions & Users -> Network Definitions -> Network Groups.

Log in to Knocknoc as the user that has been assigned this Knoc.

Select the relevant group on the Sophos UTM device. You'll see the user's IP address has been added to the network definition, along with their username.

You're good to use that group within a policy.