
Sophos (UTM)

The Sophos UTM device provides firewall and UTM capabilities. Note that this series of devices is being EOL'd by Sophos in favour of the SFOS devices (June 2026), which can also be integrated with Knocknoc following this guide.

UTM Configuration

First, create an API key:

  1. Go to Management -> Web-Admin Settings -> Restful API -> New API Token
  2. Click the little folder button and choose the user (this can be the 'api' user; it does not need Admin), dragging it to the User field
  3. Save and copy the resulting API token

Create a network group object. This is what Knocknoc will populate with IP address information, for use within a firewall rule.

  1. Browse to Definition & Users -> Network Definitions
  2. In the filter select groups -> new network definition -> enter the name, set the type to "Network group" and Save
  3. Log in to a server with the Knocknoc Agent installed.
  4. Use the Knocker utility: /opt/knocknoc-agent/knocker/knocker enable sophos
  5. Enter ip:port (eg: 1.2.3.4:4444)
  6. Provide the API key (from earlier) and hit enter
  7. It will list all network groups and their internal names. Note: if you get a 'jq' error, you may need to install the 'jq' JSON parser (apt-get install jq).
  8. Copy the internal name / reference; you will need this in the Knocknoc configuration.
  9. In our example, "knoc_ssh" provides "REF_NetGroKnocssh"; copy this for the step below.

Knoc Configuration

Select the "Firewalls / Appliances" Knoc configuration, then "Active", then "Sophos UTM".

Enter the URL of the Sophos device (eg: https://1.2.3.4:4444/)

Select "Insecure" if the HTTPS certificate is not CA-signed or not in the trusted certs. Whilst this is discouraged, the risk of MITM is reduced if you have deployed the Knocknoc Agent in a network location alongside the device.

Provide the API key.

Provide the 'network group reference', also known as the Internal name. This is obtained per network group from the Knocker utility in the previous step.

Assign this to a test user or a group, and proceed to testing.
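
Before selecting "Insecure" above, you can check from the Agent host whether the device's certificate actually fails verification. The script below is an added example, not part of Knocknoc or Sophos tooling; it assumes Python 3 on the Agent host and that the host's system trust store is the one that matters. The function names and the script name are hypothetical.

```python
"""Check whether the UTM WebAdmin certificate verifies before ticking "Insecure"."""
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _peer_cert(host: str, port: int, ctx: ssl.SSLContext, timeout: float) -> bytes:
    """Complete a TLS handshake with the given context; return the peer's DER cert."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe(host: str, port: int = 4444, timeout: float = 5.0):
    """Return (verified, detail, fingerprint) for the certificate at host:port."""
    strict = ssl.create_default_context()  # system trust store + name check
    try:
        der = _peer_cert(host, port, strict, timeout)
        return True, "chain and name verified", fingerprint(der)
    except ssl.SSLCertVerificationError as exc:
        detail = exc.verify_message  # reason reported by the TLS library
    # Verification failed: reconnect without it, only to read the certificate
    # so its fingerprint can be compared out of band. No credentials are sent.
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    return False, detail, fingerprint(_peer_cert(host, port, loose, timeout))


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_utm_cert.py 1.2.3.4 [4444]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4444
    verified, detail, fp = probe(target, port)
    print(f"verified: {verified} ({detail})")
    print(f"sha256:   {fp}")
    print('"Insecure" is not needed.' if verified else
          "Compare this fingerprint with the device's certificate over a trusted path.")
```

If the check reports verified, leave "Insecure" unselected. If it does not, a fingerprint that matches the device's own certificate confirms you are reaching the UTM directly.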

Testing it out

Log in to the Sophos UTM device, browse to Definitions & Users -> Network Definitions -> Network Groups.

Log in to Knocknoc as the user that has been assigned this Knoc.

Select the relevant group on the Sophos UTM device; you'll see the user's IP address has been added to the network definition, along with their username.

You're good to use that group within a policy.