Sophos XG Services Configuration File

Templates for Sophos XG environments

IT service providers usually use standards to build customer environments. Such standards enable the system to be maintained by different engineers, even if they are not directly familiar with the environment. Templates can facilitate the implementation of such standards.

Sophos does not directly address such templates for Sophos XG Firewalls, but it has implemented a very sophisticated import/export feature for configurations. With some background knowledge, this can be used quite easily to implement standards.

Create templates by export

I recommend using a separate virtual lab appliance to create the templates.

Step 1: Export the configuration

The export function of Sophos XG Appliances can be found under “Backup & firmware” -> “Import export”. The export function is very powerful: the configuration items can be exported very selectively and with dependencies if desired.

  • Selective export
  • Export dependent objects as well.
  • The configuration is delivered as a .tar

Step 2: Edit the configuration

Since the exports are always full-scope, the configurations must be edited so that they can be used as templates. Unnecessary configuration objects should be removed from the XML exports. In principle, manually “building” a template is also possible.

For editing, the Entities.xml must be extracted from the downloaded TAR files. I recommend the use of 7-Zip for this. The contained Entities.xml can then be edited with any text editor. Of course, editing with an editor that supports XML markup is much more comfortable. I used Notepad++ in this case.

The XML files are relatively easy to understand. It is good to know that the configuration files seem to be structured chronologically, so the most recently added objects are at the end of the file. References between configuration objects are also made by object name rather than by ID, which significantly simplifies editing the files.

Collection of ready-made templates for services & service groups

I have started collecting service objects and service groups on GitHub:

Feel free to contribute your templates too!

Step 3: Prepare edited XML files for upload (create TAR-balls)

Sophos appliances do not accept the “naked” XML files. The Entities.xml must therefore be packed again into a TAR file.

The best way to create the TAR files is to use 7-Zip:

  • 7-Zip's "Add to archive..." function
  • Settings for .tar files in 7-Zip
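
Steps 2 and 3 can also be scripted. The following Python sketch is an added example, not part of the original post or of any Sophos tooling: it reads Entities.xml from an export TAR, keeps only service objects and service groups, lists group members whose name no longer resolves after trimming, and repacks the result. The tag names (Services, ServiceGroup, ServiceList/Service) and the sample XML are assumptions; check them against your own export.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

KEEP = {"Services", "ServiceGroup"}  # assumed top-level tags to keep in the template

def read_entities(tar_bytes):
    """Read only Entities.xml from the export TAR; nothing is extracted to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        member = next(m for m in tar.getmembers()
                      if m.isfile() and m.name in ("Entities.xml", "./Entities.xml"))
        return ET.fromstring(tar.extractfile(member).read())

def make_template(root, keep=KEEP):
    """Drop every top-level object whose tag is not in `keep`."""
    for child in list(root):
        if child.tag not in keep:
            root.remove(child)
    return root

def dangling_refs(root):
    """Objects reference each other by name: list group members with no matching service."""
    names = {s.findtext("Name") for s in root.findall("Services")}
    return sorted({ref.text for ref in root.findall("ServiceGroup/ServiceList/Service")
                   if ref.text not in names})

def pack(root):
    """Repack the edited XML as a TAR holding a single Entities.xml."""
    data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("Entities.xml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample export (not real appliance output)
SAMPLE_XML = b"""<Configuration>
  <IPHost><Name>Lab-Host</Name></IPHost>
  <Services><Name>TPL-RDP</Name></Services>
  <ServiceGroup><Name>TPL-Remote</Name>
    <ServiceList><Service>TPL-RDP</Service><Service>TPL-SSH</Service></ServiceList>
  </ServiceGroup>
</Configuration>"""

if __name__ == "__main__":
    template = make_template(read_entities(pack(ET.fromstring(SAMPLE_XML))))
    print("kept:", [c.tag for c in template])
    print("unresolved service names:", dangling_refs(template))
    with open("template.tar", "wb") as fh:
        fh.write(pack(template))
```

A non-empty list from `dangling_refs` means the template refers to a service that it does not define itself, so that object has to exist on the target appliance or be added to the template before import.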

Share templates

The finished templates can be shared across the organization via file shares, SharePoint sites, GitHub repos, wikis, etc.
