Sophos Firewall FQDN Object Import Generator

This article was created with the help of a translation tool. Although we check the translation, errors in the content cannot be ruled out. Please bear this in mind when using the content. Thank you for your understanding.

We are pleased to present another ITW development. A Sophos Firewall FQDN object import generator. XML imports for host objects, URL groups and web exceptions can be created in a flash from lists of FQDNs.

tested with SFOS 19.5.x to 21.0.x

Introduction

To this day, many people (including myself) struggle with the API. I don't want to badmouth the API. It is important and also practical, but not always the easier way when it comes to creating multiple objects. Activate API, set authorizations, allow access, search for script, authenticate, ... and so on.

I am therefore a friend of ready-made configuration snippets that can be imported in the GUI via the import function in a flash, without having to do much.

This is how this generator was created. You can enter a list of FQDNs, select which objects are to be created and the import file is ready. I have tried to make it as convenient as possible. Take a look at it and give it a try! 😀

What can be created?

Below you will find an overview of the configurations you can create using the generator.

  • FQDN host
    Objects under "Host and services -> FQDN host". This includes the FQDN itself, of course, but also the display name in some cases. You can add a prefix to the name. If no prefix is set, the FQDN is used. Due to the length restriction, the name may be shortened from the beginning. Other name options are not possible.
  • FQDN host group
    The host group "Host and services -> FQDN host group" depends on the creation of the individual host. If the option is set, all specified FQDN hosts are also packed into an FQDN host group. The name of the group is freely definable.
  • URL group in the proxy
    Under "Internet -> URL group" a new list can be filled with the specified FQDN. The name of the group is freely definable. Wildcards (*.) are removed.
  • URL exceptions in the proxy
    Exceptions can be created under "Internet -> Web Exceptions". However, only the URL field is ever filled in here. The exception options are all activated, but can be adjusted after the import. The name of the exception is freely definable.

Operating aid

Is the generator intuitive? Well, let's hope so. 😉
But the reality is often different. If only because everyone's understanding and level of knowledge is different. So here are a few tips.

General notes

  • Wildcard domains
    Wildcards are supported. Simply enter the FQDN with "*.domain.de". Any existing wildcard will be removed from the URL group.
  • Names
    Except for the naming of the FQDN hosts (only a prefix is possible here), you can freely choose the names of the configuration yourself. The selection of possible characters was deliberately limited. If you want to add a different character, you have to adjust it yourself after the import. Possible characters: a-z A-Z 0-9 - _ + # ! = * + $ / German umlauts and of course the space character.
  • Multiple submissions for an XML
    An XML can end up with different configurations. The first time you submit the form, for example, you can have only FQDN Host, the second time only one URL group and the third time all four options. The combination is up to you. When importing, the data is imported together, but not merged!
  • FQDN check
    When lists are submitted, the FQDNs are checked for plausibility. Most error cases should be covered. Errors are displayed in detail.
    Already sent in data before? Don't worry, they will remain until the end.
  • IDN domains
    IDN (International Domain Name) domains are supported. You can enter müller.de, or xn--mller-kva.de. Both work. When creating the XML, all domains that require conversion are converted to Punycode. You don't need to worry about it here.

Data input

  1. Enter FQDN list (max. 100 entries / lines per forum form submission)
  2. Select any combination of options
  3. Send data (max. 20 submissions per XML)
  4. Start from scratch or create XML

Use of the XML imports created is at your own risk. We accept no liability for possible damage or misconduct. As always, the import should be tested in a test system beforehand.
Nevertheless, we would like to point out that we believe that the risk of such errors due to the imported data is close to zero.

Generator

Step 1: Enter FQDNs  

General:
Enter the list of FQDNs here.

Conditions:
  • Only one FQDN per line
  • Max characters per FQDN: 253
  • IDNs (International Domain Names) are allowed
  • IDNs are converted automatically
  • IDN domains to be converted are only converted when the XML file is created
  • A maximum of 100 lines is allowed per entry.


Step 2: Select one or more options

General:

With this option, FQDN objects are created under the configuration item "Host and Services -> FQDN Host".
If the option "Group" is also activated, an FQDN host group is created for the specified FQDN.

Name conditions:
  • Prefix empty means object name equal to the FQDN
  • An underscore is always automatically placed after a prefix
  • Set prefix means name equal to Prefix_sub.domain.de
  • Total length incl. prefix: 60. If the name from the prefix and FQDN is longer, the text is cut off the front of the FQDN
  • Max character prefix: 20
  • Permitted characters: a-zA-Z0-9_+-#!=* äüöÄÜÖß German umlauts and spaces

Conditions for the group:
  • optional
  • If the option is activated, the host group is also created automatically. Any prefix that may have been set is taken into account.
  • Name must be set
  • max characters: 60
  • Permitted characters: a-zA-Z0-9_+-#!=* äüöÄÜÖß German umlauts and spaces


General:

With this option, a URL group is created under the configuration item "Web -> URL groups".

Conditions for the name:
  • Mandatory if option is activated
  • max characters: 50
  • Permitted characters: a-zA-Z0-9_+-#!=* äüöÄÜÖß German umlauts and spaces


General:

This option is used to create an exception for URLs under the configuration item "Web -> Exceptions".

The exceptions are created according to the following scheme:
  • *.domain.de is converted into
    ^([A-Za-z0-9.-]*\.)?domain\.de/?
  • simpledomain.de is adopted 1:1
Conditions for the name:
  • Mandatory if option is activated
  • max characters: 60
  • Permitted characters: a-zA-Z0-9_+-#!=* äüöÄÜÖß German umlauts and spaces

Discard all previously submitted data and restart?


Step 3 (optional): Check submitted data

Click here to view the data submitted so far (JSON format)
General:

This option is used to create an exception for URLs under the configuration item "Web -> Exceptions".

The exceptions are created according to the following scheme:
  • *.domain.de is converted into
    ^([A-Za-z0-9.-]*\.)?domain\.de/?
  • simpledomain.de is adopted 1:1
Conditions for the name:
  • Mandatory if option is activated
  • max characters: 60
  • Permitted characters: a-zA-Z0-9_+-#!=* äüöÄÜÖß German umlauts and spaces

No data has been entered yet

Step 4: Select action

Number of submissions still possible until the XML must be created: 20/20

Version history

25.04.2024 - Initial release

15.05.2024 - Minor adjustments to the text

FAQ

Is the created data stored on the server?

Yes, as soon as the TAR file is created for import ("XML ..." button). As long as only data is entered, no data is stored on the server. Once the XML has been created, the file is only stored on our server for 30 minutes. It is then deleted. You give your consent to this via the Content Blocker.

What is Punycode?

Punycode is a special encoding for converting Unicode characters into ASCII, a smaller, restricted character set. Punycode is used to encode internationalized domain names (IDN) so that the ASCII-based DNS system can handle the domains. So without Punycode no umlauts, accents, or other non-ASCII characters.

What are labels and TLDs?

Very briefly and concisely explained, a domain consists of at least one label and one TLD. However, there can also be several labels. Everything is always separated by a period. Examples: domain.de (domain=label, de=TLD) or test.domain.de (test=label, domain=label, de=TLD).
More on Wikipedia or your trusted source of knowledge.

I have found a mistake

Great, you've found the Easteregg 🥳
No, joking aside... Errors cannot be ruled out due to the number of possible test scenarios. If you have found a bug, please let us know via the contact form or in the comments which data lead to the error and we will make sure that we fix the bug as soon as possible.

Is something missing?

If you are missing something in the generator, please write to us via the contact form or in the comments. Let's see if your feature request makes it in 😊

Where and how is the XML imported?

Please upload and import the created file (.tar) as it is under "Backup & Firmware -> Import/Export". After the message that the process was successful, the desired objects have been created.

FQDN Object Import Generator Import XML -

How can it be ensured that the import does not install a backdoor or anything else?

Simply unzip the TAR file and open the XML file in the editor. You will only find the data you have sent in here.

Other interesting articles

! in progress ! IP object generator

Tags

Other articles from this category

5 Comments

Leave a Reply

Comments are not displayed directly, as they are released in moderation.


  1. Thanks for that great work! It saved a lot of time for me! Looking forward to a IP object generator

  3. Many thanks for the great tool. I was able to import around 100 FQDNs quickly and easily into the firewall. That saved me a lot of work.
    I will certainly be using the tool more often!

    Thank you, thank you, thank you!
    Peter

Popular posts

WAF 1MB limit on Sophos Firewall
Sophos Firewall CLI commands (part 1)
Sophos Firewall FQDN Object Import Generator
Sophos Firewall CLI Cookbook
WordPress Cookie Plugin by Real Cookie Banner