sophos cookbook, version 1.0.0

Configuration of SOPHOS UTM Appliances

cookbook 'sophos', '= 1.0.0', :supermarket
cookbook 'sophos', '= 1.0.0'
knife supermarket install sophos
knife supermarket download sophos

Sophos Chef Cookbook

SG (Security Gateway - UTM 9)

The SG recipes use the UTM 9 REST API to automate provisioning of the UTM.
Make sure the basic setup has been completed beforehand, because it creates
the admin account the API calls require.

To find out how to configure the UTM 9, use the confd-watch.plx -v command.
It indicates created objects (o+), changed objects (oc), changed nodes (nc)
and deleted objects (o-). Use its output to generate the recipes for your UTM.

Note: In most cases you can omit empty values such as Empty SCALAR,
Empty ARRAY, etc. Use true and false instead of 1 and 0 if the value is a status.


The following attributes can be used to configure the UTM with Chef recipes:


The Sophos SG URL is the URL of the UTM to configure; embed the username
and password in the URL. Be sure to use the https scheme, the correct
port (4444) and the API path (/api).

default['sophos']['sg']['url'] = ''

Fingerprint (for SSL without valid certificate chain)

If you use the default self-signed certificate of your UTM and do not want
to install an official certificate, or add the self-signed one to your trusted
certificates, you can use public key fingerprinting instead. The fingerprint of
your UTM SSL certificate can be retrieved with the openssl tool:

openssl s_client -connect <your host>:4444 < /dev/null 2>/dev/null |\
    openssl x509 -fingerprint -noout -in /dev/stdin

(If the command above doesn't return a fingerprint, your openssl might be too old.)

Then use the fingerprint in your configuration:

default['sophos']['sg']['fingerprint'] = 'FF:00:80:BE:89:3E:CA:7C:A4:C3:03:AF:1F:18:99:7D:75:D2:69:01'
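As an added example that is not part of the cookbook, the Ruby helpers below compute a certificate's fingerprint in the same form as the openssl command above and accept a TLS session to the UTM only when the presented certificate matches the pinned value; the host and port are assumed to come from the cookbook attributes, and sample_self_signed_cert is a constructed stand-in for a UTM's default certificate so the check can be exercised offline.

```ruby
require 'openssl'
require 'socket'

# SHA-1 fingerprint in the form `openssl x509 -fingerprint` prints it and the
# cookbook attribute expects: upper-case hex pairs joined by ':'.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Constant-time comparison that tolerates case and separator differences,
# so 'ff00...' and 'FF:00:...' describe the same pin.
def fingerprint_match?(expected, cert)
  a = expected.delete(':').downcase.b
  b = cert_fingerprint(cert).delete(':').downcase.b
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Connect without trusting the (self-signed) chain; the pin is the only check,
# so a mismatch closes the socket before any credentials are sent.
def connect_pinned(host, port, expected)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # chain unverifiable by design here
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.hostname = host
  ssl.sync_close = true
  ssl.connect
  return ssl if fingerprint_match?(expected, ssl.peer_cert)
  seen = cert_fingerprint(ssl.peer_cert)
  ssl.close
  raise "fingerprint mismatch for #{host}:#{port}: expected #{expected}, got #{seen}"
end

# Constructed self-signed certificate standing in for a UTM's default one.
def sample_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=utm.example.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end
```

Pinning to the leaf certificate means the attribute must be updated whenever the UTM's certificate is regenerated, or every run will fail closed.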


Here are some examples that were created using the output of the
confd-watch.plx -v command. If you need further assistance with the data model,
consult the REST API at https://<your host>/api/ on your UTM and inspect
the different objects and nodes; the POST form provides good insight into
the possible values.

WEB Filtering

Enable Application Control:

confd-watch.plx -v output:

s  1  caught USR1 signal(s)
vc 27 28  data version change detected at Fri Sep  9 07:43:30 2016
nc afc->status 1

Chef translation:

sophos_sg_node 'afc.status' do
  value true
end

Enable WEB filtering:

confd-watch.plx -v output:

oc REF_DefaultHTTPProfile http profile status  changed
   status = 1

Chef translation:

sophos_sg_object 'http/profile/REF_DefaultHTTPProfile' do
  attributes status: true
  action :change
end

Creating a domain regex to filter and start blocking
inappropriate content:

confd-watch.plx -v:

o+ REF_HttDomLowbirdcom http domain_regex  created
   restrict_regex = 1
   include_subdomains = 1
   domain = [ ]
   comment = Empty SCALAR
   mode = Domain
   regexps = Empty ARRAY
   name =
oc REF_DefaultHTTPCFFAction http cff_action sp_categories,url_blacklist  changed
   sp_categories = [ REF_CriminalActivities, REF_Drugs, REF_ExtremisticSites, REF_GamesGambles ]
   url_blacklist = [ REF_HttDomLowbirdcom ]

Chef translation:

sophos_sg_object 'http/domain_regex/REF_HttDomLowbirdcom' do
  attributes restrict_regex: true,
             include_subdomains: true,
             domain: [ '' ],
             mode: 'Domain',
             name: ''
  action :create
end

sophos_sg_object 'http/cff_action/REF_DefaultHTTPCFFAction' do
  attributes sp_categories: [ 'REF_CriminalActivities',
                              'REF_GamesGambles' ],
             url_blacklist: [ 'REF_HttDomLowbirdcom' ]
  action :change
end

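As an added example that is not part of the cookbook, the Ruby script below applies the translation rules above to a constructed slice of confd-watch.plx -v output (o+, oc and nc lines, plus the note on empty values and 1/0 flags) and emits the matching sophos_sg_node / sophos_sg_object blocks. The NUMERIC_KEYS list is an assumption; elsewhere a bare 1 or 0 is treated as a flag, and o- lines are left untranslated.

```ruby
# Constructed sample, assembled from the confd-watch.plx -v lines quoted above.
SAMPLE = <<~OUT
  nc afc->status 1
  oc REF_DefaultHTTPProfile http profile status  changed
     status = 1
  o+ REF_HttDomLowbirdcom http domain_regex  created
     restrict_regex = 1
     comment = Empty SCALAR
     mode = Domain
     name = lowbird
  oc REF_DefaultHTTPCFFAction http cff_action url_blacklist  changed
     url_blacklist = [ REF_HttDomLowbirdcom ]
OUT

NUMERIC_KEYS = %w[port netmask].freeze # assumption: a 1/0 here is a number, not a flag

# Turn one confd value into Ruby source; nil means "omit this attribute".
def convert(key, raw)
  return nil if raw.empty? || raw =~ /\AEmpty (SCALAR|ARRAY)\z/
  if raw.start_with?('[')                      # [ REF_a, REF_b ] -> ['REF_a', 'REF_b']
    items = raw[1..-2].split(',').map(&:strip).reject(&:empty?)
    return items.empty? ? nil : "[#{items.map { |i| "'#{i}'" }.join(', ')}]"
  end
  return (raw == '1').to_s if %w[0 1].include?(raw) && !NUMERIC_KEYS.include?(key)
  raw =~ /\A\d+\z/ ? raw : "'#{raw}'"
end

# Parse o+ / oc headers, their indented "key = value" lines and nc node lines.
def parse(text)
  res = []
  text.each_line(chomp: true) do |l|
    if (m = l.match(/\A(o\+|oc) (\S+) (\S+) (\S+) /))
      res << { type: :object, path: "#{m[3]}/#{m[4]}/#{m[2]}",
               action: m[1] == 'o+' ? :create : :change, attrs: {} }
    elsif (m = l.match(/\Anc (\S+) (.*)\z/))
      res << { type: :node, path: m[1].gsub('->', '.'),
               value: convert(m[1].split('->').last, m[2]) }
    elsif (m = l.match(/\A\s+(\w+) = (.*)\z/)) && res.last&.fetch(:type) == :object
      v = convert(m[1], m[2])
      res.last[:attrs][m[1]] = v if v
    end
  end
  res
end

# Render as the cookbook's sophos_sg_node / sophos_sg_object resource blocks.
def render(res)
  res.map do |r|
    next "sophos_sg_node '#{r[:path]}' do\n  value #{r[:value]}\nend\n" if r[:type] == :node
    attrs = r[:attrs].map { |k, v| "#{k}: #{v}" }.join(",\n             ")
    "sophos_sg_object '#{r[:path]}' do\n  attributes #{attrs}\n  action :#{r[:action]}\nend\n"
  end.join("\n")
end
```

Run `puts render(parse(SAMPLE))` to see the generated blocks; review the result before adding it to a recipe, since the 1/0 heuristic cannot know which fields the UTM treats as numbers.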

Allow HTTPS, SMTP and SSH from internal to mail server:

sophos_sg_object 'network/host/REF_NetHosMailseInDe' do
  attributes name: 'Mailserver in DE',
             address: ''
  action :create
end

sophos_sg_object 'packetfilter/packetfilter/REF_AllowMailAccess' do
  auto_insert_to_node 'packetfilter.rules'
  attributes sources: ['REF_DefaultInternalNetwork'],
             services: ['REF_MeigLDviNK'],
             destinations: ['REF_NetHosMailseInDe'],
             name: 'HTTPS from Internal to Mail',
             action: 'accept',
             log: true,
             status: true
  action :create
end

Allow developer network to access internal network:

sophos_sg_object 'network/network/REF_NetDevelopers' do
  attributes name: 'Network of the developers',
             address: '',
             netmask: 24
  action :create
end

sophos_sg_object 'packetfilter/packetfilter/REF_PacAllowAnyFromDevelopers' do
  auto_insert_to_node 'packetfilter.rules'
  attributes sources: ['REF_NetDevelopers'],
             services: ['REF_ServiceAny'],
             destinations: ['REF_DefaultInternalNetwork'],
             name: 'Any From Dev To UTM internal',
             action: 'accept',
             log: true,
             status: true
  action :create
end

Advanced Threat Protection

Enable Advanced Threat Protection:

sophos_sg_node 'aptp.status' do
  value true
end


Enable masquerading from the internal network on the wan interface:

sophos_sg_object 'packetfilter/masq/REF_MasqInternToWEB' do
  auto_insert_to_node 'masq.rules'
  attributes source: 'REF_DefaultInternalNetwork',
             name: 'from Internal (Network) to WEB',
             source_nat_interface: 'REF_IntEthExternaWan',
             status: true
  action :create
end


Redirect HTTP traffic from Any to the Public Address to the Webserver:

sophos_sg_object 'network/host/REF_NetHosWebserver' do
  attributes name: 'Webserver',
             address: ''
  action :create
end

sophos_sg_object 'network/host/REF_NetHosPubliAddress' do
  attributes name: 'Public Address',
             address: ''
  action :create
end

sophos_sg_object 'packetfilter/nat/REF_PacNatHttpFromAny' do
  auto_insert_to_node 'nat.rules'
  attributes source: 'REF_NetworkAny',
             service: 'REF_zbCXCkAONs',
             name: 'HTTP from Any to public address',
             source_nat_interface: 'REF_IntEthExternaWan',
             destination: 'REF_NetHosPubliAddress',
             destination_nat_address: 'REF_NetHosWebserver',
             auto_pfrule: true,
             mode: 'dnat',
             status: true
  action :create
end


Enable webserver protection for host (only http) for domain:

sophos_sg_object 'network/dns_host/REF_NetDnsHeise' do
  attributes name: 'Heise',
             hostname: ''
  action :create
end

sophos_sg_object 'reverse_proxy/backend/REF_RevBacHeise' do
  attributes name: 'Heise Backend',
             host: 'REF_NetDnsHeise',
             path: '/',
             port: 80,
             status: true
  action :create
end

sophos_sg_object 'reverse_proxy/location/REF_RevLoc' do
  attributes backend: ['REF_RevBacHeise'],
             name: '/',
             stickysession_id: 'ROUTEID',
             path: '/',
             be_path: '',
             allowed_networks: ['REF_NetworkAny']
  action :create
end

sophos_sg_object 'reverse_proxy/frontend/REF_RevFroFrontWebse' do
  attributes htmlrewrite_cookies: true,
             status: true,
             profile: '',
             certificate: '',
             allowed_networks: ['REF_NetworkAny'],
             lbmethod: 'bybusyness',
             domain: [''],
             disable_compression: false,
             add_content_type_header: true,
             address: 'REF_DefaultInternalAddress',
             preservehost: false,
             locations: ['REF_RevLoc'],
             name: 'frontend webserver',
             htmlrewrite: false,
             port: 80,
             xheaders: false,
             type: 'http',
             implicitredirect: true
  action :create
end

Collaborator Number Metric: 1.0.0 passed this metric

Foodcritic Metric: 1.0.0 passed this metric

License Metric