RAUSYS Sophos XGS pre-configuration script via REST API or import-export upload. Defines well-known services, backup configuration and other best-practices (see Configuration Overview for details)

Bringing all the default configuration the Sophos team missed to your XGS – aka config-tanking it. 🚀

⭐️ Administration configuration + CA certificate generation
⭐️ Interface + Zone definitions
⭐️ Definition of well-known services + networks + FQDNs
⭐️ DNS request-based routing + authentication services
⭐️ DHCP server or relay configuration
⭐️ Basic Firewall rule configuration
⭐️ Basic webfilter configuration
⭐️ NTP service simulation (feature-parity to SG UTM)
⭐️ Automatic XGS backup configuration
⭐️ Delete unnecessary configuration defaults (Wireless Protection + default Firewall Policies)

1. Run and finalize the XGS first setup wizard + connect to the management port
2. Ensure your client's local IP address is whitelisted for XGS API access (SYSTEM → Backup & firmware → API)
3. Download and install Python 3
4. Install cookiecutter library (pip3 install cookiecutter)
5. Run cookiecutter git+https://github.com/alfonsrv/sophos-xgs-cookiecutter – ALTERNATIVELY: Download this repro and run cookiecutter sophos-xgs-cookiecutter-main.zip
6. Follow the prompts to configure and tank up your XGS 💥

The scripts prompts whether it should run automatically after cookiecutter template-generation. Should you choose No, running the script manually afterward is easy.

1. Navigate to the cookiecutter-generated directory (xgs-tanker-api)
2. Open a shell (cmd/bash) in the directory
3. Run pip3 install -r requirements.txt
4. Execute the XGS tanker script by running python3 main.py

Turn on debug logging (see request and response payloads) by setting settings.LOG_LEVEL to logging.DEBUG

Please consider the Sophos API specs

The API can be triggered via either REST or the built-in Import-Export upload functionality. Note: for the latter the expected .tar file has to be created with the following command tar -cvf xgs-tanker.tar Entities.xml – the name Entities.xml is imperative. To generate the Entities.xml, run python3 main.py --entities in the cookiecutter-generated directory.

The running XGS configuration can be exported via SYSTEM → Backup & firmware → Import-export; the XML in Entities.xml can be used as a further reference to discover further functionalities and other configuration potentials.

REST API

• 👍 Fine-granular tracking and overview on single action-basis
• 👍 Simple, streamlined user experience with proper UI
• 👍 Allows for condition-based deletion, depending on current XGS configuration
• 👎 Extra setup overhead (Python module requests + XGS API Permissions configuration)

Import-Export

• 👍 Allows uploading static content such as logos, certificates, ... alongside configuration
• 👍 Does not require Python to execute – beyond the initial cookiecutter generation
• 👍 Can be triggered using a single file, making it more portable
• 👍 Generally easier to understand concept-wise
• 👎 Less transparent tracking of success / failure on single action-basis
• 👎 While recommended by Sophos for a big change volume, the XGS can be left in inconsistent state if a single action fails

Each configuration is applied in a logical set using XML files (folder definitions), essentially containing the payload sent to the XGS. The payloads are divided by transactionid to make easy distinction of success / failure possible on a single-action basis.

Reference what the XGS tanker script configures:

• Only a single network can be defined using the XGS tanker script. Additional VLANs + network scopes have to be configured manually.
• Firewall rules + service definitions cannot be en-/disabled conditionally (e.g. if a client does not have Entra ID Connect) – see GitHub PR #1645