Automatically block VPN brute force attackers on your Sophos firewall with ThreatListPro's real-time IP blocklist. Use the native External Threat Feed feature in SFOS.
Sophos XG and XGS firewalls offer SSL VPN and IPsec VPN services that are exposed to the internet. Automated bots attack these endpoints constantly.
Sophos firewalls running SFOS expose VPN portals on public IP addresses. Attackers use credential-stuffing tools to try thousands of username/password combinations against the user portal and VPN login pages. Even with account lockout policies, distributed attacks from thousands of IPs can overwhelm logging systems and consume firewall resources.
SFOS includes a native External Threat Feed feature that can download IP lists from a URL on a schedule. ThreatListPro plugs directly into this feature, delivering a continuously updated list of known VPN attackers. A single firewall rule referencing the threat feed blocks all listed IPs before they can reach any VPN service.
Configure ThreatListPro as an External Threat Feed in SFOS. Works with XG and XGS hardware on SFOS 18, 19, and 20.
Sign up at threatlistpro.com and copy your unique feed URL from the dashboard: https://feed.threatlistpro.com/v1/edl/YOUR_API_KEY
In SFOS, navigate to System Services > Threat Feeds (or Active Threat Response > Sophos X-Ops Threat Feeds in newer SFOS versions). Click Add. Set the name to ThreatListPro, type to IP Address, and paste your feed URL. Set the polling interval to 15 minutes (minimum supported).
Go to Rules and Policies > Firewall Rules. Add a new rule at the top of your WAN inbound policy. Set source to the ThreatListPro threat feed, destination to Any (or your VPN interface zone), and action to Drop. Enable logging for visibility.
If your SFOS version does not support External Threat Feeds, create an IP Host Group manually and populate it via the Sophos API. Use a scheduled script to download the ThreatListPro feed and update the host group: POST /webconsole/APIController?reqxml=...
Navigate to Log Viewer > Firewall and filter for dropped connections from the ThreatListPro rule. You should see entries showing blocked source IPs. Check System Services > Threat Feeds to verify the feed status shows as "Active" with a recent update timestamp.
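For the scripted fallback described above, the feed should be validated before it drives a drop rule, so that a malformed or tampered list cannot block internal address space or wipe the existing list. The following is an added example, not code from ThreatListPro or Sophos: it assumes the feed is one IPv4 address per line, targets an IP list host object as a stand-in for the host group, and the XML element names (`IPHost`, `HostType`, `ListOfIPAddresses`) and the `api-user` account are assumptions to check against the API documentation for your SFOS version.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Ranges that must never end up in a drop rule, whatever the feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MAX_ENTRIES = 1000  # sanity cap chosen for this example, not a Sophos limit

# Constructed sample feed body (documentation-range addresses, not real data).
SAMPLE_FEED = "203.0.113.10\n198.51.100.7\n198.51.100.7\n10.0.0.5\n0.0.0.0/0\nnot-an-ip\n\n192.0.2.44\n"

def parse_feed(text, never_block=NEVER_BLOCK, max_entries=MAX_ENTRIES):
    """Split a one-IPv4-per-line feed into (accepted, rejected) entries."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.IPv4Address(line)  # rejects CIDR, hostnames, junk
        except ValueError:
            rejected.append(line)
            continue
        if any(addr in net for net in never_block):
            rejected.append(line)               # feed must not block internal space
        elif addr not in seen:                  # duplicates are dropped silently
            seen.add(addr)
            accepted.append(str(addr))
    if not accepted or len(accepted) > max_entries:
        raise ValueError("feed empty or oversized; keeping the previous list")
    return accepted, rejected

def build_request(ips, username, password, name="ThreatListPro"):
    """Build the reqxml document (element names are assumptions, see lead-in)."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    host = ET.SubElement(ET.SubElement(req, "Set", operation="update"), "IPHost")
    ET.SubElement(host, "Name").text = name
    ET.SubElement(host, "IPFamily").text = "IPv4"
    ET.SubElement(host, "HostType").text = "IPList"
    ET.SubElement(host, "ListOfIPAddresses").text = ",".join(ips)
    return ET.tostring(req, encoding="unicode")

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    print("rejected:", bad)
    print(build_request(ok, "api-user", "PLACEHOLDER_PASSWORD"))
```

The script only builds the request; the scheduled job still has to fetch the feed and submit the document to the API endpoint. Log the rejected entries on every run, since a sudden rise in rejects is the first sign the feed has changed format or been tampered with.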
Compare automated VPN-focused blocking against other approaches for your Sophos firewall.
| Feature | ThreatListPro | Manual Blocking | Enterprise Threat Feeds |
|---|---|---|---|
| VPN brute-force focused | ✓ | ✗ | ✗ |
| Real-time updates (60s) | ✓ | ✗ | ✓ |
| SFOS External Threat Feed compatible | ✓ | ✗ | ✓ |
| No scripting required | ✓ | ✗ | ✓ |
| Setup in under 5 minutes | ✓ | ✗ | ✗ |
| Price | $9.99/mo | Staff time | $500+/mo |
In Sophos SFOS, navigate to System Services > Threat Feeds and add a new External Threat Feed. Set the type to IP Address, paste your ThreatListPro feed URL, and configure the polling interval. Then create a firewall rule that uses the threat feed as the source to block inbound traffic from listed IPs.
Yes. ThreatListPro is fully compatible with all Sophos firewall models running SFOS 18, 19, and 20, including XG and XGS hardware series. The External Threat Feed feature supports plaintext IP lists, which is the format ThreatListPro provides.
Yes. By applying the ThreatListPro threat feed in a firewall rule targeting your VPN zone or interface, all traffic from known attacker IPs is dropped before reaching your SSL VPN or IPsec VPN portal. This prevents brute force login attempts, reduces log noise, and frees up firewall resources.
Automated VPN brute force protection using native SFOS threat feeds.
ThreatListPro provides a standard IP blocklist feed compatible with any firewall that supports external lists.
Learn more about IP blocklists, VPN security, and how ThreatListPro compares to alternatives.