Sophos XG / XGS
The Sophos adapter uses the Sophos Firewall REST API to terminate guest WiFi sessions. Sophos XG and XGS firewalls expose a management API for session control.
Prerequisites
- Sophos XG/XGS with firmware v18 or later.
- API access enabled on the firewall (disabled by default on some firmware versions).
- An API admin account or API token with session management permissions.
- HTTPS access from the Atrium Agent to the firewall's management interface (typically port 4444).
Enabling the API
- Log in to the Sophos web admin interface.
- Navigate to Backup & Firmware → API.
- Enable the API and note the allowed IP ranges.
- Add the Atrium Agent's IP to the allowed list.
- Create an API admin account or generate an API token.
Agent configuration
| Variable | Value |
|---|---|
| FIREWALL_ADAPTER | sophos |
| FIREWALL_HOST | IP or hostname of the Sophos management interface |
| FIREWALL_API_PORT | 4444 (default Sophos admin port) |
| FIREWALL_API_KEY | API token or credentials |
| FIREWALL_VERIFY_TLS | true (set to false for self-signed certificates; this disables certificate validation for the API connection) |
How termination works
When a visit ends, the adapter:
- Queries the firewall's session table via the REST API for sessions matching the visitor's IP address.
- Sends a session disconnect command via the API.
- Verifies the session was terminated.
The exact API endpoints used depend on the Sophos firmware version. The adapter handles version differences internally.
Troubleshooting
| Issue | Possible cause |
|---|---|
| API connection refused | API not enabled, or Agent IP not in the allowed list. |
| 401 / Authentication failed | API credentials incorrect or expired. |
| Session not found | The visitor's IP is not in the firewall's session table (session may have already timed out, or IP tracking is incomplete). |
| Port 4444 blocked | Default admin port for Sophos. Verify network connectivity from the Agent. |
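
To tell the network and TLS rows of this table apart before looking at credentials, the following added example (not part of the Atrium Agent or of Sophos tooling) opens a TCP connection and completes a TLS handshake against the management port, then maps the failure to a cause. It calls no Sophos API endpoint; reading the variables from the environment and the result codes are assumptions of this example.

```python
import os
import socket
import ssl

# Result codes (names chosen for this example) mapped to the table's causes.
ADVICE = {
    "ok": "TCP and TLS succeeded; a remaining 401 points at the API credentials.",
    "refused": "API not enabled, or Agent IP not in the allowed list.",
    "timeout": "Port blocked; verify network connectivity from the Agent.",
    "tls-untrusted-cert": "Certificate not trusted by this host (e.g. self-signed).",
    "tls-error": "TLS handshake failed; the port may not be the HTTPS admin port.",
    "dns": "FIREWALL_HOST does not resolve.",
    "other": "Unclassified socket error.",
}

def diagnose(exc):
    """Classify a connection exception; most specific types are checked first."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-cert"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "dns"
    return "other"

def probe(host, port, verify=True, timeout=5.0):
    """Connect and handshake only; no HTTP request or credential is sent."""
    ctx = ssl.create_default_context()
    if not verify:  # mirrors FIREWALL_VERIFY_TLS=false
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except OSError as exc:  # ssl.SSLError and socket errors derive from OSError
        return diagnose(exc)

if __name__ == "__main__":
    host = os.environ.get("FIREWALL_HOST")
    if not host:
        raise SystemExit("FIREWALL_HOST is not set")
    port = int(os.environ.get("FIREWALL_API_PORT", "4444"))
    verify = os.environ.get("FIREWALL_VERIFY_TLS", "true").lower() != "false"
    code = probe(host, port, verify)
    print(f"{host}:{port} -> {code}: {ADVICE[code]}")
```

Run it on the Agent host so the source IP matches the one added to the firewall's allowed list.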