Troubleshooting Tip: Sophos XG Firewall Playbook Block IP Step Fails with Parameter Type Error

When running a FortiSOAR playbook using the Sophos XG Firewall connector to block IP addresses, the playbook may fail at the 'Block IP In Sophos XG Firewall' step with a parameter type error. The error occurs even though the playbook syntax is valid, and execution proceeds without immediate visible issues.

As a result, the IP address is not actually blocked on the Sophos XG firewall.

The parameter ip_addresses in the connector step was mapped incorrectly. Instead of passing a list of IP strings, the playbook passed the full Indicator object.

Sophos XG’s block_ips operation requires a JSON list of string IPs, such as:

["52.218.109.80"]
 

Resolution:

Edit the Block IP In Sophos XG Firewall step and update the parameter mapping:

From:

"params": {
"ip_addresses": "{{ vars.indicatorLIst }}"
}

To:

"params": {
"ip_addresses": ["{{ vars.input.records[0].value }}"]
}

After updating:

1. Save and re-run the playbook using an IP Address indicator.

2. Confirm the IP was added under: Sophos XG -> Hosts and Services -> Blocked IPs,

3. The playbook log should show a successful block_ips response.

The block_ips connector action updates Sophos XG’s Blocked IP list, not firewall address groups or rules.