|
When running a FortiSOAR playbook using the Sophos XG Firewall connector to block IP addresses, the playbook may fail at the 'Block IP In Sophos XG Firewall' step with a parameter type error. The error occurs even though the playbook syntax is valid, and execution proceeds without immediate visible issues.
As a result, the IP address is not actually blocked on the Sophos XG firewall.
The parameter ip_addresses in the connector step was mapped incorrectly. Instead of passing a list of IP strings, the playbook passed the full Indicator object.
Sophos XG’s block_ips operation requires a JSON list of string IPs, such as:
["52.218.109.80"]
Resolution:
Edit the Block IP In Sophos XG Firewall step and update the parameter mapping:
From:
"params": {
"ip_addresses": "{{ vars.indicatorLIst }}"
}
To:
"params": {
"ip_addresses": ["{{ vars.input.records[0].value }}"]
}
After updating:
-
Save and re-run the playbook using an IP Address indicator.
-
Confirm the IP was added under: Sophos XG -> Hosts and Services -> Blocked IPs,
-
The playbook log should show a successful block_ips response.
The block_ips connector action updates Sophos XG’s Blocked IP list, not firewall address groups or rules.
|
