Automating static IP-MAC management in Sophos firewall

I get asked this a lot. Someone turns up with a spreadsheet of 200 MACs and IPs and wants those turned into static IP-MAC reservation entries in a Sophos firewall without an afternoon of clicking around. I use three routes: convert the sheet to Sophos-compatible XML and import it, use the Sophos API if the firmware supports it, or move DHCP onto a dedicated server that can take CSV or PowerShell imports. The safe path is the one I use here, plus a CSV example and a way to clear them out in bulk when the term ends.

Start by exporting or checking a current Sophos config so you know what XML it expects. Sophos supports importing a partial or full configuration as XML from Backup and firmware > Import export in the GUI, so you can build the entries offline and re-import the file rather than typing each row into the web UI. If you want community notes and alternatives, the Sophos docs on import/export and a Reddit thread on bulk static reservations cover the same problem. Use them to check your SFOS version does partial import the way you expect.

Keep the spreadsheet format small and predictable. I use a CSV with three columns: hostname,mac,ip. One example row looks like this:

classroom01,00:11:22:33:44:55,10.10.20.101

Keep MACs in lower-case, or at least keep the case consistent with whatever your script expects. Check the rows for duplicates and out-of-range IPs before you try an import. A quick grep or Excel filter does the job. From there, run a small script that wraps each CSV row into the XML node Sophos uses for static mappings, or use a converter you trust. The script route gives repeatable imports and a cleaner rollback path.

If your firmware and licence allow API access, use that instead of import/export. The API accepts authenticated calls to create and delete objects programmatically. I use a script that reads the CSV, checks against the DHCP pool and current leases, then POSTs each mapping. That gives immediate feedback and simple error handling. If API access is blocked by policy, fall back to XML import. In either case, keep a backup of the current configuration and test on a staging device if you can.

Bulk deletion follows the same pattern. If you used XML import, prepare an XML that removes or replaces the static mapping nodes and import it. If you used the API, send delete calls for each MAC or IP. If you stay in the GUI, filter the static mappings list and delete with multi-select, but that is slow once you get into the hundreds. Check the DHCP mappings area in the GUI and confirm the leases have dropped back into the dynamic pool. A simple smoke test is to reboot a sample device and see that it picks up the expected address.

After any bulk change, check three things: the import file matches the firewall’s XML schema; nothing collides with the DHCP dynamic range; and a random sample of devices renews to the right reservation. Keep the original CSV and a timestamped copy of any XML you import. That gives you an audit trail and a clean rollback option if the import goes sideways. If you need a starting script, look for CSV-to-Sophos-XML converters and adapt one to your CSV layout rather than hand-editing XML for hundreds of entries.

Do it once and it saves hours every provisioning cycle. CSV, validate, convert, import or push by API, then check the GUI and a few DHCP renewals. That avoids the usual mess: wrong MAC format, IPs inside the pool, and duplicate entries.

Tags:

Related posts

Agentic AI still needs domain judgement

Agentic AI can write the thing, but it still cannot tell you whether the thing is right. That is where domain expertise matters, because a clean config or neat bit of glue logic can still be wrong in...

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...