Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Currently there is no workaround for "downloading" the Wireshark dump. You can still do a packet capture on the CLI (console) and in the GUI. 

    But apparently there is no download of this dump. 

    Just out of curiosity: If you look at the packet capture in the Webadmin: What use cases do you miss there to resolve your issues besides a download capability for Wireshark? 

    __________________________________________________________________________________________________________________

  • NFRs are for test labs as well. There are multiple firewall licenses you can get as a Sophos Partner. Feel free to talk to your Sophos Sales Rep about your eligible packages. 

    Sophos XG Home is regulated by the EULA: https://www.sophos.com/en-us/legal/sophos-end-user-license-agreement

    It is clearly intended for non-commercial usage. If you want to reproduce something or you want to test something for your customer, there are options to do this for every partner. Feel free to contact Sophos Support or your Sophos Sales Rep if you feel features are missing. Sophos XG Home was never intended to rebuild a test lab on the Partner site in the first place. The Partner should use valid licenses and not licenses built for the personal use case at home. 

    And Sophos XG Home is used by personas at home, as intended. Do not think it is purely used by partners in labs. We are talking about a technical home person wanting to use a better firewall product in the first place. We are not talking about the "ISP router persona". 

    __________________________________________________________________________________________________________________

  • As a silver Partner we only get two NFR licenses for firewalls, so there doesn't seem to be room to give a license to every employee for his private home environment. Is it even allowed to use NFR licenses in home networks that are not directly connected to a partner anyway?

    It's not like installing a home license to use it as a testing device, it's more like using it as a private firewall but gaining experience with it outside production environment.

    Anyhow, not being able to basically administer WAF anymore is, for me, a dealbreaker. Maybe I just go back to UTM or use something completely different. Thanks for your time, Toni.

  • In principle, WAF is still there. You cannot see the WAF mod rule blocks, which is some feedback to include in the Logviewer. 

    If the log viewer included mod rule blocks, would you still need to access the CLI /log? 

    __________________________________________________________________________________________________________________

  • Well, there are a few things that I personally need @home.

    - The possibility to set the WAF file upload size (which you already said will get implemented), best would be in the GUI as setting on a WAF policy

    - WAF rule IDs from triggered rules, best would be in real time.

    - Access to all full log files in the log viewer: As mentioned before, I can't even see why the spam engine dropped a mail in the GUI. In the log I can at least see if it was bulk or something else.

    - Proper filter functions in the log viewer: simple tasks like "show me firewall rule #3 and #4" or "exclude DELIVERED and QUEUED as email action" are already too much for the GUI, so if I want a filtered view of all not-delivered mails and export it, I'm screwed with the GUI. No problem with grep, of course.

    - The GUI lacks an export function for the mail logs. Yes, I can export logs in the log viewer, but e.g. rejected mails don't even show up there, a thing I don't understand to this day. Why on earth is that? Change this!
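
The two filters the post above describes (firewall rule #3 or #4; mail minus DELIVERED and QUEUED, then exported) done on the CLI, as an added example that is not the poster's own commands and not Sophos' own log format: the sample lines below are constructed key="value" records that only resemble firewall and SMTP log output, so the real field names (`fwrule_id`, `log_type`, `action`, `reason`) and layout on a Sophos Firewall are assumptions to adjust against the actual files under /log.

```shell
#!/bin/sh
# Added example: awk filters over key="value" log lines, with CSV export.
# SAMPLE_LOG is constructed for this example; field names are assumed and
# may differ from the real Sophos Firewall log format.
SAMPLE_LOG='time="2024-05-01 10:00:01" log_type="Firewall" fwrule_id="3" src_ip="10.0.0.5" dst_ip="1.1.1.1" action="Allow"
time="2024-05-01 10:00:02" log_type="Firewall" fwrule_id="7" src_ip="10.0.0.9" dst_ip="8.8.8.8" action="Allow"
time="2024-05-01 10:00:03" log_type="SMTP" from="a@example.com" to="b@example.net" action="DELIVERED" reason=""
time="2024-05-01 10:00:04" log_type="SMTP" from="c@example.org" to="b@example.net" action="QUEUED" reason=""
time="2024-05-01 10:00:05" log_type="SMTP" from="spam@example.test" to="b@example.net" action="REJECTED" reason="bulk"
time="2024-05-01 10:00:06" log_type="Firewall" fwrule_id="4" src_ip="10.0.0.7" dst_ip="9.9.9.9" action="Drop"'

# kv(line, key): value of key="..." in line, or "" if absent. A space is
# prepended so that "to" cannot match the tail of a longer key like "proto".
KV_FUNC='
function kv(line, key,   m) {
    if (!match(" " line, " " key "=\"[^\"]*\"")) return ""
    m = substr(" " line, RSTART, RLENGTH)
    sub(/^ [^=]*="/, "", m); sub(/"$/, "", m)
    return m
}'

# rules_any "3 4": keep lines whose fwrule_id is any of the listed IDs.
rules_any() {
    awk -v want="$1" "$KV_FUNC"'
    BEGIN { n = split(want, ids, " "); for (i = 1; i <= n; i++) ok[ids[i]] = 1 }
    (kv($0, "fwrule_id") in ok)'
}

# mail_not_delivered "DELIVERED QUEUED": SMTP lines whose action is NOT in
# the exclusion list, emitted as CSV ready for export.
mail_not_delivered() {
    awk -v skip="$1" "$KV_FUNC"'
    BEGIN {
        n = split(skip, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1
        print "time,from,to,action,reason"
    }
    kv($0, "log_type") == "SMTP" && !(kv($0, "action") in drop) {
        printf "%s,%s,%s,%s,%s\n", kv($0, "time"), kv($0, "from"),
               kv($0, "to"), kv($0, "action"), kv($0, "reason")
    }'
}

# Usage (on a real box, replace the printf with: cat /log/<file>.log | ...):
#   printf '%s\n' "$SAMPLE_LOG" | rules_any "3 4"
#   printf '%s\n' "$SAMPLE_LOG" | mail_not_delivered "DELIVERED QUEUED" > not-delivered.csv
```

Both filters are pure POSIX awk, so they run in any shell that has it; the CSV output from the second one is what the GUI export would need to produce to cover the "rejected mails" case the post mentions.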

  • Is that 3-year NFR for architects new? I completed architect in 2019 (and delta in 2021) for UTM without any NFR options?

  • You need to contact the Training Staff of Sophos or your local Sales Rep. This program is old, but you need to get in touch with the departments. 

    __________________________________________________________________________________________________________________

  • So all your use cases focus on WAF/Email? And other use cases which need CLI access? 

    __________________________________________________________________________________________________________________

  • WAF, Email and Logs, specifically being able to properly filter and download the latter. Other than that, I think I'd be fine.

  • What kind of logs? Please be as specific as possible. What logs do you miss besides the 4 different log directories of those components? 

    __________________________________________________________________________________________________________________

  • I have a method that works around your limitations, using the Advanced Shell, to stream packet capture to my laptop. So I can capture as much data as I want. (This is an acute problem on the XGS87, which has so little space it can't even do on-box logging, but I imagine it affects larger systems in larger environments.)

    One key use of Wireshark for me was to help debug VOIP issues. Wireshark allowed me to follow the entire VOIP transaction, from SIP to RTSP, and even to play back the audio. (Well, the incoming audio, which was unencrypted -- our internal VOIP device sent out encrypted audio.)

    So you're right, when the question is, "Hey, some traffic isn't getting through", or conversely, "Hey, there's some unintended traffic getting through", all you really care about are the basic headers: IP, MAC, Port, etc. So the GUI packet capture is fine. In fact, much of the time the payload of the packet is encrypted so who cares what it looks like?

    But there are higher-level concerns that have to do with connections, conversations, etc, that need a larger picture and need something that can parse and show you that high-level environment.

    Then there are further issues like: am I seeing lots of retransmissions, how many packets are in flight, etc., that you encounter when your end-to-end extends outside of your internal network and you're trying to figure out if it's your ISP or your VOIP vendor, or the VOIP vendor's partner in Chile, or... You may think that's not part of your responsibility, but the way tech support bureaucracies work, you really do need to know who doesn't get to point their finger at someone else. And you may be asked for PCAP files covering the entire transaction.

    Home users don't need that. (Though we need to be careful of definitions: my installation is for home/home-office use, but I bought an XGS87 and pay for XStream and so expect the ability to play the part of a professional and use tools like Wireshark to pinpoint my VOIP problems. Which I've done twice in the last year.)

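The generic form of what the post above describes (a capture streamed from the firewall to a laptop, so nothing lands on the appliance's small disk, viewed live in Wireshark and saved for the vendor), as an added example: this is not the poster's own method. It assumes the Advanced Shell provides tcpdump and that the SSH session can run a remote command directly; on Sophos Firewall an SSH login normally lands in the console menu rather than a shell, so the remote command part may need adapting. Interface name, RTP port range and host are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's method: stream a live capture from the
# firewall's Advanced Shell to the laptop for Wireshark, keeping a pcap copy.
# Assumptions (not from the thread): ssh can run tcpdump on the firewall,
# the laptop has ssh, tee and wireshark; "Port2" and the RTP range are examples.

# Remote side: -n (no DNS lookups), -s 0 (whole packets, so RTP audio can be
# replayed), -U (packet-buffered so Wireshark sees packets as they arrive),
# -w - (pcap to stdout, which ssh carries to the laptop).
remote_capture_cmd() {
    printf 'tcpdump -n -s 0 -U -i %s -w - %s' "$1" "$2"
}

# BPF for a SIP call: signalling on 5060 plus the RTP port range the PBX uses.
# The default 10000-20000 is an assumption; take the real range from the PBX.
sip_rtp_filter() {
    printf 'port 5060 or (udp and portrange %s-%s)' "${1:-10000}" "${2:-20000}"
}

# Laptop side: run the remote capture over ssh, tee a copy to disk (the PCAP
# a vendor may ask for) and feed Wireshark live (-k start now, -i - stdin).
stream_to_wireshark() {
    host="$1"; iface="$2"; filter="$3"
    out="${4:-capture-$(date +%Y%m%d-%H%M%S).pcap}"
    ssh "$host" "$(remote_capture_cmd "$iface" "$filter")" \
        | tee "$out" \
        | wireshark -k -i -
}

# Usage: sh stream_capture.sh admin@192.0.2.1 Port2 "$(sip_rtp_filter)"
if [ "$#" -ge 3 ]; then
    stream_to_wireshark "$@"
fi
```

Because the pcap never touches the appliance, the capture can run for the whole call and the saved file carries the full SIP and RTP conversation that Wireshark's "Follow" and VoIP call analysis need; restrict the BPF filter as much as possible, since an unfiltered full-packet capture over ssh competes with the traffic being debugged.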