Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option of a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configuration, SD-WAN logs, VPN logs, gateway logs etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • The log viewer is way too slow; during troubleshooting I definitely need the console ability.
    Expressed the other way around - I see NO acceptable reason to deactivate it.
    That's independent of licensed / not licensed!
    Our technicians are using the home license for their home and family, like it's planned, and for troubleshooting the CLI is needed - definitely.
    I can't understand the reason behind thinking about disabling that feature...

    Regards

    Olaf Pelzer

  • I've done a little research and I really don't think any major competitor offers unrestricted shell access to their underlying OS. Fortinet's CLI is not a UNIX shell, it's a highly-restricted shell similar to Sophos' CLI, and it's my impression that other competitors are similar.

    So in that sense, Sophos has been offering something that their major competitors haven't and they're now saying they are moving towards withdrawing it. I can also imagine that security-wise, the Advanced Shell is pretty much impossible to audit well. A much-restricted, custom CLI (such as Sophos has and Fortinet, et al, offers) would make a lot of sense from that direction.

    That said, Sophos needs to not just enhance their GUI -- which is the point of this thread -- but also enhance their CLI so that log viewing, traffic monitoring (iftop) and other real-time tools are available for the kind of troubleshooting you're talking about. (ASCII-based tools may be primitive, but they are fast and low-overhead.)

  • Thanks for the specifics. I've been going on my impressions, not based on usage.

    `fnsysctl` isn't a shell, though, right? It lets you run certain commands. But that's pretty much par for a CLI. They're going to eventually call out to actual commands, some of which are named the same as they are on the system: "grep", "tcpdump", "kill". But it's my impression that you are restricted as to what you can do. For example, in Sophos' case, "tcpdump" from the CLI does not take all of the arguments that you get from the shell, and it even renames some of the arguments that it does allow.

    Either a CLI is implemented entirely in C or C++ or something and only uses library calls -- a lot of work considering that a Linux/UNIX OS will have hundreds of executables ready to do those jobs -- or it will validate and filter arguments and use OS executables. Or maybe both. (I suspect the Sophos CLI uses both methods.)

    Check Point is interesting. Cisco is surprising; I didn't know that. In either case, I think Sophos is bringing to bear SophosLabs and their MTR work, and "living off the land" is a big cybersecurity threat right now, so providing shell access is actually a bad practice.

    I think your last point is the key: Sophos offered the Advanced Shell and it's essentially been a crutch that justified them not improving the CLI or the GUI. PAN didn't need to do that. Fortinet mostly didn't need to do that. Cisco is the odd one here.
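    One way the "validate and filter arguments, then call the OS executable" approach from the post above can look in practice, as an added example (my code, not the Sophos CLI implementation): the option allowlist, the validators and the filter-token grammar are all assumptions, and the wrapper deliberately rejects anything it does not recognise rather than passing it through to the binary.

```python
"""Added example: a minimal restricted-CLI wrapper around tcpdump.
It accepts a small allowlist of options, validates every value, and builds
an argv list that is executed without a shell. Everything else is refused."""
import re
import shlex
import subprocess

# Hypothetical allowlist: option -> validator for its value (None = flag only).
ALLOWED_OPTIONS = {
    "-i": re.compile(r"^[A-Za-z0-9_.-]{1,15}$"),   # interface name
    "-c": re.compile(r"^[1-9][0-9]{0,5}$"),         # packet count
    "-n": None,                                      # no name resolution
}
# Tokens permitted inside the capture filter expression (assumed subset).
FILTER_TOKEN = re.compile(
    r"^(host|net|port|src|dst|and|or|not|tcp|udp|icmp|[0-9]{1,5}|"
    r"[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?)$")


class RestrictedCommandError(ValueError):
    """Raised when the user line contains anything outside the allowlist."""


def build_tcpdump_argv(user_line: str) -> list:
    """Turn a CLI line such as '-i eth0 -c 10 host 10.0.0.1' into an argv list."""
    tokens = shlex.split(user_line)
    argv = ["tcpdump", "-l"]          # line-buffered so output streams to the CLI
    i = 0
    # Options come first; each must be allowlisted and its value validated.
    while i < len(tokens) and tokens[i].startswith("-"):
        opt = tokens[i]
        if opt not in ALLOWED_OPTIONS:
            raise RestrictedCommandError(f"option not permitted: {opt}")
        validator = ALLOWED_OPTIONS[opt]
        if validator is None:
            argv.append(opt)
            i += 1
            continue
        if i + 1 >= len(tokens) or not validator.match(tokens[i + 1]):
            raise RestrictedCommandError(f"bad value for {opt}")
        argv += [opt, tokens[i + 1]]
        i += 2
    # Whatever remains is the filter expression; every token must match the grammar.
    for tok in tokens[i:]:
        if not FILTER_TOKEN.match(tok):
            raise RestrictedCommandError(f"filter token not permitted: {tok}")
    return argv + tokens[i:]


def run_restricted_tcpdump(user_line: str) -> int:
    """Validate, then exec tcpdump directly (no shell, so no metacharacters)."""
    return subprocess.run(build_tcpdump_argv(user_line), shell=False).returncode
```

    Note that `-w`, `-z` and `-Z` are simply absent from the allowlist, so writing to arbitrary paths or running post-rotate commands is refused before tcpdump is ever started.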

  • To be honest here, do you have a home license on v19 EAP?

    Can't you just "ssh firewall -t /bin/sh" and move on with your life? Or they actually blocked anything involving "/bin/sh"?

    I'm currently on a XG appliance, so I can't verify if this works.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • I hate that this system bottoms out so early in the replies, so we end up "replying" to whoever posted right before us instead of who we were replying to -- once replies reach some (shallow) depth. So not sure if you were replying to me. (I have an XGS appliance, so also can't test.) I could swear that I've read that home users can't work around this with SSH. I could be mis-remembering, though.

    (On a lighter note, I have a cool little script I did to stream `tcpdump` output to my laptop for unlimited captures, and I worked it all out with `expect` and going through the CLI that appears if you just `ssh`. Would have been much simpler if I'd thought about `-t` working.)

  • I hate that this system bottoms out so early in the replies, so we end up "replying" to whoever posted right before us instead of who we were replying to -- once replies reach some (shallow) depth

    I hate it too!!!! At least if they switch to discourse.org...

  • Yes, it works. With "ssh admin@firewall -t /bin/sh". So I'm fine without shell access.

  • This will be addressed by GA.

  • It's amazing how much effort and energy Sophos is pumping into this restriction. Features requested from customers years ago are still not implemented, "workarounds" for real problems that are years old are still the "solutions" you get from Sophos Support, but this will get fixed in no time? Sophos is such a joke nowadays.

  • Thanks for your feedback.

  • It's amazing how much effort and energy Sophos is pumping into this. Features requested by customers years ago are still not implemented, real problems that are years old are still "fixed" by lazy "workarounds" you get from the support, but this is getting addressed in no time.

  • I wonder how long it will take for someone to find a way to get root shell access through the CLI.

    Years ago, someone found a way like this on PAN firewalls.

