Restricted Advance Shell - examples of challenges

The logviewer is way to slow, during troubleshooting I definitly need the console ability.
Expressed other way around - I see NO acceptable reason to deactiviate it.
Thats independant of licensed / not licensed !
Our technicians are using the home-license for their home and family, like it's planned and for troutbleshooting the cli is needed - definitly.
I can't understand the reason behind thinking aout disabling that feature...

I've done a little research and I really don't think any major competitor offers unrestricted shell access to their underlying OS. Fortinet's CLI is not a UNIX shell, it's a highly-restricted shell similar to Sophos' CLI, and it's my impression that other competitors are similar.

So in that sense, Sophos has been offering something that their major competitors haven't and they're now saying they are moving towards withdrawing it. I can also imagine that security-wise, the Advanced Shell is pretty much impossible to audit well. A much-restricted, custom CLI (such as Sophos has and Fortinet, et al, offers) would make a lot of sense from that direction.

That said, Sophos needs to not just enhance their GUI -- which is the point of this thread -- but also enhance their CLI so that log viewing, traffic monitoring (iftop) and other real-time tools are available for the kind of troubleshooting you're talking about. (ASCII-based tools may be primitive, but they are fast and low-overhead.)

Wayne Folta said:

I hate that this system bottoms out so early in the replies, so we end up "replying" to whoever posted right before us instead of who we were replying to -- once replies reach some (shallow) depth

I hate it too!!!! At least if they switch to discourse.org...

Yes it works. With "ssh admin@firewall -t /bin/sh". So i'm fine without shell access 

This will be addressed until GA. 

It's amazing how much effort and energy Sophos is pumping into this restriction. Features requested from customers years ago are still not implemented, "workarounds" for real problems that are years old are still the "solutions" you get from Sophos Support, but this will get fixed in no time? Sophos is such a joke nowadays.

Thanks for your Feedback. 

It's amazing how much effort and energy Sophos is pumping into this. Features requested by customers years ago are still not implemented, real problems that are years old are still "fixed" by lazy "workarounds" you get from the support, but this is getting adressed in no time.

I wonder how long will take to someone find a way to get root shell access through CLI.

Years ago, someone found a way as this on PAN firewalls.

If somebody finds this access, they are able to report this as a vulnerability. See: https://www.sophos.com/en-us/legal/sophos-responsible-disclosure-policy

Thanks Lucar, good to know.

If you believe the cli is blocked so they can update the SFOS cli good luck holding on to that dream. I have been asking for better logging, renaming ports (cosmetically done with v18), consistent kilobits and kilobytes usage, more advanced system graphs that show cpu and memory usage in real time; smart objects like SG where you know exactly where objects are being used anywhere in the system. In XG we get a generic can't delete foo since its being used error and no way to force delete the object. Actual throughput numbers on each interface in real time, NTP server for all the IOT traffic etc. 

If you believe the cli is blocked so they can update the SFOS cli good luck holding on to that dream. I have been asking for better logging, renaming ports (cosmetically done with v18), consistent kilobits and kilobytes usage, more advanced system graphs that show cpu and memory usage in real time; smart objects like SG where you know exactly where objects are being used anywhere in the system. In XG we get a generic can't delete foo since its being used error and no way to force delete the object. Actual throughput numbers on each interface in real time, NTP server for all the IOT traffic etc. 

This is another thing that I am missing through advanced shell. Access to sql DB. With commands, you can easily see where the object to delete is used. Twice, I was not able to delete an object on v18 at home, and the objects were nowhere. At the end, I was able to search for them and delete the corresponding rule and NAT id. They were not in the GUI.

This 100%! Useful features, still not implemented after years of "development". The whole "Mail Protection" on XG is a huge mess that led countless times to customer complaints that just can't and/or won't get resolved. When I started using XG instead of UTM some years ago I had hope that it will catch up soon. Today I can say for sure that Sophos has absolutely no interest in it's partners and customers. They don't care what we want, they just do what they want, ignoring the fact that we are the ones selling their messy stuff.

Looking at this thread alone and realizing how they have their priorities set, I just contacted Fortinet to get a Lab device with license from them.