Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools are reaching their limits. We will suggest possible workarounds for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • As Prism has pointed out, I am talking about pattern updates, not firmware updates. As I said, the extra coding can't be much. They already have scheduled tasks; we just need them to add that capability to the pattern updates. Can you imagine explaining to a customer that their phone calls all drop every time there is a pattern update because that is the way it is designed?!

  • So you are starting to mix up different things. A pattern scheduler cannot be a solution for such an issue. The fix should be to find the core issue and figure out why the IPS is dropping those packets in the first place.

    BTW: The workaround to disable the fastpath on affected appliances (XG/SG) seems to be very affected. I could not notice this issue on XGS hardware at all. And as far as I know, there are already fixes for this issue in place for V18.5 MR2.

    But if you want to continue to discuss this issue, I feel this thread is not the correct place.

  • The logviewer is way too slow; during troubleshooting I definitely need the console ability.
    Expressed the other way around - I see NO reason to deactivate it.
    That's independent of licensed / not licensed!
    Our technicians are using the home license for their home and family, like it's planned, and for troubleshooting the CLI is needed - definitely.
    I can't understand the reasoning behind thinking about disabling that feature...
    Please don't forget the knowledge that technicians get when they are fiddling around with their home XGs. Imho it would be very unwise and a big step back to cancel that ability.

    Regards

    Olaf Pelzer

  • I've done a little research and I really don't think any major competitor offers unrestricted shell access to their underlying OS. Fortinet's CLI is not a UNIX shell; it's a highly restricted shell similar to Sophos' CLI, and it's my impression that other competitors are similar.

    So in that sense, Sophos has been offering something that their major competitors haven't, and they're now saying they are moving towards withdrawing it. I can also imagine that, security-wise, the Advanced Shell is pretty much impossible to audit well. A much-restricted, custom CLI (such as Sophos has and Fortinet et al. offer) would make a lot of sense from that direction.

    That said, Sophos needs to not just enhance their GUI -- which is the point of this thread -- but also enhance their CLI so that log viewing, traffic monitoring (iftop) and other real-time tools are available for the kind of troubleshooting you're talking about. (ASCII-based tools may be primitive, but they are fast and low-overhead.)

  • I have a method that works around your limitations, using the Advanced Shell, to stream packet capture to my laptop. So I can capture as much data as I want. (This is an acute problem on the XGS87, which has so little space it can't even do on-box logging, but I imagine it affects larger systems in larger environments.)

    One key use of Wireshark for me was to help debug VOIP issues. Wireshark allowed me to follow the entire VOIP transaction, from SIP to RTSP, and even to play back the audio. (Well, the incoming audio, which was unencrypted -- our internal VOIP device sent out encrypted audio.)

    So you're right, when the question is, "Hey, some traffic isn't getting through", or conversely, "Hey, there's some unintended traffic getting through", all you really care about are the basic headers: IP, MAC, Port, etc. So the GUI packet capture is fine. In fact, much of the time the payload of the packet is encrypted so who cares what it looks like?

    But there are higher-level concerns that have to do with connections, conversations, etc, that need a larger picture and need something that can parse and show you that high-level environment.

    Then there are further issues like: am I seeing lots of retransmissions, how many packets are in flight, etc, that you encounter when your end-to-end extends outside of your internal network and you're trying to figure out if it's your ISP or your VOIP vendor, or the VOIP vendor's partner in Chile, or... You may think that's not part of your responsibility but the way tech support bureaucracies work you really do need to know who doesn't get to point their finger at someone else. And you may be asked for PCAP files covering the entire transaction.

    Home users don't need that. (Though we need to be careful of definitions: my installation is for home/home-office use, but I bought an XGS87 and pay for XStream and so expect the ability to play the part of a professional and use tools like Wireshark to pinpoint my VOIP problems. Which I've done twice in the last year.)

  • Hi All,

    Related to what Parth has mentioned above - I'd like to also announce that the Community Team is planning to provide free Sophos XG hardware and software licenses to our top Sophos XG Firewall group contributors as part of an ongoing revamp of our Sophos Community Member Recognition program.

    Please stay tuned to our Community blog for further details of this announcement.


    Florentino
    Director, Global Community & Digital Support

    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • Hi Flo,

    thank you. I have been using my XG115W on and off since it arrived. It currently has an active support case. I am finding the XG115W is a little underpowered for my use, so based on my experience I would suggest a slightly more powerful box than an XG115W.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Odd that I advised Sophos to gift XGs to the best users (2016) and it did not happen until now; odd to see that TABs are back again, while in v15 and v16 I advised Sophos to bring TABs back and make sure the UI is close to UTM, as this was one of the keys to UTM's fame. Odd to see other things happening with a huge delay! Hurry up guys! You have good ideas on slow legs. Start thinking about changing the platform! You are using an agile model and changes should be out in no more than 30 days, and this is not happening; small changes require development time, so where is the agile model? Community and business users are still waiting for basic features that have been promised since v15, and still today a Flow monitor like UTM's is missing, useful logging is still via shell, Control Center is still using a fixed resolution, we are not able to change the native VLAN ID on a physical NIC, NAT rule cloning is missing... I could go on until tomorrow with the list. Such things have been missing since v15 (release date was August 2015) and you are focusing on disabling CLI access for home users? Nothing against that, but believe me, you should concentrate efforts elsewhere, on a platform that is dynamic enough to accept fast changes. I am disappointed as a home user, but I am very disappointed as a Computer Engineering person, as I see your lacks but you towards changes you should take.

    For the community: I did not receive any XG gift from Sophos!

  • In fact, given the way XG/UTM from Sophos is evolving... better to remove more pebbles from the shoes?