Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option, with a Not-for-Resale license, to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction: configurations where the GUI and console tools are reaching their limits. We will suggest possible workarounds for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • One of the top reasons for me is WAF and finding which rule IDs need to be excepted:
    https://support.sophos.com/support/s/article/KB-000035562?language=en_US
    I haven't found a way to do this via GUI, and even this article requires adv. shell.

    Happens each time I need to bring out a new webapp or the client app changes their behaviour.

    Also: SMTP logs, top, check/restart service health. Especially in the last days without shell I wouldn't have figured out that my hardware is defective (errant behaviour of the SSD leading to PSQL crashes).

    If this is not solved I guess I will head back to UTM or even a different vendor.

    My background: Infrastructure Architect in a large international ICT corporation.
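The rule-ID hunt described in this reply, as an added example that is not Sophos's code and not the KB article's procedure: a small Python triage script over ModSecurity-style WAF log lines. The Sophos WAF is ModSecurity based, but the exact field layout of its reverseproxy.log and the sample lines below are constructed assumptions; adjust the regexes if your lines differ. The script groups hits by site and rule ID and flags rules that fire for several distinct clients on the same path, which is the usual sign of a rule tripping on legitimate application traffic rather than a single attacker. Those are the IDs to review before adding an exception, and the exception should still be scoped to that site and path rather than disabled globally.

```python
import re
from collections import defaultdict

# Constructed sample lines in ModSecurity error-log style (assumption: the
# Sophos WAF writes comparable bracketed fields; no real site data here).
SAMPLE_LOG = """\
[Tue May 10 09:12:01 2022] [security2:error] [pid 1234] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:/\\*.*)" at ARGS:q. [file "/waf/rules/41_sqli.conf"] [line "66"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/api/search"]
[Tue May 10 09:12:07 2022] [security2:error] [pid 1234] [client 198.51.100.9] ModSecurity: Warning. Pattern match "(?i:/\\*.*)" at ARGS:q. [file "/waf/rules/41_sqli.conf"] [line "66"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "app.example.com"] [uri "/api/search"]
[Tue May 10 09:13:44 2022] [security2:error] [pid 1235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [file "/waf/rules/20_protocol.conf"] [line "45"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "app.example.com"] [uri "/healthz"]
[Tue May 10 09:14:02 2022] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd'
[Tue May 10 09:15:30 2022] [security2:error] [pid 1236] [client 192.0.2.44] ModSecurity: Warning. Pattern match "(?i:/\\*.*)" at ARGS:body. [file "/waf/rules/41_sqli.conf"] [line "66"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "crm.example.com"] [uri "/notes/save"]
"""

# ModSecurity writes most event attributes as [name "value"]; the client
# address is the one bracketed field without quotes.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_waf_line(line):
    """Return the bracketed ModSecurity fields of one log line as a dict,
    or None if the line is not a WAF rule event (no rule id present)."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields:
        return None
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else "?"
    return fields


def summarize(lines):
    """Group hits by (hostname, rule id): hit count, rule message,
    the URIs the rule fired on and the distinct client addresses."""
    summary = defaultdict(
        lambda: {"count": 0, "msg": "", "uris": set(), "clients": set()}
    )
    for line in lines:
        ev = parse_waf_line(line)
        if ev is None:
            continue
        entry = summary[(ev.get("hostname", "?"), ev["id"])]
        entry["count"] += 1
        entry["msg"] = ev.get("msg", "")
        entry["uris"].add(ev.get("uri", "?"))
        entry["clients"].add(ev["client"])
    return dict(summary)


def exception_candidates(summary, min_clients=2):
    """Triage heuristic: a rule that fires for several distinct clients on the
    same site is more likely misfiring on normal application traffic than a
    rule hit from a single source. Returns (host, rule id, msg, uris, count)
    tuples, most frequent first; each still needs a human review."""
    out = []
    for (host, rule_id), e in summary.items():
        if len(e["clients"]) >= min_clients:
            out.append((host, rule_id, e["msg"], sorted(e["uris"]), e["count"]))
    out.sort(key=lambda t: t[-1], reverse=True)
    return out


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG.splitlines())
    for host, rid, msg, uris, count in exception_candidates(hits):
        print(f"{host}: rule {rid} ({msg}) hit {count}x on {', '.join(uris)}"
              " -> review, then except it for this site/path only")
```

Run it against a copy of the WAF log pulled out through whatever channel is available (support access, log export, or the KB's shell steps on a licensed box) and feed the surviving rule IDs into the site's exception list; the single-client hits it leaves out are the ones worth looking at as possible real attacks rather than exceptions.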

  • As pointed out above, we are wasting our breath. Even the workarounds that people are finding will be blocked by Sophos before GA. This one is done.

    If you want to help others like Ian or do with thousands of posts, they will send you an appliance for your time. Otherwise it is what it is.

    Regards

  • If you believe the CLI is blocked so they can update the SFOS CLI, good luck holding on to that dream. I have been asking for better logging, renaming ports (cosmetically done with v18), consistent kilobits and kilobytes usage, more advanced system graphs that show CPU and memory usage in real time, smart objects like SG where you know exactly where objects are being used anywhere in the system. In XG we get a generic "can't delete foo since it's being used" error and no way to force delete the object. Actual throughput numbers on each interface in real time, NTP server for all the IoT traffic, etc.

  • This is another thing that I am missing through the advanced shell: access to the SQL DB. With commands, you can easily see where the object to delete is used. Twice, I was not able to delete an object on v18 at home, and the objects were nowhere. In the end, I was able to search for them and delete the corresponding rule and NAT ID. They were not in the GUI.

  • This 100%! Useful features, still not implemented after years of "development". The whole "Mail Protection" on XG is a huge mess that has led countless times to customer complaints that just can't and/or won't get resolved. When I started using XG instead of UTM some years ago I had hope that it would catch up soon. Today I can say for sure that Sophos has absolutely no interest in its partners and customers. They don't care what we want, they just do what they want, ignoring the fact that we are the ones selling their messy stuff.

    Looking at this thread alone and realizing how they have their priorities set, I just contacted Fortinet to get a Lab device with license from them.

  • Ok, this is not a good sign for me.

    My use cases for the advanced shell (commercial and home edition) are the following:

    - filter logs

    - access the databases with scripts for searching policies and reporting

    - get the WAF config via shell

    - check_mk monitoring the entire system (yes, I know this is officially not supported)

    - troubleshooting the entire system, too often…

    Sophos, seriously?? No matter which edition of the XG firewall, being without full shell access is not a good idea. The problems start with the system logs, WAF logs, firewall logs,…

    Logging in the XG GUI is horrible; the only way you can find problems or config issues is to search the logs on the command line with good onboard Linux tools like tail, grep, less, awk,…

    Also, accessing the database and doing advanced config searching is only possible in the full shell…

    What is the reason to hide the advanced shell in free versions only? I can't get it.

    It looks like my migration path, also in the home office, is pointing in the direction of UniFi or Palo Alto; I know these are paid versions only, but they work very well.

    This makes me really sad…

  • How would I capture and download packet traces in a home environment?

    This article is a good description.
    Sophos Firewall: Create and download a packet capture

    How can this be done at the device console?

  • How am I supposed to change the WAN configuration in the console without the Advanced Shell? Many cloud providers (Hetzner, Ionos Cloud, Linode, Lansol, just to name a few) will deploy only /32 IP addresses to the WAN port. As a consequence, there will be no default route on XG. Previously, I was able to help myself by configuring ip route add default manually via the advanced shell and enabling system appliance_access via the CLI to gain temporary access to WebAdmin. Then I was able to configure the interfaces and make the routes persistent. Neither of these solutions works anymore in v19. Do I really have to set up a client VM to access the XG locally in a cloud environment? I'm actually better off installing another firewall.

  • Are you using Sophos XG home on those vendors? Is this a real "home deployment" or business deployment? 