Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching the limits. We will suggest the possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Why does this matter? Both home and business XGs are affected by this. Even if I want to activate subscriptions I have to access Webadmin, which will not work in this scenario.

  • Only Trials (30 Days) and Home are affected. But it's correct, you will not be able to install the appliance in this state.


  • No. Business XGs are also affected. You are aware that business XGs also run on evals before subscriptions are activated? E.g. when doing a fresh install or first setup? For registration and licensing, WebAdmin access is necessary. So if I deployed an XG before any subscriptions are active, I will also not be able to access the Advanced Shell, e.g. to change the interface configuration in order to access WebAdmin in cloud deployments. Without the Advanced Shell, there is no way around this "core issue". Tell me, how would you set up a v19 cloud XG in e.g. IONOS Cloud? Do you tell your partners and customers they have to install a Windows VM to access the XG WebAdmin locally from inside the datacentre? They will ditch the product right away.

  • That is correct. There is currently no workaround in case you cannot register the appliance in the first place. That is the reason we are asking for such feedback, so Sophos can pick up those requirements.

    About the installation process: does IONOS support templates? Because "officially supported public cloud vendors" like AWS and Azure have templates of SFOS preinstalled in their marketplace.


  • It's useless to argue any further. Let Sophos taste their own medicine. No advanced customers anymore with V19.

    They clearly showed how they care about us, and the answer is: not a single second. The "what are the challenges" only appeared after the community called out the removal of the advanced shell multiple times. They could've just started this exact thread like a year ago and presented us a V19 EAP with a sufficient CLI, so that there is no need for a shell, but they did not. Tells me they don't care about their customers in any way.

    Nothing against LuCar Toni. He is just here to help, but honestly the ship has already sailed.

  • Throwing something out like that and just waiting to see if an outcry from your customers/partners happens is plain cheeky, and as you said: if it would've mattered to improve the product, there would've been much better ways, but this wasn't their intention. Just after they realized that they messed up, they came around with this thread. On the other hand, this is the exact bad behaviour I would've expected from Sophos.

  • Thanks for your feedback.


  • Come on LuCar, we all know that Sophos doesn't care about feedback at all.

  • For example, it is not possible to see the IDs of the WAF rules because we have no access to the logs, so we cannot do what this KB explains:

    support.sophos.com/.../KB-000035562

    In addition, we should be able to edit the sensitivity with any numeric value we want.

  • Holy moly, only just found this thread. Rofl, thought I was the only one disappointed the advanced shell was being removed.

    For me, if we're running Sophos XG at home, we're generally techies and love command line access, well, because we love that kinda thing.

    Pings, traceroute, tcpdump, atop, scripting (speed test script I've written), tailing of logs, iftop, ethtool for checking interface speed, ifconfig for errors/discards. Just to name a few off the top of my head.

    Is my nan going to be running an XG home edition? No, she'll be using her ISP router. But for a techie, Sophos Home has been perfect and also helps build brand loyalty. My fear is you remove this from us techies, an alternative will come along, and we will move to it.

    And before you know it, we're running that at home. And next time our business reviews which firewalls we resell - ohhh let's have a look at the commercials behind product X.

    I know the argument is - use an NFR if you're a partner. Well I've got an NFR, but you're then adding - chase account manager yearly for new NFR, my NFR is for 4Gb of RAM and 2 CPUs, so it's actually a downgrade from my home box. They're small things, but let me tell you, humans are lazy. I don't want to add a "chase account manager" every year for a new NFR license to my to-do list, if a similar product is released that removes this requirement.

    Like others have said, I think it's a mistake, but I also think you're not going to listen, so let bygones be bygones. And see how your community "grows" in the coming years.

    ------------------------------------------------

    worlds number one free ICMP monitoring platform: https://pinescore.com