Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in-line with industry best-practices, access to the Advance Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with unrestricted advanced shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (Better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc). However, we acknowledge that Advance Shell restriction might have created challenges in certain database related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest possible workarounds for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • In my opinion, the problem is that Sophos is controlled by a fund. I'm a Partner but I have a Sophos XG "Home" at home where I used to do the tests. I gritted my teeth with XG15, XG 16... I agree with lferrara, let's see from here to 2 years how many renewals will bring home Sophos UTM side ....

  • Hi Community contributors,

    We are going through each example that you have highlighted due to this change (WAF logs, WAF file size limit, SMTP log, IPSec VPN debug, top/ iftop commands, etc).

    Thank you for your feedback. Please continue sharing if you have more such points.

    There is no commercial or sales reasoning behind this change. Your feedback has been very helpful and we will consider improving those points in the future.

    Sincerely,

    Sophos Firewall Product Team

  • "There is no commercial or sales reasoning behind this change."  I'm left to wonder then, what was the reasoning behind the change?  You guys didn't have anything better to do?  I don't think anybody is buying the whole "in-line with industry best practices" excuse.

  • Bill, I think that the direction is to reduce the attack surface and lock down the CLI. The approach could be: "let's close the advanced shell to home users and analyze feedback, results, challenges, constraints and so on. Once everything is clear and fixed, advanced shell will be closed to appliances with licenses." Nothing against that, but before they can really do that, they need to build strong and reliable logging capabilities on XG as UTM had. In 5 years of production experience on UTM, I accessed the console maybe 10 times for cc commands.

    Just giving my 2 cents....

  • I think the decision to cut off that feature has been made and they will not pull back from it.

    "The matter is settled" ("Der Drops ist gelutscht"), as we say here in DE.

    I'm sure, Sophos community will suffer badly from this decision. Maybe  is interested for the community part of it?

    I care most for the community part. As commercial support is so bad from Sophos, these forums are vital for paid customers. Cannot count how often - while still waiting for answers from tech support for days or weeks - I got useful help from users here like  or  or some of the guys who already posted to this topic, who I believe have most of their experience from their home lab machines. I don't want to miss their experience and I'm looking forward to new experienced users to come.

    Whoever needs a shell still has alternatives. Bought new hardware for my home net FW this week. As I stumbled over this thread, guess if I chose Sophos for my home FW?

  • UTM was my edge firewall for years till it was abandoned by Sophos. I moved to the choice you have made a few years ago and never even log in to my firewall. It just works, is secure, no remote execution problems, the GUI is really fast, my Suricata and Snort rules are tailored for me, I can choose how aggressive my blacklists are for ad blocking etc. IPv6 works; the only negative would be QoS, which is not as polished as on Linux distros and is hard to tune.

    As  pointed out, the decision had already been made and this thread was just a placeholder.  I agree that with a stable firewall you hardly ever need the CLI, but XG is far from it. If they wanted to close Linux CLI access, they needed to expand their own console OS to keep up with industry standards, but they haven't done that either.

    They keep on pushing the community away and never listen to any feedback. Add aggressive deletion of posts that they don't agree with and that is what we have.

    Regards.

  • Oh I almost forgot, they just added WAF to OPNsense, so check that out also when you're evaluating.

  • I'll personally never use pfSense because of the vindictive, out-of-control behavior they demonstrated during the OPNsense break. And I won't use OPNsense because they're replacing their entire foundation at this point. Glad it works for you.

    I also like getting updated rules on perhaps an hourly basis. If you're willing to wait a month, Snort is fine. (Suricata has no real advantages over the latest Snort, as far as I can tell.) You can get Snort updates more often, but it's not cheap.

    And to really have a stable pfSense, you have to use your own hardware, which some of us have sitting around and enjoy as a part of our hobby and some of us do not.

    Yep, Sophos has issues, and I've come late to the table so don't have the painful scars that some have. But it does feel like the 18 - 18.5 - 19 progression is making rapid progress, and that perhaps they needed to go to XG (over the more featureful UTM) in order to move to a multi-plane architecture. Which they had to do if they were going to be peers of all the other multi-plane firewalls.