[Sophos XG] How to execute command by ssh in firewall ?

In addition to Ian, you can log in to SSH.  select #7 on the option for shutdown

My previous answer was flagged as abuse because of empty command as example...

"  select #7 on the option for shutdown"

I dont want manually CLICK/Select. I would like to pass command through ssh command - directly.
#ssh adress + shutdown command (or any other command). Thats all - How to do that when this menu is active after being logged?

Hello,

There is no such option to disable main menu. Once you are into the advance shell. You can use the command shutdown to power off the device. 

Ok so there is no way to shutdown/reboot firewall (or whatever) by single ssh command?
You have to log in, then press number, then get to console, then put command poweroff or reboot. Really? I would suggest to sophos team to add option where you can optionally turn off this text menu. Probably i will be forced to rewrite initial script on sophos.

Hello,

What is the use case of it?

In my case - the convenience. Very often i have to turn off firewall gracefully (as it should be). Im tired doing it by webpage while it could be done by one click.  I can also imagine many administrators would welcome this (fw maintenance).

I do this all the time our devices in the lab and it works fine.  However I don't know if customer boxes are deployed differently.

Note that when doing this you don't have a bash shell (which in SFOS is busybox), so you also don't have things like a path.

ssh admin@10.0.0.1 '/bin/ls /etc/'

ssh admin@10.0.0.1 '/bin/poweroff'


You can add your ssh key for passwordless access in Administraton > Device access.

EDIT: Seems this is not possible on customer devices.  Internal sophos labs works differently.

I do this all the time our devices in the lab and it works fine.  However I don't know if customer boxes are deployed differently.

Note that when doing this you don't have a bash shell (which in SFOS is busybox), so you also don't have things like a path.

ssh admin@10.0.0.1 '/bin/ls /etc/'

ssh admin@10.0.0.1 '/bin/poweroff'


You can add your ssh key for passwordless access in Administraton > Device access.

EDIT: Seems this is not possible on customer devices.  Internal sophos labs works differently.

It looks like the ability to do this was deliberately removed in order to harden Sophos Firewall boxes from external attacks, likely in the 19.0 timeframe.  Sorry to get your hopes up.

"in order to harden Sophos Firewall boxes from external attacks"
Im wondering also what was point to remove that (if i remember well on Sophos UTM i used ssh normally just like on every other linux - hardened-server).

I dont get point with hardening in this way. If unprivileged person can login as admin - this is over and  text menu dont stop him :p. Its problem on security network level and how he/she got privilege and private key - not problem with hardnening of sophos in such odd manner.