Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

---

Hi Community,

Having trouble accessing the Web Admin of your Sophos Firewall?

Note: The information below is taken from the KB:Sophos Firewall: Troubleshooting steps when unable to access the GUI

Check the connectivity to the Sophos Firewall 

1. Verify the IP and port through which you are accessing the firewall is correct. If it’s correct follow the steps  in Connect to the Sophos Firewall from the CLI section Otherwise try to access the device on the correct IP and port.
2. Verify if the Firewall is live though PING on LAN/DMZ/WAN IP of the Sophos Firewall.
3. Try to access the User Portal
   • https://<LAN_IP_OF_SophosFirewall>:<Port(default port is 443)>
4. Try to use another browser.
5. Try to SSH to the firewall on its LAN interface IP on port 22 via putty. If you get the access to the firewall, follow the steps in Check the tcpdump output and logs section.

Connect to the Sophos Firewall from the CLI

1.  Refer to Sophos Firewall: How to setup a Serial connection with a console cable 
2. Verify if the appliance access is disabled by running the following command from the console: 

   system appliance_access show

   

3. If the Appliance access is disabled, we need to enable it with the following command.

   system appliance_access enable

   Note: This will cause a network interruption and it will override the configured Appliance Access and allow access to all the services.

4. Try to log into the GUI, if it is successful:
   1. go to Administration > Device access to enable HTTPS on the required zone.

       

   2. Disable the Appliance access from the CLI using the following command:

      system appliance_access disable

      

   3. For Further analysis, you can do a Packet capture when you're trying to access the GUI to find out more about the root cause. Read more in Sophos Firewall: How to filter packets using packet capture.

5.  If the GUI still inaccessible, verify the configured destination port used for https GUI access using the following command:

   psql -U nobody -d corporate -c "select destinationport from tbllocalservicedetails WHERE localserviceid =2"

6. Continue to the following sections. 

Check the tcpdump output and logs

1. Make sure the date and time are set correctly on the firewall. This helps analyzing the tcpdump output accurately. 
2. From the Advanced Shell CLI, run the following command while accessing the GUI:

   tcpdump -nei any port 4444 <or any port which you have configured to access the firewall>

3. Analyze if there is traffic that reaches the Firewall, if not, that means something else out of the Sophos perimeter is blocking the traffic. 
4. If there’s no drop packet while accessing the Firewall, check the following logs for further analysis:
   • tomcat.log
   • csc.log
   • syslog.log

Note: Use these commands:

tail -f /log/tomcat.log

tail -f /log/csc.log

tail -f /log/syslog.log

Check and restart services

1. Check services status using the following command

   service -S (will show status of all services)

2. Specifically, you need to check the status of tomcat service (service of GUI) using the following command:
   

   service -S | grep  -iE 'tomcat|apache' (After grep you can specify any service name which you would like to grep)

3. If the tomcat or apache service shows STOPPED, start it respectively with the following command.

   service tomcat:start -ds nosync

   service apache:start -ds nosync

4. If tomcat or apache service shows DEAD, use the below command respectively to restart it.

   service tomcat:restart -ds nosync

   service apache:restart -ds nosync 

Reset the web admin console certificate to default device certificate

1. From the Advanced Shell CLI:
   • Choose option 2. System Configuration
   • Then option 4. Reset Default Web Admin Certificate
2. Type Y to the following message:

   

3. This should reset the admin certificate to its default which is ApplianceCertificate.

Additional Troubleshooting Suggestions

• If you are unable to access the Web Admin from a certain zone, first check your Local Service ACLs:
  • Example: You can access the Web Admin via LAN, but not via the Wifi zone?
    • Check if HTTPS Device Access is enabled for that zone
    • Administration > Device Access > Local Service ACL
      
      
      
      Note: To configure only certain IPs to access local services (HTTPS, etc.) check out Local Service ACL: How to Configure a Local Service ACL Exception Rule
      
• Check if your device's Certificate Authority is up to date:
  
  • Certificates > Certificate Authorities > Default
    
    
    
    
• Confirm which web admin certificate is being used:
  
  • Administration > Admin & User Setting> Admin Console and user-user interaction > Certificate
    
    
    
    
• Check if a conflicting DNAT/Business Application rule has been created for the web admin port (Default: 4444)

Updated link Added Horizontal Lines Pending: Add Overview, Table of Contents and correct grammar
[edited by: Erick Jan at 6:40 AM (GMT -8) on 22 Nov 2023]