Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in-line with industry best-practices, access to the Advance Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with Not-for-Resale license to set up labs or customer PoC with unrestricted advanced shell. Also, Sophos Support is able access the Advanced Shell via support access channel. Hence, in case of critical issues, support can still can access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (Better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc). However, we acknowledge that Advance Shell restriction might have created challenges in certain database related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching the limits. We will suggest the possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenario.


Sophos Firewall Product Team

  • Hello!

    Thank you for the detailed answer, looking from Sophos perspective it makes sense to disable shell access for licenses they can't fully control; As Home Licenses can be easily obtained without any challenges or verifications. But it's still a bit of an "extreme" decision to take. (From a home user perspective)

    One of the biggest issues of not having access to advanced shell anymore is WAF Logging, which is still poor even now on v19 EAP 1.

    An example, after the WAF rejects a request based on the protection's options, the logging inside the WebUI doesn't show the minimal necessary information to debug on why the request has been blocked - such as rule id which is necessary if you want to disable a certain filter, or more information over the pattern that WAF matched - and what protection category has been trigged, such as "Protocol Enforcement" or "XSS Attacks".

    Anyways, thanks for the official answer!

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 EAP1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Without the advanced shell it is impossible to change the file upload size limit for the WAF which is needed for eg. OWA or Outlook running on MAC OS. For years now Sophos is telling it's partners to use a temporary workaround to "fix" this, using the Advanced shell. It is working, at least as long as you don't edit the correspoding WAF protection policy. I even created a ticket on this, asking when this get's finally fixed, just to get the same lazy answer as everyone else: "use this temporary workaround".

    How con you treat your partners like this for years? It's a shame!

  • As for v18.5 and mail protection: you get absolutely no information why mails get dropped. The only info you get is "Mail has been dropped by policy <Policy name>". With the advanced shell you can at least review the logs and see whats going on. I Don't know if this is still the case with v19 though.

  • +1! Not being able to determine the corresponding rule id for blocked actions renders the whole WAF pretty much useless.

    You guys at Sophos have all your KBs, telling your customers and partners to use the advanced shell like in this specific case (, yet it doesn't come to your mind to just look for the answers in your very own knowledgebase? Face palm‍♂️

  • There will be a console switch for this limitation in the next upcoming version. 


  • You should be able to see the actual reason of a dropping (SMTP log) by mouse over: 


  • WAF is a problematic field of being using Advanced Shell. The question for me (personally) are the use cases of XG Home with a WAF. 
    What are you protecting with WAF as a Home user? Could you give us some particular use cases of this? 
    Is it a home cloud (owncloud etc.) or what are you publishing with a XG Home? 


  • I don't get why it is not possible to just have a GUI option in the settings of any protection policy to control this limit? This makes no sense, instead of implementing such a simple thing you telling your customers and partners to use this dirty workaround FOR YEARS!

  • Can we please keep this thread to the topic of matter? Otherwise this is not be able to be reviewed properly. Thanks.


  • Overall the whole Mail Portection on XG seems to be a "yes, we can do something with mails too"-thing. Users can't even view their very own mails logs, therefore I have to give read only access to the whole mail protection in the admin portal, which I can't give to normal users since they could see all mails, not just their own. This is just beyond me, UTMs Mail Protection is lightyears ahead of SFOS', which is a shame considering how old and dated UTM is right now. Anyway, nothing that should be discussed here.