Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Hello!

    Thank you for the detailed answer. Looking from Sophos' perspective it makes sense to disable shell access for licenses they can't fully control, as Home Licenses can be easily obtained without any challenges or verifications. But it's still a bit of an "extreme" decision to take (from a home user perspective).

    One of the biggest issues of not having access to advanced shell anymore is WAF Logging, which is still poor even now on v19 EAP 1.

    An example: after the WAF rejects a request based on the protection's options, the logging inside the WebUI doesn't show the minimal necessary information to debug why the request has been blocked - such as the rule id, which is necessary if you want to disable a certain filter, or more information on the pattern that the WAF matched - and what protection category has been triggered, such as "Protocol Enforcement" or "XSS Attacks".

    Anyways, thanks for the official answer!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • +1! Not being able to determine the corresponding rule id for blocked actions renders the whole WAF pretty much useless.

    You guys at Sophos have all your KBs telling your customers and partners to use the advanced shell, like in this specific case (https://support.sophos.com/support/s/article/KB-000035562?language=en_US), yet it doesn't come to your mind to just look for the answers in your very own knowledge base? Face palm

  • WAF is a problematic area when it comes to using the Advanced Shell. The question for me (personally) is the use cases of XG Home with a WAF.
    What are you protecting with the WAF as a home user? Could you give us some particular use cases of this?
    Is it a home cloud (ownCloud etc.) or what are you publishing with an XG Home?

    __________________________________________________________________________________________________________________

  • I specifically run my own Exchange Server for my private mail domain. This is a good opportunity to test out new updates or configurations and to find problematic WAF rules. Sure, I can just migrate my 3 mailboxes to MS365, but for me the WAF on home devices was always a good opportunity to test something out in a somewhat real environment without disrupting any businesses. Additionally I publish a Synology NAS through the WAF to use their cloud and web functionalities.

  • Are you a Sophos Partner or Customer? Just to understand the use case here. 

    __________________________________________________________________________________________________________________

  • I am a partner. Since UTM the Home version was a good reason for many to check out Sophos firewall products in detail, and I'm sure Sophos won many customers and partners just because of this version that no one else offers. Sure, as a partner we get NFR licenses for our own firewall, but do I want to tinker around with our production network? No.  wrote that support could still access the shell, but how should I interpret this? That support is starting to actively support home users? Really?!

    I don't see the point in all of this, except you'd tell me right now that Sophos has some clear evidence that the Home version is used commercially in a bigger scale, which I can't imagine is the case, but who knows?

    If you would supply your partners and customers with an easy way to get NFRs for virtual devices, I'd probably be happy and leave you alone with this, though I still don't get the point.

  • Essentially Sophos as a company can still access the appliance in case of bug tracking or something. For example, a Home user discovers a bug in V19.0 and wants to report it. DEV can access the appliance and investigate this issue via SupportAccess. 

    From my point of view as the most active person in the community by far (see leader board), the advanced shell is not needed in the majority of "threads", simply because the product is in a state of having a simple UI to get the most common issues configured or debugged via the GUI. And I am talking about a new installation / configuration of a home appliance. Most home users have an average use case of simple setups. And most likely, if you look at the threads by home users, there are certain configuration issues which do not need any interaction with the CLI. Most likely if I point to "do a packet capture" they are most comfortable with the packet capture in the GUI.

    Sophos Product Management wants to gather the open spots: use cases which the product does not cover (today).

    There are valuable contributions to this thread already. 

    There are currently two different programs for partners. The partner as an organisation can get NFR licenses for its own organisation, for example for the partner's own firewall. Then there is a program for education. If you are a Sophos Architect (you did the training and certification) you can get all Sophos products (and a 3-year Sophos Firewall subscription) for your own environment.

    __________________________________________________________________________________________________________________

  • Hi 

    I'm a Sophos XG Architect, where can I find that three-year license you are talking about?

    Thanks.

    Bart van der Horst


    Sophos XG v18(.5) / v19 Certified Architect
    https://www.bpaz.nl

  • I'm hosting the Synology sync service (aka Drive etc.) for myself. The WAF is protecting very well, but false positives are common.

    __________SETUP___________

    HP Small Form Factor: i5 4 cores, 8 GB of RAM
    Intel Network Card 5x Eth
    SSD: 256 GB