Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advance Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted advanced shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advance Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction: configurations where the GUI and console tools are reaching their limits. We will suggest a possible workaround for each specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Without the advanced shell it is impossible to change the file upload size limit for the WAF, which is needed for e.g. OWA or Outlook running on MAC OS. For years now Sophos has been telling its partners to use a temporary workaround to "fix" this, using the Advanced shell. It is working, at least as long as you don't edit the corresponding WAF protection policy. I even created a ticket on this, asking when this gets finally fixed, just to get the same lazy answer as everyone else: "use this temporary workaround".

    How can you treat your partners like this for years? It's a shame!

  • There will be a console switch for this limitation in the next upcoming version. 


  • I don't get why it is not possible to just have a GUI option in the settings of any protection policy to control this limit. This makes no sense; instead of implementing such a simple thing you are telling your customers and partners to use this dirty workaround FOR YEARS!

  • Can we please keep this thread on topic? Otherwise this will not be able to be reviewed properly. Thanks.


  • Overall the whole Mail Protection on XG seems to be a "yes, we can do something with mails too"-thing. Users can't even view their very own mail logs, therefore I have to give read-only access to the whole mail protection in the admin portal, which I can't give to normal users since they could see all mails, not just their own. This is just beyond me; UTM's Mail Protection is light years ahead of SFOS', which is a shame considering how old and dated UTM is right now. Anyway, nothing that should be discussed here.
