Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option of a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools are reaching their limits. We will suggest a possible workaround for each specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • I support that decision generally. Of course I agree with those now losing important logging and debugging features on the shell.

    But as a licensed customer I think this is a big plus for my business security that hackers cannot scan the SFOS for security flaws from the inside of the OS.

    On the other hand, hackers that "earned" thousands or millions of dollars by extortion of their victims already can easily buy a cheap licensed XG appliance and register it to some fake or real business. They'd even get support for it.

  • Or... they could get a trial license which has the shell on it.

    And get access to almost all products at the same time for a month.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • For me you've hit the nail on the head. I can understand deciding to remove shell access across the board to make the product more secure but it just seems completely flawed logic to leave it in for one group and remove it from another. Nobody from Sophos has given any explanation of this decision.

    "and in-line with industry best-practices" is a meaningless phrase - "Sorry darling, I'm not going to do any of the supermarket shops from now on, in-line with industry best-practices".

    Although it seems I may have been the first one to raise this change (https://community.sophos.com/sophos-xg-firewall/f/discussions/131857/loss-of-advanced-shell-in-sophos-firewall-v19), I haven't felt much point in contributing to the discussion as, like , I believe this is a 'done deal' and there is no going back.

  • The logic isn't flawed: one group is paying and the other isn't. So there are two reasons for doing what they are proposing:

    1. Give paying customers additional value, and give non-paying customers a little bit more incentive to upgrade.

    2. Paying customers are more likely to have knowledgeable, dedicated personnel to manage the firewall. This means that the extra flexibility is less likely to cause problems for Sophos (and the customer), and that the customer is more likely to not accept limitations on what they can do. (And since they're paying customers, you don't want to restrict them in comparison to your competitors.)

    This all started because Sophos marketing decided to try to improve the optics by talking about "industry standard", which focuses people on "more secure". But that's not the issue at all. It's a marketing decision (#1, above), and a marketing/support decision (#2), and isn't truly related to "best practices", in the same way that no longer being able to redisplay the QR code for an OTP isn't.

  • Maybe Sophos PM listens carefully. I hope.

    We'll lose some highly skilled guys here running their home versions.

    Eventually a solution for both sides would be to enable the tools raised in this thread in SSH or a limited SSH-style box that can be run from GUI.

    Or spend some NFR licenses on those big contributors of these forums without a paid license, at least.

  • There's no way that Sophos is changing anything back and yeah, no real explanation although asked for multiple times, and for sure there won't be any further explanation in the future. That's Sophos. The last update on their SPX Outlook add-in was waaaay back in 2013; it gives you nice error messages when installing it with modern Outlook 365, but hey: restricting home users seems more important than actually fixing their products. #facepalm

  • I received an XG115w Rev.3 from Sophos last month, and I've been using it since then. (Including all licenses for 3 years.)

    But even then, it's sad to see a feature which I used for such a long time on my own home license getting removed without a good explanation.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • +1 LHerzog. We do want knowledgeable folks here.

    At the same time, what alternative is there that people would flee to? I compared pfSense and to get the same value I'm getting, I'd pay about as much. (I don't have lots of servers sitting around the house, so would end up purchasing new hardware, and subscribing to real-time Snort updates is not cheap.) There are inexpensive alternatives (again, assuming you have hardware already and aren't subscribing to updates) like Untangle. And that's pretty much it.

    I don't want to suggest that Sophos has a captive audience, but at the same time I think their Home XG is a unique product. Cisco, PAN, Fortinet, et al don't have anything comparable. And if you choose -- as I have -- to pay up and run on an XGS appliance you actually get a dual-plane firewall which free alternatives will never have.

  • Yes, the "industry standard practices" explanation is stupid. Someone in marketing should have their Christmas bonus rescinded for coming up with that one.

    But the real explanation is simple: 1) there should be some differentiation between paid and free such that there is some reason for those requiring higher performance to upgrade to paid, and 2) paying customers are more likely as a group to need and to be able to use unrestricted shell access.

    Sophos has already improved several aspects (logging, etc.) so that you don't need more than the GUI, and this topic is a way for them to gather other use cases. If they make the WAF configuration possible from the GUI, that actually increases the usability for the vast majority of home users while also eliminating non-esoteric reasons for them wreaking havoc by blindly following someone's instructions and going into the Advanced Shell.

  • Trial SFOS does not have the Advanced Shell. Only a paid license.