Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option of a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configuration, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction: configurations where the GUI and console tools reach their limits. We will suggest possible workarounds for each specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • I support that decision generally. Of course I agree with those now losing important logging and debugging features on the shell.

    But as a licensed customer I think this is a big plus for my business security that hackers cannot scan SFOS for security flaws from inside the OS.

    On the other hand, hackers who have already "earned" thousands or millions of dollars by extorting their victims can easily buy a cheap licensed XG appliance and register it to some fake or real business. They'd even get support for it.

  • For me you've hit the nail on the head. I can understand deciding to remove shell access across the board to make the product more secure but it just seems completely flawed logic to leave it in for one group and remove it from another. Nobody from Sophos has given any explanation of this decision.

    "and in-line with industry best-practices" is a meaningless phrase - "Sorry darling, I'm not going to do any of the supermarket shops from now on, in-line with industry best-practices".

    Although it seems I may have been the first one to raise this change - https://community.sophos.com/sophos-xg-firewall/f/discussions/131857/loss-of-advanced-shell-in-sophos-firewall-v19 , I haven't felt much point in contributing to the discussion as, like , I believe this is a 'done deal' and there is no going back.

  • +1 LHerzog. We do want knowledgeable folks here.

    At the same time, what alternative is there that people would flee to? I compared pfSense and to get the same value I'm getting, I'd pay about as much. (I don't have lots of servers sitting around the house, so would end up purchasing new hardware, and subscribing to real-time Snort updates is not cheap.) There are inexpensive alternatives (again, assuming you have hardware already and aren't subscribing to updates) like Untangle. And that's pretty much it.

    I don't want to suggest that Sophos has a captive audience, but at the same time I think their Home XG is a unique product. Cisco, PAN, Fortinet, et al don't have anything comparable. And if you choose -- as I have -- to pay up and run on an XGS appliance you actually get a dual-plane firewall which free alternatives will never have.

  • Yes, the "industry standard practices" explanation is stupid. Someone in marketing should have their Christmas bonus rescinded for coming up with that one.

    But the real explanation is simple: 1) there should be some differentiation between paid and free such that there is some reason for those requiring higher performance to upgrade to paid, and 2) paying customers are more likely as a group to need and to be able to use unrestricted shell access.

    Sophos has already improved several aspects (logging, etc.) so that you don't need more than the GUI, and this topic is a way for them to gather other use cases. If they make the WAF configuration possible from the GUI, that actually increases the usability for the vast majority of home users while also eliminating non-esoteric reasons for them wreaking havoc by blindly following someone's instructions and going into the Advanced Shell.

  • Why does there have to be differentiation between paid and free? There is no have about it, it's a choice. Lots of software companies licence software that is free for non-commercial use and paid for commercial use - identical software. They, and Sophos, don't do it out of the goodness of their hearts, they do it because it makes commercial sense. It generates interest and knowledge of their products that they hope will be converted to a commercial involvement further down the road.

    The sort of people who use a home licence aren't your average home user. Most home users struggle to change the default password on their ISP supplied router! A lot of home licences will be used by people who already have an involvement with IT and may even have some influence in what is used at work. Giving these people a free home licence costs Sophos almost nothing. Worst case scenario it improves brand awareness, best case it leads to commercial sales.

    I have a small IT company supporting SMBs. I used Sophos UTM at home for over a year and then switched to XG as that was where Sophos seemed to be going. There came a point where we were looking to get customers investing in better solutions than simple ACL firewalls. Our experience was all with Cisco but their solutions were not cost effective for our customer base. We were also looking to replace Symantec following their sale to Broadcom. By this time, I had been using Sophos XG at home for over a year and was confident that it would make a suitable solution for our customers. Since then, our firewall and endpoint protection solution has been Sophos. All this was because Sophos initially made available a free Home licence that allowed me over a long period of time to gain experience and enough confidence with their product.

    It is also clear from this thread that a lot of people use their home XG to 'play' and 'test' and hone their knowledge and skills. Everything I have implemented at work and for our customers was first tried out at home. I am far more likely to want/risk access to the shell on my home XG than a work or customer XG. That's just about professional responsibility.

    It is clear that a significant number of people here use their home setups in the same way I do. Some of these people are extremely knowledgeable and I have benefited from their knowledge and Sophos staff contributions in this forum. It would be a great shame to lose any of those people's contributions as I would rate this forum as one of the best things about Sophos.

  • I have been a member of the community since 2011 and I have seen many home users giving huge contributions to UTM. I am a home user as I no longer propose XG to customers, as it has so many limitations that considering it an enterprise product is ridiculous. Before selling XG, I ran XG at home and during the first 12 months I opened more than 50 feature requests and gave my contribution to improve the product, although PM does not listen or simply does not want to understand. Thanks to shell access, I was able to investigate in depth what the issue was when SSL VPN was not working (certificate issue and nothing in the UI), services not starting because something was missing, and on and on. I am not a user that is here anymore as I am disgusted with XG and how bad the product is and how it did not improve on logging and reporting, but closing even advanced shell access for home users is cutting off all the great people who can give feedback and help here, even to enterprise people coming to the community.

    I have real experience of people getting fast and great responses here, better than contacting Sophos support. I helped a lot of people in the past with finding the issue. Restricting the advanced shell can improve the security of the product, but Sophos, you should close the advanced shell once logging and troubleshooting are useful, quick to comprehend and complete. Log viewer and packet capture are useless most of the time. But again, I have not been listened to much in the past and I am not surprised that Sophos starts now!

    Look at the NAT option. Cloning a NAT rule is not possible, why? Such a simple feature would enhance usability. The server creation wizard was my idea, as creating DNAT was confusing people. Mine was even better than the grayed-out and simple window they created!

    XG is sold because the price is low compared to other products and many managers now need to save money, but most of the time they do not renew the contract, as logging requires deep knowledge, especially of the advanced shell, that most system admins do not have!

  • You make good points. And `lferrara` makes a strong argument as well. I would add two things:

    1. Advanced Shell != CLI. I think most competitors offer a CLI, not unrestricted shell access to the underlying OS. Sophos could potentially add features to the CLI if there's still a need to do some things in a terminal-like environment.

    2. "Lots of software companies license software that is free for non-commercial use and paid for commercial use - identical software." This is almost always open source projects and companies that make money off of consulting services for open source projects. The examples of actual commercial software that I know of have sometimes severe feature restrictions on the free version.

    (For example, I use DaVinci Resolve as a video editor. There's a free version that does a LOT of what the paid (only $300) version does. But there are differences like its use of GPU resources, how large of a frame size it supports, many specialized filters and AI features, etc. They mainly do the paid version so cheaply to sell their video hardware.)

    Again, this could be a bad move and Sophos could lose lots of gurus that power these forums, and suggest new features, etc. Yes, there is no "have to" about this. It's a decision, and Sophos needs to pay their employees and bills and hopefully someone is weighing that tradeoff wisely and not just trying to juice sales a little bit but lose a lot of value. I can accept arguments that it's a bad idea. I can't accept arguments that they have no conceivable reason for making the decision.

  • We need to talk about the persona affected by this change.
    From what I can tell, most people here are Sophos Partners? Or am I wrong about that? Is a single person in this thread a home user with no ties to Sophos or a customer, using this product at home?

    Because a Sophos Partner "persona" is not affected by this if he/she is a certified Sophos architect. A Sophos architect can simply request a valid license with Xstream Protection (additional features compared to Home) for his home deployment. So this persona can still do everything like before and even gets more features. I highly encourage you to simply request this license and use it going forward. It is even tied to a Central license for EP features. So you could actually rebuild the entire Sophos ACE stack and not only the firewall.

    The persona of "home user" will be restricted: the persona with no ties to Sophos in such a manner. If a customer persona (a customer using Sophos Firewall in his company) wants to have a valid license for his testing / home, Sophos Sales could be involved to discuss the possibilities.

    Most of the points in this sub-thread are about the work of a Sophos partner (architect): testing, implementing, looking at configuration at home first.

    But still I am standing by the assumption that a Sophos home user persona will probably not notice this change.


  • I am a home user; is a home user too.

  • I am an end user that uses home license. I have many friends who deploy firewalls and I probably can get an NFR license but there was never a need. I have already stated how I will be affected by this change.

    Regards

  • Sophos stopped listening to feedback from community around v16 and started actively deleting posts with v18. I don't post anymore since it is waste of time once the decision has been made by the PM. 

    As far as pfSense/OPNsense etc. go, you can run pfBlockerNG for blacklists and use a DNS forwarder like 1.1.1.3, etc., that will do everything that XG does. If you don't pay for Snort rules, the free version is a little behind on updates but good enough for home use. The only thing that Sophos offers extra at that point is antivirus. There are many antivirus companies that give free versions for endpoints so that is not that big of a deal either.

    I learned the hard way from using Vyatta that free versions can be taken away quickly. I had always supported the Astaro guys and then the Sophos team, but at this point whatever they decide is up to them and frankly the feedback here is more of a back and forth between us end users.

    Regards

  • Well said. Lucar does not understand! Sorry, Lucar, but sometimes you seem to be a robot. I left the community in 2020 and your behaviour is the same "copy and paste". Sophos is doing well for Intercept X and Endpoint. Even spam filtering is bad now as other products do the job much better. UTM was another story, and if many newbie Sophos employees are in the Firewall group here, it is because of the success of Astaro and not because of the Cyberoam OS upgrade to XG. But again, it is a wasted breath!

    Sophos should count how many partners and customers renew the license and not how many licenses they sell throughout the year! Smart companies count how many employees they are able to keep at the end of the year, and not how many employees the company hires! Over the years, I have seen very bad engineering knowledge here, and the few people who are computer engineers design the product using datasheets or data, without calculating the "error". Error here is not listening in the proper way, but using the old fashion: Gold partners or distributors. I know several Gold Partners that are ignorant about the products. Many distributors are there because they sell big deals and they do not care if the product has a feature, but they care about products having the great discounts. Sophos should start using new technologies and go directly to end users, as in passing feature requests from end users to partners and to distributors, most of the information is lost! But again, it is a wasted breath!

    Unfortunately, I am reasoning as a Computer Engineer with years and years of experience....
