Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have the option of a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where the GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • I support that decision generally. Of course I agree with those now losing important logging and debugging features on the shell.

    But as a licensed customer I think this is a big plus for my business security that hackers cannot scan the SFOS for security flaws from the inside of the OS.

    On the other hand, hackers that have already "earned" thousands or millions of dollars by extorting their victims can easily buy a licensed cheap XG appliance and register it to some fake or real business. They'd even get support for it.

  • For me you've hit the nail on the head. I can understand deciding to remove shell access across the board to make the product more secure but it just seems completely flawed logic to leave it in for one group and remove it from another. Nobody from Sophos has given any explanation of this decision.

    "and in-line with industry best-practices" is a meaningless phrase - "Sorry darling, I'm not going to do any of the supermarket shopping from now on, in line with industry best practices".

    Although it seems I may have been the first one to raise this change - https://community.sophos.com/sophos-xg-firewall/f/discussions/131857/loss-of-advanced-shell-in-sophos-firewall-v19 , I haven't felt much point in contributing to the discussion as, like , I believe this is a 'done deal' and there is no going back.

  • I have been a member of the community since 2011 and I have seen many home users giving huge contributions to UTM. I am a home user, as I do not propose XG to customers anymore because it has so many limitations that considering it an enterprise product is ridiculous. Before selling XG, I ran XG at home and during the first 12 months I opened more than 50 feature requests and gave my contribution to improve the product, although PM does not listen or simply does not want to understand. Thanks to shell access, I was able to investigate in depth what the issue was when SSL VPN was not working (a certificate issue and nothing in the UI), services not starting because something was missing, and on and on. I am not a user that is here anymore, as I am disgusted with XG and how bad the product is and how it did not improve on logging and reporting, but closing even Advanced Shell access for home users is cutting off all the great people that can give feedback and help here, even to enterprise people coming to the community.

    I have real experience of people getting a fast and great response here, better than contacting Sophos Support. I helped a lot of people in the past to find the issue. Restricting the Advanced Shell can improve the security of the product, but Sophos, you should close the Advanced Shell only once logging and troubleshooting are useful, quick to comprehend and complete. Log viewer and packet capture are useless most of the time. But again, I have not been listened to much in the past and I am not surprised that Sophos starts now!

    Look at the NAT option. Cloning a NAT rule is not possible, why? Such a simple feature would enhance usability. Server wizard creation was my idea, as creating DNAT was confusing people. Mine was even better than the grayed-out and simple window they created!

    XG is sold because the price is low compared to other products and many managers now need to save money, but most of the time they do not renew the contract, as logging requires deep knowledge, especially of the Advanced Shell, that most system admins do not have!

  • You make good points. And `lferrara` makes a strong argument as well. I would add two things:

    1. Advanced Shell != CLI. I think most competitors offer a CLI, not unrestricted shell access to the underlying OS. Sophos could potentially add features to the CLI if there's still a need to do some things in a terminal-like environment.

    2. "Lots of software companies license software that is free for non-commercial use and paid for commercial use - identical software." This is almost always open source projects and companies that make money off of consulting services for open source projects. The examples of actual commercial software that I know of have sometimes severe feature restrictions on the free version.

    (For example, I use DaVinci Resolve as a video editor. There's a free version that does a LOT of what the paid (only $300) version does. But there are differences like its use of GPU resources, how large a frame size it supports, many specialized filters and AI features, etc. They mainly sell the paid version so cheaply to sell their video hardware.)

    Again, this could be a bad move and Sophos could lose lots of gurus that power these forums, and suggest new features, etc. Yes, there is no "have to" about this. It's a decision, and Sophos needs to pay their employees and bills and hopefully someone is weighing that tradeoff wisely and not just trying to juice sales a little bit but lose a lot of value. I can accept arguments that it's a bad idea. I can't accept arguments that they have no conceivable reason for making the decision.

  • We need to talk about the persona affected by this change.
    From what I can tell: most people here are Sophos Partners? Or am I wrong about that? Is a single person in this thread a home user with no ties to Sophos or a customer, using this product at home?

    Because a Sophos Partner "persona" is not affected by this, if he/she is a certified Sophos architect. A Sophos architect can simply request a valid license with Xstream Protection (additional features compared to Home) for his home deployment. So this persona can still do everything like before and even gets more features. I highly encourage you to simply request this license and use it going forward. It is even tied to a Central license for EP features. So you could actually rebuild the entire Sophos ACE stack and not only the firewall.

    The persona of "home user" will be restricted: the persona with no ties to Sophos in such a manner. If a customer persona (a customer using Sophos Firewall in his company) wants to have a valid license for his testing / home, Sophos Sales could be involved to discuss the possibilities.

    Most of the points in this sub-thread are about the work of a Sophos partner (architect): testing, implementing, looking at configuration at home first.

    But still I am standing by the assumption that a Sophos home user persona will probably not notice this change.


  • I am an end user that uses home license. I have many friends who deploy firewalls and I probably can get an NFR license but there was never a need. I have already stated how I will be affected by this change.

    Regards

  • Sophos stopped listening to feedback from the community around v16 and started actively deleting posts with v18. I don't post anymore since it is a waste of time once the decision has been made by the PM.

    As far as pfSense/OPNsense etc. go, you can run pfBlockerNG for blacklists and use a DNS forwarder like 1.1.1.3 etc. that will do everything that XG does. If you don't pay for Snort rules, the free version is a little behind on updates but good enough for home use. The only thing that Sophos offers extra at that point is antivirus. There are many antivirus companies that give free versions for endpoints, so that is not that big of a deal either.

    I learned the hard way from using Vyatta that free versions can be taken away quickly. I had always supported the Astaro guys and then the Sophos team, but at this point whatever they decide is up to them, and frankly the feedback here is more of a back and forth between us end users.

    Regards

  • Well said. Lucar does not understand! Sorry, Lucar, but sometimes you seem to be a robot. I left the community in 2020 and your behaviour is the same "copy and paste". Sophos is doing well with Intercept X and Endpoint. Even spam filtering is bad now, as other products do the job much better. UTM was another story, and if many newbie Sophos employees are in the Firewall group here, it is because of the success of Astaro and not because of the Cyberoam OS upgrade to XG. But again, it is a wasted breath!

    Sophos should count how many partners and customers renew the license and not how many licenses they sell throughout the year! Smart companies count how many employees they are able to keep at the end of the year, and not how many employees the company hires! Over the years, I have seen very bad engineering knowledge here, and the few people that are computer engineers design the product using datasheets or data, without calculating the "error". The error here is not listening in the proper way, but using the old fashion: Gold Partners or distributors. I know several Gold Partners that are ignorant about the products. Many distributors are there because they sell big deals, and they do not care if the product has a feature, but they care about products having great discounts. Sophos should start using new technologies and go directly to end users, as in passing feature requests from end users to partners and to distributors, most of the information is lost! But again, it is a wasted breath!

    Unfortunately, I am reasoning as a Computer Engineer with years and years of experience....


  • Thanks for the Feedback. 


  • In my opinion, the problem is that Sophos is controlled by a fund. I'm a Partner but I have a Sophos XG "Home" at home where I used to do the tests. I gritted my teeth with XG 15, XG 16... I agree with lferrara; let's see in 2 years' time how many renewals Sophos will bring home on the UTM side ....
