Hi Community contributors,
Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.
Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.
Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.
Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.
Sophos Firewall Product Team
Well said. Lucar does not understand! Sorry, Lucar, but sometimes you seem to be a robot. I left the community in 2020 and your behaviour is the same "copy and paste". Sophos is going good for intercept…
We are going through each example that you have highlighted due to this change (WAF logs, WAF file size limit, SMTP log, IPSec VPN debug, top/iftop commands, etc.).
Thank you for your feedback. Please continue sharing if you have more such points.
There is no commercial or sales reasoning behind this change. Your feedback has been very helpful and we will consider improving those points in the future.
"There is no commercial or sales reasoning behind this change." I'm left to wonder then, what was the reasoning behind the change? You guys didn't have anything better to do? I don't think anybody is buying the whole "in line with industry best practices" excuse.
Bill, I think that the direction is to reduce the attack surface and lock down the CLI. The approach could be: "let's close the advanced shell to home users and analyze feedback, results, challenges, constraints and so on. Once everything is clear and fixed, the advanced shell will be closed to appliances with licenses." Nothing against that, but before they can really do that, they need to build strong and reliable logging capabilities on XG as UTM had. In 5 years of production experience on UTM, I accessed the console maybe 10 times for cc commands.
Just giving my 2 cents....
I think the decision to cut off that feature has been made and they will not pull back from it.
"Der Drops ist gelutscht", as we used to say here in DE.
I'm sure the Sophos community will suffer badly from this decision. Maybe Sarah Buendia is interested in the community part of it?
I care most for the community part. As commercial support is so bad from Sophos, these forums are vital for paid customers. I cannot count how often - while still waiting for answers from tech support for days or weeks - I got useful help from users here like rfcat_vk or Prism or some of the guys who already posted to this topic, who I believe have most of their experience from their home lab machines. I don't want to miss their experience and I'm looking forward to new experienced users to come.
Whoever needs a shell still has alternatives. I bought new hardware for my home net FW this week. As I stumbled over this thread, guess if I chose Sophos for my home FW?
UTM was my edge firewall for years till it was abandoned by Sophos. I moved to the choice you have made a few years ago and never even log in to my firewall. It just works, is secure, no remote execution problems, the GUI is really fast, my Suricata and Snort rules are tailored for me, I can choose how aggressive my blacklists are for ad blocking, etc. IPv6 works; the only negative would be QoS, which is not as polished as Linux distros and is hard to tune.
As Bill Roland pointed out, the decision had already been made and this thread was just a placeholder. lferrara, I agree that with a stable firewall you hardly ever need the CLI, but XG is far from it. If they wanted to close Linux CLI access, they needed to expand their own console OS to keep up with industry standards, but they haven't done that either.
They keep on pushing the community away and never listen to any feedback. Add aggressive deletion of posts that they don't agree with and that is what we have.
Oh, I almost forgot, they just added WAF to OPNsense, so check that out also when you're evaluating.
I'll personally never use pfSense because of the vindictive, out-of-control behavior they demonstrated during the OPNsense break. And I won't use OPNsense because they're replacing their entire foundation at this point. Glad it works for you.
I also like getting updated rules on perhaps an hourly basis. If you're willing to wait a month, Snort is fine. (Suricata has no real advantages over the latest Snort, as far as I can tell.) You can get Snort updates more often, but it's not cheap.
And to really have a stable pfSense, you have to use your own hardware, which some of us have sitting around and enjoy as a part of our hobby and some of us do not.
Yep, Sophos has issues, and I've come late to the table so don't have the painful scars that some have. But it does feel like the 18 - 18.5 - 19 progression is making rapid progress, and that perhaps they needed to go to XG (over the more featureful UTM) in order to move to a multi-plane architecture. Which they had to do if they were going to be peers of all the other multi-plane firewalls.
Snort rules are not released on an hourly basis. Snort community rules are free for home users and are released every day and are not 30 days behind. Regardless, I am not arguing against the benefits of having a full-featured firewall doing everything for you, and that's what made Sophos/Astaro so great for most of us home users. And as much as I have appreciated their full-featured firewall free for home use, I am tired of their constant disregard and sometimes hostile stance against certain community members.
Suricata has a definite benefit over the old Snort version that is used in XG and SG. The only reason they stuck with Snort is OpenAppID, which is a logical choice for a layer 7/next-gen firewall. As far as the Netgate/pfSense employees' behavior and their failures on certain releases, it's well documented on Reddit etc., and I am by no means advocating what any users should use here. In fact, till a few years ago, it was a no-brainer to run Sophos software for free at home, and if it still fulfills your needs, by all means use what you like.
I understand that Snort rules aren't released on an hourly basis. However, Sophos checks for pattern updates on an hourly basis, which means I could get them as soon as an hour after release. If you get your Snort rules for free, they are in fact delayed 30 days. That's one of the things they offer you for your shopping dollar: "get updates 30 days sooner".
I'm not sure if they offered the personal ($30/year) plan when I researched it before buying Sophos. All I remembered was the $400/year Business plan. (Though when I just looked at their website, they do still seem to differentiate the extent of rules they make available to personal versus business.)
Yes, Sophos uses old Snort, just running multiple copies because it isn't multithreaded. Which was Suricata's claim to fame. Which has apparently been negated with the latest Snort. Not saying Sophos' use case is better, just saying that Suricata has seemingly lost its main claim to fame (being multi-threaded) as an advantage. Seems to me that if you're not locked into a commercial vendor, why use Suricata?
Hah, you had me at "reduce the attack surface", that was a good one. For the past couple of days I partly reverse engineered the XG and now know that the attack surface is not what is reduced. And there are enough ways to get into the shell access even as a home user. This is just a "have an iron door on a mud hut" thing.
By the way, the CLI is just a shell script, doing actions (calling programs, etc.). So nothing fancy here. Maybe we should start our own Sophos XG CLI mod on GitHub xD
Thanks for the feedback. This is already addressed and will be closed on the GA release.
BTW: Sophos offers a Bug Bounty Hunter program, https://bugcrowd.com/sophos, if you are interested in reporting security-related issues.