Hi Community contributors,
Starting Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in-line with industry best-practices, access to the Advance Shell is restricted to licensed commercial versions of the product.
Partners and certified architect engineers have an option with Not-for-Resale license to set up labs or customer PoC with unrestricted advanced shell. Also, Sophos Support is able access the Advanced Shell via support access channel. Hence, in case of critical issues, support can still can access it.
Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (Better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc). However, we acknowledge that Advance Shell restriction might have created challenges in certain database related configurations, especially for home users.
Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching the limits. We will suggest the possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenario.
Sophos Firewall Product Team
Well said. Lucar does not understand! Sorry, Lucar, but sometimes you seem to be a robot. I left the community in 2020 and your behaviour is the same "copy and paste". Sophos is going good for intercept…
So industry best practices apply to unsupported home users? Fully licensed admin can bork their appliance and support will fix it and industry best practices seem moot?
Here are my use cases that I use shell for all the time.
1.Run top, just to check whats happening on my machine including hung daemons etc which can happen with any software.
2. Run iftop to get a quick snapshot of whats happening on my network.
3. Change different kernel parameters like swappiness and change my IO scheduler to noop since I run under esxi.
4. Look at logs since its much easier to grep them in the shell.
5. People have mentioned WAF but luckily UTM is not EOL yet.
There maybe other reasons but other than industry best practices, can you guys give a solid reason for restricting home license only. Unless theft of software is a big issue and you guys can't fix it by using better methods. This one is a total head scratcher.
Just to talk about those points:
top vs the present "GUI" system graphs. What do you missing? I assuming the processes? "Hung Daemons" is a theoretical case, but likely software will restart the system, if a process is in a invalid state. So just to be sure: Did this ever occur to you in the past with SFOS?
iftop vs GUI: What about the live connection window. It can also show you filters etc. What is the advantage of using iftop vs the present GUI option? Just we collect more information.
Your Kernel Parameters seems something, which is actually missing now. But could be controlled theoretically via vmware tools, which are on the appliance itself. Sophos can take this feedback.
System graphs are a snapshot of system. Lets say your memory is sitting at 100 percent, how do you know what is causing this? I am not arguing against what is provided in the gui. I am stating what I use the cli for.
Live connections window is the same way. You really can't compare a gui window that refreshes every few seconds to the instant snapshot of iftop
This is my genuine feedback. If you guys make change to license and take cli away, please mention in release notes and be done with it. Most home users probably would never miss it. Otherwise I am just an end user, I have many choices and if I don't like what you provide, nobody is forcing me to use the software. I have appreciated astaro and now sophos continued commitment to provide fully functioning software to home users at no cost. If that commitment has changed for any reason, sophos doesn't need to justify it to me or anyone else.
Agree with Billybob on `iftop`. I hadn't thought of using Live Connections, so I've been trying them. Three issues: 1) Five seconds is a long time, 2) not as easy to stop refreshing when you want to look at something that just popped up that's odd, and 3) it's not clear what the Kbps time period is and not clear that it means Kbps and not KBps. The `iftop` command is snappy, you can freeze it immediately, and it gives you rates over multiple time periods so you can watch for more of an instantaneous and more of a continuous average at the same time.
Fast refresh in a GUI is probably a mistake, since it's pulling horsepower from the actual firewall job. So maybe allowing access via the CLI would be a good compromise?
As an example, I'm looking for an a machine that's streaming a multi-Mbps video stream. Using Live Connections sorted by download and viewing by IP, the machine bounces in and out of the top. Evidently there's some interaction of sorts between the 5 second refresh, what period of time Sophos is actually calculating over, and perhaps bursty streaming (as streaming programs overfill buffers and throttle themselves, I guess), it's frustrating to see the streamer in the top. Multiple refreshes can show apparently no download.