Restricted Advanced Shell - examples of challenges

Hi Community contributors,

Starting with Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in line with industry best practices, access to the Advanced Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with a Not-for-Resale license to set up labs or customer PoCs with an unrestricted Advanced Shell. Also, Sophos Support is able to access the Advanced Shell via the support access channel. Hence, in case of critical issues, support can still access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs, etc.). However, we acknowledge that the Advanced Shell restriction might have created challenges in certain database-related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching their limits. We will suggest a possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenarios.

Sincerely,

Sophos Firewall Product Team

  • Hello!

    Thank you for the detailed answer. Looking at it from Sophos's perspective, it makes sense to disable shell access for licenses they can't fully control, as Home Licenses can be easily obtained without any challenges or verifications. But it's still a bit of an "extreme" decision to take (from a home user's perspective).

    One of the biggest issues of not having access to the advanced shell anymore is WAF logging, which is still poor even now on v19 EAP 1.

    For example, after the WAF rejects a request based on the protection's options, the logging inside the WebUI doesn't show the minimal information necessary to debug why the request has been blocked - such as the rule id, which is necessary if you want to disable a certain filter, or more information about the pattern that the WAF matched - and what protection category has been triggered, such as "Protocol Enforcement" or "XSS Attacks".

    Anyways, thanks for the official answer!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • The logviewer is way too slow; during troubleshooting I definitely need the console ability.
    Expressed the other way around - I see NO reason to deactivate it.
    That's independent of licensed / not licensed!
    Our technicians are using the home license for their home and family, like it's planned, and for troubleshooting the CLI is needed - definitely.
    I can't understand the reason behind thinking about disabling that feature...
    Please don't forget the knowledge that technicians get when they are fiddling around with their home XGs. Imho it would be very unwise and a big step back to cancel that ability.

    Regards

    Olaf Pelzer
