Restricted Advance Shell - examples of challenges

Hi Community contributors,

Starting Sophos Firewall v19, with the addition of many comprehensive logging enhancements in the GUI, and in-line with industry best-practices, access to the Advance Shell is restricted to licensed commercial versions of the product.

Partners and certified architect engineers have an option with Not-for-Resale license to set up labs or customer PoC with unrestricted advanced shell. Also, Sophos Support is able access the Advanced Shell via support access channel. Hence, in case of critical issues, support can still can access it.

Sophos Firewall has been incrementally improved since v18 with comprehensive logging enhancements in the GUI (Better search, filtering, configurations, SD-WAN logs, VPN logs, gateway logs etc). However, we acknowledge that Advance Shell restriction might have created challenges in certain database related configurations, especially for home users.

Please help us understand the specific examples of challenges you face due to this restriction - configurations where GUI and console tools are reaching the limits. We will suggest the possible workaround for the specific scenario. We will also plan and gradually improve the product for those scenario.


Sophos Firewall Product Team

  • Did anything change in v19 in this matter? With 18.5 i only see this:

  • I specifically run my own Exchange Server for my private mail domain. This is a good opportunity to test out new updates or configurations and to find problematic WAF rules. Sure, I can just migrate my 3 mailboxes to MS365, but for me WAF on home devices was always a good opportunity to test something out in a somewhat real environment without to disrupt any businesses. Additionally I publish a synology NAS through WAF to use their cloud and web functionalities.

  • Hi,

    please start a new thread covering your issue.

    Thank you


    Xeon 1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP

    XG115W - v18.5.2

    If a post solves your question please use the 'Verify Answer' button.

  • I have installed a Sophos XG at home, to get more experience and play with new versions. Now i have the update from 18 to 19 and my SSL VPN from my iphone is not coming up. How should i solve this without log on console? There is nothing in the GUI log. I only see incoming and outgoing connections in packet capture. Nothing on openVPN log.
    In our business installation we have to disable IPS explicit on some rules. Crazy enough, because in GUI not active, i can not test this on my home license.

  • Logging and getting access to mysql db. Logging, for example, VPN or certificate error details do not appear in the standard log viewer. All the logs plus tail + grep are very useful to do debugging; Access to mysql db. I had more than once needed access to DB to check that the firewall rule was correct; where the hosts and networks are used. Few times, I was not able to delete an object that UI was reporing, the object is still used. Using db commands, I was able to find the rule, which did not appear in the UI at all.

    I would say, logging 90%, accessing DB 10%.

    Do not say that logging can be performed using the poor log viewer available from UI, which is not.


  • Just curious, Do you not have a valid license as a Sophos Architect? 


  • Is this a transparent SMTP scan engine or a MTA? 


  • Do you see any related logs in the logviewer --> VPN? Because it should pick up traffic coming to the module. You could double check the packet capture and look for the port. 

    And you can do the same IPS disable in Console like on your business installation. Console is still open. Advanced Shell is closed. IPS Log should show the same blocks like logviewer. 


  • Are you a Sophos Partner or Customer? Just to understand the use case here. 


  • Never used transparent proxy mode so yeah, it's configured as MTA.