Hi,
Is it possible to upload a home license from the CLI?
For family members, I built and admin a few Sophos UTM boxes (custom hardware, home licenses) - like, my parents and sister. I usually have IPSec tunnels up. I missed a license expiration for my parents, and unfortunately my parents are actually at my sister's...and wondering why they can't access certain things at home (IPsec tunnels usually link us all - they were saying "x" is down, but X is up...the tunnel is down!).
I walked them through getting a new home license...but they can't install it unless they go home, right? Can I install it via CLI (I have SSH access)? The Webadmin is not exposed to the internet, only the LAN and other networks via IPSec tunnels (which are down). Is the only thing I can do wait until someone is on the LAN? (I don't have a way to remotely access that network other than the UTM!)
What happens if I reboot the UTM; will it switch to a trial license? I just need the site to site VPN to come up, and then I can access the webadmin!
Thanks for your help!
I was researching some more...maybe I can do this (except make webadmin exposed to the WAN interface)? "Web admin no longer accessible" - Management, Networking, Logging and Reporting - UTM Firewall - Sophos Community
If you can access WebAdmin, you can upload the license file. I've never known a way to install a license via CLI, but I am not all that great with the CLI for Sophos anyways. ;)
If you had a SUM up and running to manage your UTMs, you could have done it that way.
UTM - 9.711 | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
One of the things I always include in Allowed Networks is "BAlfson(User Network)" so that I can connect via remote access from anywhere to access WebAdmin at the IP of the UTM's VPN server - https://10.242.12.1:4444/ for the SSL VPN. You can add this at the command line with:
cc set webadmin allowed_networks 'REF_NetAaaBalfsUserNetwo'
Just substitute the first 5 letters of your username for mine. First letter must be upper case in the REF_ like 'REF_NetAaaGarpaUserNetwo' for user garpace.
I know a command to upload the license at the command line, but I've never tried it even in my lab.
Cheers - Bob
garpace said: (I have SSH access). The Webadmin is not exposed to the internet, only the LAN and other networks via IPSec tunnels (which are down)
One thing that comes to mind is using an SSL port forwarding (aka tunnel) like:
ssh -L 4444:127.0.0.1:4444 user@remote
So you can throw https://localhost:4444 into your browser on the local machine which will be forwarded to port 4444 on the UTM box.
Depending on your configuration and firewall settings you might need to replace 127.0.0.1 with the internal (LAN) IP of the UTM.
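The tunnel described in the post above, as an added example that is not part of the thread: a POSIX shell wrapper that opens the SSH local forward to WebAdmin, binds the local end to loopback only, and tears it down through a control socket, as an alternative to widening WebAdmin's allowed networks. The control-socket path and the function names are assumptions; `user@remote` and port 4444 are the values from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. CTL_SOCKET and the function names
# are assumptions; user@remote and port 4444 are the values from the post.
WEBADMIN_PORT=4444
CTL_SOCKET="${HOME}/.ssh/utm-webadmin.ctl"

# Print the ssh -L spec. $1 = target as seen from the UTM (default 127.0.0.1,
# or the UTM's LAN IP), $2 = local port (default 4444).
forward_spec() (
  target="${1:-127.0.0.1}"
  lport="${2:-$WEBADMIN_PORT}"
  case "$target" in
    *[!0-9A-Za-z.-]*) echo "invalid target: $target" >&2; exit 1 ;;
  esac
  case "$lport" in
    *[!0-9]*) echo "invalid port: $lport" >&2; exit 1 ;;
  esac
  if ! { [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ]; }; then
    echo "port out of range: $lport" >&2; exit 1
  fi
  # Bind the local end to loopback explicitly so other hosts on the
  # admin's network cannot use the forward.
  printf '127.0.0.1:%s:%s:%s\n' "$lport" "$target" "$WEBADMIN_PORT"
)

open_tunnel() {
  [ -n "${1:-}" ] || { echo "usage: $0 open user@remote [target] [port]" >&2; return 2; }
  spec=$(forward_spec "${2:-}" "${3:-}") || return 1
  # -M/-S: control socket for clean teardown; -f -N: background, no remote
  # command; ExitOnForwardFailure: exit if the local port cannot be bound.
  ssh -M -S "$CTL_SOCKET" -f -N -o ExitOnForwardFailure=yes \
      -L "$spec" "$1" || return 1
  echo "Open https://localhost:${3:-$WEBADMIN_PORT}/ and close the tunnel when done."
}

# Ask the background ssh master to exit, removing the forward.
close_tunnel() {
  ssh -S "$CTL_SOCKET" -O exit "${1:-}"
}

case "${1:-}" in
  open)  shift; open_tunnel "$@" ;;
  close) close_tunnel "${2:-}" ;;
esac
```

Run it as `open user@remote` to start the forward and `close user@remote` to remove it; pass the UTM's LAN IP as the second argument to `open` if the loopback target is refused.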
Thanks Bob. I didn't have the SSL VPN set up (just site to site), but I was able to add "Any" temporarily to webadmin allowed_networks, pop in, upload the license file, bring back the site to sites, and get rid of "any". Thanks for all your guidance on this and other posts.