Device console

This page describes the CLI console and the various commands available in the base console.

The device console is used to perform various checks on the system and to view logs files for troubleshooting.

When using the command line, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

Sophos XG Firewall has built-in help at the command prompt itself, so you can check the syntax of a command without leaving the CLI.

To view the list of available commands go to Option 4 (Device Console) and press Tab. The following is displayed:

console>
clear               ping            telnet
disableremote       ping6           telnet6
dnslookup           set             traceroute
dnslookup6          show            traceroute6
drop-packet-capture system
enableremote        tcpdump
console>

Once you start typing a command you can press Tab again to view the list of arguments that are supported or required. Example: When you type ping and press Tab, you are presented with the list of parameters that are required or allowed as shown below:

console>ping
<ipaddress>    count       quiet       sourceip
<string>       interface   size        timeout
console>

Type the command and then press ? to view the list of arguments supported with descriptions. Example: when you type ping and press ?, all parameters are shown with descriptions.

console>ping
quiet          display the summary at startup and end
count          Stop after sending count packets
size           Number of data bytes to be sent
timeout        timeout 'in seconds' before ping exits
interface      Bind interface
sourceip       Bind source ipaddress
<ipaddress>    A.B.C.D (0 <= A,B,C,D < 256)
<string>       Alpha-Numeric TEXT with/without quotes

To return to the main menu, type exit.

Below you will find a list of CLI commands and descriptions of their functions.

set

Use set to configure various system parameters. For further information on the available parameters see set.

system

Use system to configure various settings. For further information on the available options see system.

clear

Clears the screen.

disableremote

Disables remote connectivity over SSH, if enabled. By default it is not enabled. The appliance will no longer listen on port 22 for new connections, and existing ones will be terminated. Refer to enableremote to allow remote SSH connections.

dnslookup

Query internet domain name servers to resolve hostnames.

Parameter list and description

Syntax                          Description
Host ipaddress                  Host to be searched.
Host url
Server ipaddress [host]         Internet name or address of the name server.

dnslookup6

Query internet domain name servers to resolve IPv6 hostnames.

Parameter list and description

Syntax                          Description
Host ipaddress                  Host to be searched.
Host url
Server ipaddress [host]         Internet name or address of the name server.

drop-packet-capture

Displays packets dropped by firewall rules, together with the connection details of each dropped packet as the device processed it. This helps administrators work out why a firewall rule is (or is not) matching traffic. The output can be narrowed down with a BPF filter expression.

Syntax                                   Description
text                                     BPF (Berkeley Packet Filter) compatible packet filter expression.
interface port                           Listen on this interface.
snaplen 20-68835                         Number of bytes to capture.

How to check packets of                  Example
Specific host                            host 10.10.10.1
Specific source host                     src host 10.10.10.1
Specific destination host                dst host 10.10.10.1
Specific network                         net 10.10.10.0
Specific source network                  src net 10.10.10.0
Specific destination network             dst net 10.10.10.0
Specific port                            port 20
Two specific ports                       port 20 or port 21
Specific source port                     src port 21
Specific destination port                dst port 21
Specific host for a specific port        host 10.10.10.1 and port 21
Specific host for all ports except SSH   host 10.10.10.1 and port not 22
Specific protocol                        proto ICMP, proto UDP, proto TCP

enableremote

Allows remote SSH connections to Sophos XG Firewall. The appliance will listen for SSH connections on the specified port and will allow connections only from the specified address. Restrict serverip to a dedicated management host, and run disableremote once the troubleshooting session is over so that SSH access is not left open longer than necessary.

Syntax                          Description
port number                     Ethernet port on the appliance through which a remote SSH connection can be established.
serverip ipaddress              Host IP address from which SSH connections to the appliance will be allowed.

ping

Sends ICMP ECHO_REQUEST packets to IPv4 network hosts and listens for the corresponding ECHO_REPLY.

Syntax                          Description
ipaddress                       IP address to be pinged.
string                          Domain to be pinged.
count number                    Send a specific number of packets. Ping stops after the count is reached.
interface interfaceid           Sets the interface on XG Firewall to send packets from.
quiet                           Display a summary only at the start and end of the ping sequence.
size number                     Specifies the length, in bytes, of the data field in the echo request messages
                                sent. The default is 32. The maximum size is 65,527.
sourceip ipaddress              Specifies the source IP address packets will be sent from.
timeout number                  Stop sending packets and exit from ping after the specified time is reached.

ping6

Send ICMPv6 ECHO_REQUEST packets to IPv6 network hosts and listens for the corresponding ECHO_REPLY.

Syntax                          Description
ipaddress6                      IPv6 address to be pinged.
count number                    Send a specific number of packets. Ping stops after the count is reached.
interface interfaceid           Sets the interface on XG Firewall to send packets from.
quiet                           Display a summary only at the start and end of the ping sequence.
size number                     Specifies the number of data bytes to be sent. The default is 56, which
                                translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP
                                header data.

tcpdump

Captures packets on a network interface and prints a description of each packet that matches the given filter expression. With no expression, every packet seen on the interface is printed. Use it to confirm what traffic is actually arriving at, or leaving, the appliance.

Syntax                          Description
text                            Packet filter expression. If no expression is given, all packets are dumped;
                                otherwise only packets for which the expression is 'true' are dumped. The
                                expression consists of one or more primitives. A primitive usually consists
                                of an id (name or number) preceded by one or more qualifiers. Refer to the
                                example table below for writing filter expressions.
count number                    Exit tcpdump after receiving the specified number of packets.
filedump                        Writes the tcpdump output, filtered by whatever criteria are given, to a file.
                                The output file can be found under /tmp.
hex                             Print each packet (minus its link level header) in hexadecimal notation.
interface interfaceid           Specifies the interface to listen on.
llh                             View packet contents with Ethernet or other layer 2 header information.
no_time                         Do not print a timestamp on each dump line.
quiet                           Print less protocol information so that output lines are shorter.
verbose                         Verbose output. For example, the time to live, identification, total length
                                and options in an IP packet are printed. Also enables additional packet
                                integrity checks such as verifying the IP and ICMP header checksums.

Below you will find some examples of how to use the tcpdump command to view different information.

Note: Expressions can be combined using the logical operators AND, OR and NOT. When combining primitives, enclose the full expression in single quotes so that it is passed to tcpdump as one argument.

How to view traffic of                  tcpdump command                                         Example
Specific host                           tcpdump 'host <ipaddress>'                              tcpdump 'host 10.10.10.1'
Specific network                        tcpdump 'net <network address>'                         tcpdump 'net 10.10.10.0'
Specific source network                 tcpdump 'src net <network address>'                     tcpdump 'src net 10.10.10.0'
Specific destination network            tcpdump 'dst net <network address>'                     tcpdump 'dst net 10.10.10.0'
Specific port                           tcpdump 'port <port number>'                            tcpdump 'port 21'
Specific source port                    tcpdump 'src port <port number>'                        tcpdump 'src port 21'
Specific destination port               tcpdump 'dst port <port number>'                        tcpdump 'dst port 21'
Specific host and specific port         tcpdump 'host <ipaddress> and port <port number>'       tcpdump 'host 10.10.10.1 and port 21'
Specific host and all ports except SSH  tcpdump 'host <ipaddress> and port not <port number>'   tcpdump 'host 10.10.10.1 and port not 22'
Specific protocol                       tcpdump 'proto <protocol name>'                         tcpdump 'proto ICMP'
                                                                                                tcpdump 'proto UDP'
Specific interface                      tcpdump interface <interfaceid>                         tcpdump interface port2
Specific port on a specific interface   tcpdump interface <interfaceid> 'port <port number>'    tcpdump interface port2 'port 21'
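The filter expressions used by drop-packet-capture and by tcpdump above follow the pcap/BPF syntax, and it is worth seeing exactly what each one matches before relying on it during an incident. The following is an added example, not code from the Sophos page or product and not libpcap: a small Python evaluator for only the qualifiers this page uses (host, net, port, proto, src, dst, and, or, not, parentheses), run over constructed packet records. It assumes libpcap's rule that trailing zero octets in `net 10.10.10.0` set the mask (/24 here), reads `port not 22` as `not port 22` (the form the page's examples use), and the `Packet` record, `SAMPLE` traffic and function names are mine.

```python
# Added example (not from the Sophos page and not libpcap): evaluates the subset of
# pcap/BPF filter syntax the page uses with drop-packet-capture and tcpdump against
# constructed packet records. 'not' binds tightest, then 'and', then 'or'.
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(0, 0))  # ports 0 for icmp

def _net_from_token(tok):
    # Trailing zero octets set the mask (libpcap's rule): 10.10.10.0 -> /24, 10.0.0.0 -> /8.
    if "/" not in tok:
        octets = tok.split(".")
        while octets and octets[-1] == "0":
            octets.pop()
        tok = f"{tok}/{8 * len(octets)}"
    return ipaddress.ip_network(tok, strict=False)

def _either(direction, src_val, dst_val, test):
    # A bare qualifier (no src/dst) matches either end of the packet.
    if direction == "src":
        return test(src_val)
    if direction == "dst":
        return test(dst_val)
    return test(src_val) or test(dst_val)

class _Parser:
    def __init__(self, expr):
        self.toks = [t.lower() for t in re.findall(r"\(|\)|[^\s()]+", expr)]  # case-insensitive
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred
    def _chain(self, op, sub, combine):
        pred = sub()
        while self.peek() == op:            # left-associative run of one operator
            self.take()
            lhs, rhs = pred, sub()
            pred = lambda p, l=lhs, r=rhs, c=combine: c(l(p), r(p))
        return pred
    def or_expr(self):
        return self._chain("or", self.and_expr, lambda a, b: a or b)
    def and_expr(self):
        return self._chain("and", self.unary, lambda a, b: a and b)
    def unary(self):
        if self.peek() == "not":
            self.take()
            inner = self.unary()
            return lambda p, f=inner: not f(p)
        if self.peek() == "(":
            self.take()
            inner = self.or_expr()
            self.take(")")
            return inner
        return self.primitive()
    def primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take()
        if kind == "host":
            addr = ipaddress.ip_address(self.take())
            return lambda p, d=direction, a=addr: _either(d, p.src, p.dst, lambda x: ipaddress.ip_address(x) == a)
        if kind == "net":
            net = _net_from_token(self.take())
            return lambda p, d=direction, n=net: _either(d, p.src, p.dst, lambda x: ipaddress.ip_address(x) in n)
        if kind == "port":
            negate = self.peek() == "not"   # "port not 22", as the page writes it, means "not port 22"
            if negate:
                self.take()
            num = int(self.take())
            return lambda p, d=direction, n=num, neg=negate: _either(d, p.sport, p.dport, lambda x: x == n) != neg
        if kind == "proto":
            return lambda p, n=self.take(): p.proto == n
        raise ValueError(f"unknown qualifier {kind!r}")

def compile_filter(expr):
    return _Parser(expr).parse()

def filter_packets(expr, packets):
    return list(filter(compile_filter(expr), packets))

SAMPLE = [  # constructed sample traffic, not a real capture
    Packet("10.10.10.1", "192.0.2.10", "tcp", 51000, 21),    # FTP control from the host
    Packet("192.0.2.10", "10.10.10.1", "tcp", 21, 51000),    # and its reply
    Packet("10.10.10.1", "192.0.2.10", "tcp", 51001, 22),    # SSH from the same host
    Packet("10.10.10.7", "192.0.2.10", "udp", 40000, 53),    # DNS from another host on the /24
    Packet("10.10.10.1", "192.0.2.10", "icmp"),              # ping from the host
    Packet("198.51.100.5", "10.10.10.1", "udp", 40001, 53),  # inbound UDP from outside
]
```

Running `filter_packets("host 10.10.10.1 and port not 22", SAMPLE)` returns the FTP exchange, the ping and the inbound UDP packet but not the SSH packet, which is the same set as `host 10.10.10.1 and not port 22`; `net 10.10.10.0` matches every sample packet because each has one end inside 10.10.10.0/24, and `src host 10.10.10.7 or proto icmp and port 21` matches only the DNS packet because `and` is evaluated before `or`. On the appliance the same expression is typed as `tcpdump 'host 10.10.10.1 and port not 22'`, quotes included.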

telnet

Use telnet to connect to another remote computer. Can be used to check if a system is accepting connections on a specific port. Telnet data is sent in clear text so for admin tasks it is advised to use SSH when possible.

Syntax                          Description
ipaddress port number           FQDN, alias or IP address of a remote host followed by the port number to
                                connect to. If no port is specified, the default telnet port (23) is used.

telnet6

Use telnet6 to connect via telnet to an IPv6-addressed system. As with telnet, the session is sent in clear text.

Syntax                          Description
ipv6address port number         FQDN, alias or IPv6 address of a remote host followed by the port number to
                                connect to. If no port is specified, the default telnet port (23) is used.

traceroute

Traceroute tracks the route packets take from an IPv4 network on their way to a specific host. It utilizes the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.

Syntax                          Description
<ipaddress>                     Specifies the destination IP address to trace the route to.
<string>                        Specifies the domain to trace the route to.
first-ttl                       Sets the initial time to live used in the first outgoing packet.
icmp                            Use ICMP ECHO instead of UDP datagrams.
max-ttl                         Specifies the maximum time to live of packets.
no-frag                         Sets the don't fragment bit in the sent packets.
probes                          Number of probes sent at each TTL. Default is 3.
source                          Sets the specified IP address as the source address of sent packets.
timeout                         Sets the timeout in seconds for a response to a probe. Default is 5.
tos                             For IPv4, sets the Type of Service (TOS) and Precedence value. Useful values
                                are 16 (low delay) and 8 (high throughput).

traceroute6

Traceroute6 tracks the route packets take from an IPv6 network on their way to a specific host. It utilizes the IPv6 hop limit field (the equivalent of the IPv4 TTL) and attempts to elicit an ICMPv6 TIME_EXCEEDED response from each gateway along the path to the host.

Syntax                          Description
<ipv6address>                   Specifies the destination IPv6 address to trace the route to.
<string>                        Specifies the domain to trace the route to.
first-ttl                       Sets the initial hop limit (time to live) used in the first outgoing packet.
icmp                            Use ICMP ECHO instead of UDP datagrams.
max-ttl                         Specifies the maximum hop limit (time to live) of packets.
no-frag                         Sets the don't fragment bit in the sent packets.
probes                          Number of probes sent at each hop limit. Default is 3.
source                          Sets the specified IPv6 address as the source address of sent packets.
timeout                         Sets the timeout in seconds for a response to a probe. Default is 5.
tos                             Sets the type of service. For IPv6 this sets the Traffic Class field of the
                                IPv6 header.

show

Displays configured parameters of the following firewall settings.

Syntax                                  Description
advanced-firewall                       Displays the currently configured advanced firewall parameters. For a full
                                        explanation of the parameters, refer to set.
arp-flux                                Shows whether arp-flux is currently turned on or off.
country-host ip2country ipaddress       Shows the country that hosts the specified IP address.
country-host list                       Lists the stored IP addresses and the countries that host them.
fqdn-host                               Displays the configured parameters for:
                                          • cache-ttl
                                          • idle-timeout
                                          • learn-subdomains
                                          • IP eviction
http_proxy                              Displays the following configured parameters of the HTTP proxy:
                                          • add_via_header
                                          • core_dump
                                          • relay_invalid_http_traffic
                                          • connect_timeout
                                          • tunnel_timeout
                                          • client_timeout
                                          • response_timeout
                                          • proxy_tlsv_0
                                          • captive_portal_tlsv1_0
                                          • captive_portal_x_frame_options
ips-settings                            Displays the currently configured IPS settings and running instances.
ip-signature alert                      Lists, by numeric ID, the IPS signatures configured to alert when triggered.
ip-signature disable                    Lists, by numeric ID, the IPS signatures currently disabled.
ip-signature drop                       Lists, by numeric ID, the IPS signatures configured to drop traffic when
                                        triggered.
ips_conf                                Shows the current IPS configuration.
lanbypass                               Shows the current lanbypass configuration. In this mode one or two pairs of
                                        interfaces are bridged, so traffic keeps flowing, unscanned, during a power
                                        failure or hardware malfunction.
nat-policy application-server
nat-policy failover
nat-policy mail-notification            Displays the NAT policy settings (enabled or disabled) for the protected
                                        application servers.
network                                 Displays various configured network parameters according to the filter used:
network interface-speed interfaceid     Shows the current link speed of the specified interface.
network interfaces                      Shows details of the interfaces on the appliance, including logical
                                        interfaces.
network lag-interface interfaceid       Shows details of the specified LAG interface.
network macaddr interfaceid             Displays the MAC address of the specified interface.
network mtu-mss interfaceid             Shows the configured MTU and MSS of the specified interface (defaults:
                                        MTU 1500, MSS 1460).
network static-route                    Displays all current IPv4 static routes.
network static-route6                   Displays all current IPv6 static routes.