set

Details of the system components that are configurable via the set command.

Use the set command to define settings and parameters for various system components.

For example, after typing set, press Tab to view the list of configurable components. These components and their parameters are described below.

advanced-firewall

The advanced-firewall option allows configuration of various firewall-related parameters and settings, such as the traffic to be inspected, protocol timeout values and traffic fragmentation. The full list of configurable parameters is shown in the table below.

Syntax

Description

bypass-stateful-firewall-config [add] [del] [dest_host] [dest_network] [source_host] [source_network]

Add a host or network where the outbound and return traffic does not always traverse through Sophos XG Firewall.

You can add or delete either single hosts or entire networks.

icmp-error-message [allow] [deny]

Allow or deny ICMP error packets describing problems such as network/host/port unreachable, destination network/host unknown.

strict-icmp-tracking [on] [off]

Allow or drop ICMP reply packets. Setting this option to on drops all ICMP reply packets.

tcp-appropriate-byte-count [on] [off]

Controls Appropriate Byte Count (ABC) settings. ABC is a way of increasing the congestion window (cwnd) more slowly in response to partial acknowledgments. For more information see RFC 3465.

tcp-selective-acknowledgement [on] [off]

Off disables selective acknowledgment (SACK). Using selective acknowledgments, the data receiver can inform the sender about all segments that have arrived successfully, so the sender needs to retransmit only the segments that have actually been lost.

tcp-window-scaling [on] [off]

Off disables window scaling. TCP window scaling increases the TCP receive window size above its maximum value of 65,535 bytes. For more information see RFC 1323.

fragmented-traffic [allow] [deny]

Allow or deny fragmented traffic. IP Fragmentation is the process of breaking down an IP datagram into smaller packets before transmitting and reassembling them at the receiving end. For more information see RFC4459 Section 3.1

ipv6-unknown-extension-header [allow] [deny]

Allow or drop IPv6 packets with unknown extension headers.

strict-policy [on] [off]

When strict policy is applied, the device drops specific traffic and IP based attacks against the firewall. By default, strict policy is always on. When strict policy is off, strict firewall policy is disabled.

tcp-est-idle-timeout [2700-432000]

Sets the idle timeout value in seconds for established TCP connections. Available values are 2700-432000.

tcp-seq-checking [on] [off]

Every TCP packet carries a sequence number and an acknowledgment number. Sophos XG Firewall checks that these numbers fall within a certain window to ensure that the packet is indeed part of the session. However, some applications and third-party vendors use non-RFC methods to verify a packet's validity, or a server may for some other reason send packets with invalid sequence numbers and expect an acknowledgment. For this reason, XG Firewall offers the ability to disable this check.

udp-timeout [30-3600]

Set the timeout value in seconds for UDP connections that have not yet been established. Available values are 30-3600.

ftpbounce-prevention [control] [data]

Prevent FTP bounce attacks on FTP control and data connections. Traffic is treated as an FTP bounce attack when a client sends a PORT command containing a third-party IP address to an FTP server instead of its own IP address.

midstream-connection-pickup [on] [off]

Configure midstream connection pickup settings. Enabling midstream pickup of TCP connections helps when plugging Sophos XG Firewall into a live network as a bridge without any loss of service. It can also be used to handle network behavior caused by peculiar network design and configuration, for example atypical routing configurations that lead to ICMP redirect messages. By default, XG Firewall is configured to drop all untracked (mid-stream session) TCP connections in both deployment modes.

sys-traffic-nat [add] [delete] [destination] [interface] [netmask] [snatip]

Administrators can NAT the traffic generated by the firewall itself so that the IP addresses of its interfaces are not exposed, or to change the NAT'd IP for traffic going to a set destination. For more information see KB 122999.

tcp-frto [on] [off]

Enable or disable forward RTO-Recovery (F-RTO). F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts and is particularly beneficial in wireless environments, where packet loss is typically due to random radio interference rather than congestion at intermediate routers. F-RTO is a sender-side-only modification, so it does not require any support from the peer.

tcp-timestamp [on] [off]

Enable or disable TCP timestamps. The timestamp option lets TCP measure round-trip time more accurately than the retransmission-timeout method.

udp-timeout-stream [30-3600]

Sets the timeout value in seconds for established UDP connections. Available values are 30-3600.

arp-flux

ARP flux occurs when multiple Ethernet adapters, often on a single machine, respond to the same ARP query. This can cause problems with the mapping of link-layer addresses to IP addresses. Sophos XG Firewall may respond to ARP requests from both Ethernet interfaces, and on the machine that sent the ARP request these multiple answers can cause confusion. ARP flux only arises when Sophos XG Firewall has multiple physical connections to the same medium or broadcast domain.

Syntax

Description

on

Sophos XG Firewall may respond to ARP requests from both ethernet interfaces when Sophos XG Firewall has multiple physical connections to the same medium or broadcast domain.

off

Sophos XG Firewall responds to ARP requests from respective ethernet interfaces when Sophos XG Firewall has multiple physical connections to the same medium or broadcast domain.

fqdn-host

Sophos XG Firewall supports FQDN Hosts, which define an entry by its Fully Qualified Domain Name and resolve it to the IP address returned by DNS requests. This allows dynamically assigned IP addresses to be used as host definitions. There is a limit of 16,000 FQDN hosts. FQDN hosts can also be configured from the GUI; for further information about GUI configuration see KB 123035.

Syntax

Description

cache-ttl [60-86400] [dns-reply-ttl]

Set cache-ttl value for FQDN Host. The cache-ttl value represents the time in seconds after which the cached FQDN host to IP address binding will be updated.

Range: 1 – 86400 seconds

Default: 3600 seconds

dns-reply-ttl: use the TTL value from the DNS reply packet as the cache-ttl.

eviction [enable] [disable] [interval] [60-86400]

Duration in seconds after which IP addresses for subdomains of wildcard FQDNs are evicted. The available range is 60-86400.

idle-timeout [60-86400] [default]

The idle-timeout value represents the time in seconds after which the cached FQDN host to IP address binding is removed.

Range: 60 – 86400 seconds

Default: 3600 seconds

learn-subdomains [enable] [disable]

Learns the IP addresses of subdomains for wildcard FQDNs. Enable this if you want to learn the IP addresses of subdomains from traffic passing through XG Firewall, that is, traffic that is neither destined for nor originated by XG Firewall itself.

http_proxy

Sets various parameters for the HTTP proxy. These are described in the table below.

Syntax

Description

add_via_header [on] [off]

Adds or omits the Via header on traffic that passes through the proxy. The Via header is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request/response chain.

captive_portal_tlsv1_0 [on] [off]

Allow or deny connections to the captive portal using TLSv1. TLSv1 has been superseded and is no longer considered secure, so this should only be enabled if required for a specific business need.

captive_portal_x_frame_options [on] [off]

Enables or disables adding the X-Frame-Options header to captive portal traffic. X-Frame-Options (XFO) is an HTTP response header, also referred to as an HTTP security header, that has been in use since 2008. In 2013 it was officially published as RFC 7034, but it is not an Internet standard. The header tells the browser how to behave when handling a site's content; its main purpose is to provide clickjacking protection by not allowing a page to be rendered in a frame. For further information see RFC 7034.

client_timeout [1-2147483647] [default]

Sets the timeout in seconds for clients with established connections via the proxy. The available values are 1-2147483647, default is 60.

connect_timeout [1-2147483647] [default]

Sets the timeout value in seconds for connections attempting to be made via the proxy. Available values are 1-2147483647, default is 60.

core_dump [on] [off]

Determines whether a core dump file is created if the proxy encounters an error and crashes. Core dump files help with troubleshooting and are useful to Support when issues are encountered.

proxy_tlsv1_0 [on] [off]

Allow or deny connections through the proxy using TLSv1. TLSv1 is a deprecated encryption protocol that has been superseded by TLSv1.3, so care should be taken when allowing TLSv1 connections.

relay_invalid_http_traffic [on] [off]

Determines whether non-HTTP traffic sent over HTTP ports is relayed or dropped by the proxy. Some applications send traffic over the ports normally used by HTTP, 80 and 443; in these cases the proxy may not be able to handle the traffic, which can cause issues. If so, it is often advisable to bypass the proxy altogether for this traffic.

response_timeout [1-2147483647] [default]

Sets the timeout in seconds that the proxy will wait for a response to be received for a new connection before that connection is terminated. Available values are 1-2147483647, default is 60.

tunnel_timeout [1-2147483647] [default]

Sets the timeout value in seconds that the proxy will wait for a response whilst trying to set up an HTTPS connection. Available values are 1-2147483647, default is 300.

disable_tls_url_categories [on] [off]

Allows you to turn on or turn off category lookup for SSL/TLS Inspection Rules. If disable_tls_url_categories is on, traffic isn't categorized.

This affects which SSL/TLS inspection rule is chosen: only SSL/TLS inspection rules that specify ANY for Categories and websites can match. For example, if no SSL/TLS inspection rule has the value ANY for Categories and websites and disable_tls_url_categories is on, no rule is matched and the default behavior applies.

These settings also affect any web policy applied to the traffic. The traffic will be uncategorized when a web policy is applied to it during the TLS handshake. The disable_tls_url_categories setting does not affect categorization of URLs for HTTP or decrypted HTTPS traffic as the full packet contents can be seen in these scenarios.

ips

Allows configuration of settings for the Intrusion Prevention System (IPS). The configurable parameters are described below. IPS consists of a signature engine with a predefined set of signatures. Signatures are patterns that are known to be harmful. IPS compares traffic against these signatures and responds at high speed if it finds a match. The signatures included with the device are not editable.

Syntax

Description

enable_appsignatures [on] [off]

Turns app based signatures on or off for IPS. App signatures determine the application that is using a specific data stream to help determine if traffic is malicious or should be allowed. By default app based signatures are enabled.

failclose [apply] [off] [on] [timeout] [tcp] [udp] [1-43200]

Determines if a connection should be closed in the event of a failure and the timeout in seconds for both tcp and udp connections that pass through IPS. The available timeout values for both UDP and TCP traffic are 1-43200.

http_response_scan_limit [0-262144]

Sets the scan limit for HTTP response packets. Available values are 0-262144, for full scanning this should be set to 0.

inspect [all-content] [untrusted-content]

Specifies IPS inspection for all or untrusted content.

untrusted-content: Inspects untrusted content only. Does not inspect content trusted by SophosLabs. Provides the best performance.

all-content: Inspects all content. Provides the best security.

Default: Inspects untrusted content only.

ips-instance [apply] [clear] [add] [IPS] [cpu] [0-1]

Creates a new IPS CPU instance, clears the IPS instances, or applies a new IPS configuration.

ips_mmap [on] [off]

Enabling mmap optimizes RAM usage, especially in low-end devices. By default mmap is on.

lowmem-settings [on] [off]

Enables or disables low memory settings for IPS. These settings will only be applied in the event that the appliance encounters memory issues.

maxpkts [numeric value above 8] [all] [default]

Sets the number of packets to be sent for application classification. By default this is set to 8 but can be changed to send all packets or any number of packets above 8.

maxsesbytes-settings [update] [numeric value]

The maxsesbytes-settings parameter sets the maximum file size that IPS will scan. Any file larger than the configured size is bypassed and not scanned. This value is applied per session.

packet-streaming [on] [off]

Determines whether packet streaming is to be allowed or not. Packet streaming is used to restrict the streaming of packets in situations where the system is experiencing memory issues.

If packet-streaming is on, which is the default, the IPS engine builds internal tables during a session and deletes them at the end of the session. It also reassembles all incoming packets and checks the data for known signatures.

If packet-streaming is off, protocols such as Telnet, POP3, SMTP and HTTP become vulnerable because packets or segments are no longer reassembled. Data is sometimes split across several packets and must be reassembled to check it against signatures, so these protocols are then exposed to malicious files that are hidden by splitting.

search-method [ac-bnfa] [ac-q] [hyperscan]

Set the search method to be used for IPS signature pattern matching.

ac-bnfa (low memory usage, high performance)

ac-q (high memory usage, best performance)

hyperscan (low memory usage, best performance)

sip_ignore_call_channel [enable] [disable]

Set whether the audio and video data channels should be ignored. Enable this option to ignore such channels.

Enabled by default.

sip_preproc [enable] [disable]

Set whether the SIP preprocessor is enabled. Enabling it scans all SIP sessions to prevent network attacks.
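The advanced-firewall, http_proxy and ips tables above give numeric ranges and name several settings that weaken protection when changed. The following audit script is an added example, not XG Firewall code or output: it checks a constructed dump of `set` lines against those ranges and values, and assumes one `set <component> <parameter> <value>` per line.

```python
"""Audit a dump of XG console `set` lines against the ranges and the
security-relevant values described in the advanced-firewall, http_proxy and
ips tables. Added example, not part of XG Firewall; it assumes one
`set <component> <parameter> <value>` per input line."""
import re
from typing import Dict, List, Tuple

# (component, parameter) -> (low, high, "default" keyword accepted), taken from this page.
RANGES: Dict[Tuple[str, str], Tuple[int, int, bool]] = {
    ("advanced-firewall", "tcp-est-idle-timeout"): (2700, 432000, False),
    ("advanced-firewall", "udp-timeout"): (30, 3600, False),
    ("advanced-firewall", "udp-timeout-stream"): (30, 3600, False),
    ("http_proxy", "client_timeout"): (1, 2147483647, True),
    ("http_proxy", "connect_timeout"): (1, 2147483647, True),
    ("http_proxy", "response_timeout"): (1, 2147483647, True),
    ("http_proxy", "tunnel_timeout"): (1, 2147483647, True),
    ("ips", "http_response_scan_limit"): (0, 262144, False),
}
# Values this page describes as weakening protection, with the reason it gives.
WEAK: Dict[Tuple[str, str, str], str] = {
    ("advanced-firewall", "strict-policy", "off"): "strict policy drops IP-based attacks against the firewall",
    ("advanced-firewall", "tcp-seq-checking", "off"): "sequence checking ties packets to a tracked session",
    ("http_proxy", "captive_portal_tlsv1_0", "on"): "TLSv1 is no longer considered secure",
    ("http_proxy", "proxy_tlsv1_0", "on"): "TLSv1 is deprecated",
    ("http_proxy", "captive_portal_x_frame_options", "off"): "X-Frame-Options provides clickjacking protection",
    ("ips", "packet-streaming", "off"): "without reassembly, payloads split across packets evade signatures",
    ("ips", "enable_appsignatures", "off"): "app signatures help decide whether traffic is malicious",
}
LINE_RE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def audit(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (input line number, finding) for every out-of-range or weak setting."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, comments and multi-value commands are not modelled
        comp, param, value = m.groups()
        rng = RANGES.get((comp, param))
        if rng is not None:
            low, high, default_ok = rng
            if default_ok and value.lower() == "default":
                continue
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append((n, f"{comp} {param}: {value} is outside {low}-{high}"))
            continue
        reason = WEAK.get((comp, param, value.lower()))
        if reason:
            findings.append((n, f"{comp} {param} {value}: {reason}"))
    return findings


# Constructed sample dump; not output captured from a real appliance.
SAMPLE = """\
set advanced-firewall strict-policy off
set advanced-firewall tcp-est-idle-timeout 600
set advanced-firewall udp-timeout 60
set http_proxy proxy_tlsv1_0 on
set http_proxy client_timeout default
set ips packet-streaming on
set ips http_response_scan_limit 300000
""".splitlines()

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```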

ips_conf

Allows the administrator to add, delete or update an IPS configuration entry.

Syntax

Description

add [key] [text] [value] [text]

Add a new IPS configuration.

del [key] [text] [value] [text]

Deletes an existing IPS configuration entry.

update [key] [text] [value] [text]

Updates an existing IPS configuration entry.

lanbypass

In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning during a power failure or hardware malfunction. When enabled, traffic is bypassed for all modules, onboard and external. When power is restored, XG Firewall automatically resumes normal operation. For example, on an XG750 with 7 modules (14 LAN bypass pairs) connected, bypass is enabled for all 14 pairs.

Syntax

Description

off

Turns LAN bypass off. This is the default setting.

on

Turns LAN bypass on.

network

Allows you to configure various network parameters including routes, interface speeds, MTU, MAC address and ports.

Syntax

Description

interface-speed [PortID] [speed] [1000fd] [100fd] [100hd] [10fd] [10hd] [auto]

Configures the interface speed. Values are given in Mbps with full (fd) or half (hd) duplex. Auto lets the interface negotiate speed with the connected neighbor device.

macaddr [PortID] [default] [override] [string value]

Sets the MAC address of the interface. Default keeps the existing MAC; with override you must supply the required MAC address string manually.

mtu-mss [PortID] [mtu] [number value] [default] [mss] [number value] [default]

Defines the MTU and MSS for an interface. Defaults are MTU 1500 and MSS 1460.

on-box-reports

Allows you to determine if reports are generated on Sophos XG Firewall or not.

Syntax

Description

on

Turns on-box reports on.

off

Turns on-box reports off.

port-affinity

Configures port affinity settings. Administrators can manually assign or unassign a CPU core to a specific interface. Once configured, all network traffic for that interface is handled by the assigned CPU core.

Note: CPU cores can only be assigned to interfaces that have already been configured.

Port-affinity is not supported with legacy network adaptors, for example, when a virtual appliance is deployed in Microsoft Hyper-V.

Syntax

Description

add [port] [PortID] [bind-with] [start-with] [cpu] [cpu number]

Allows you to add port affinity settings to the desired interface.

defsetup

Applies the default port affinity configuration.

del [port] [PortID]

Deletes current port affinity settings for the selected port.

fwonlysetup

This is the legacy default port affinity setup. It only handles plain firewall traffic, not proxy or IPS traffic.

proxy-arp

Defines how proxy ARP responds to ARP requests.

Syntax

Description

add [interface] [PortID] [dest_ip] [dst_iprange]

Applies proxy ARP settings to the defined interface.

del [interface] [PortID] [dest_ip] [dst_iprange]

Deletes proxy ARP settings from the defined interface.

report-disk-usage

Sets a watermark in percentage for the report disk usage. The watermark represents the percentage up to which data can be written to the report disk.

Syntax

Description

watermark [default] [numerical value]

Sets the watermark level, allowed values are from 60 to 85.

Default: 80.

routing

Allows configuration of routing parameters: multicast group limits, source-based routes for aliases, and WAN load balancing.

Syntax

Description

multicast-group-limit [numerical value]

Applies the multicast group limit.

source-base-route-for-alias [enable] [disable]

Applies or removes source based routes for alias addresses.

wan-load-balancing [session-persistant] [weighted-round-robin] [connection-based] [destination-only] [source-and-destination] [source-only] [ip-family] [all] [ipv4] [ipv6]

Configures WAN load balancing to balance traffic between multiple WAN interfaces.

Session persistence sends traffic for the same session over a specific interface. Weighted round robin passes traffic over different interfaces depending on the load that each interface is experiencing.

When using session persistence to balance traffic, the session can be defined in four ways.

Connection based sends all traffic belonging to the same connection over the same interface.

Destination only sends all traffic to a specific destination over the same interface.

Source and destination sends all traffic between the same source and destination over the same interface.

Source only sends all traffic from a specific source over the same interface.

Furthermore you can choose to balance just IPv4, IPv6 or all traffic.
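The four persistence keys and the weighted-round-robin alternative described above, modelled in Python as an added example (not XG Firewall code). The Flow fields, the SHA-256 hash used to pin a key to a WAN port, and the per-port weights are assumptions made for illustration; `None` marks traffic that falls outside the selected ip-family.

```python
"""Model of wan-load-balancing: session persistence keyed four ways, or
weighted round robin, restricted to an IP family. Added example; the Flow
record, the hashing and the weights are illustrative assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Persistence mode -> the flow fields that make up the persistence key.
PERSISTENCE_KEYS: Dict[str, Callable[[Flow], tuple]] = {
    "connection-based": lambda f: (f.src, f.sport, f.dst, f.dport, f.proto),
    "destination-only": lambda f: (f.dst,),
    "source-and-destination": lambda f: (f.src, f.dst),
    "source-only": lambda f: (f.src,),
}


def in_family(flow: Flow, ip_family: str) -> bool:
    """ip-family all/ipv4/ipv6 decides which traffic this policy balances."""
    if ip_family == "all":
        return True
    return ip_family == f"ipv{ipaddress.ip_address(flow.src).version}"


def persistent_pick(flow: Flow, mode: str, wan_ports: List[str]) -> str:
    """Hash the persistence key so equal keys always map to the same WAN port."""
    key = "|".join(map(str, PERSISTENCE_KEYS[mode](flow))).encode()
    digest = hashlib.sha256(key).digest()
    return wan_ports[int.from_bytes(digest[:4], "big") % len(wan_ports)]


class WeightedRoundRobin:
    """Each port appears in the rotation as many times as its (assumed) weight."""

    def __init__(self, weights: Dict[str, int]):
        self._cycle = cycle([p for p, w in weights.items() for _ in range(w)])

    def pick(self) -> str:
        return next(self._cycle)


def balance(flows: List[Flow], wan_ports: List[str], method: str,
            persistence: str = "connection-based", ip_family: str = "all",
            weights: Optional[Dict[str, int]] = None) -> List[Tuple[Flow, Optional[str]]]:
    """Return (flow, chosen port); None means the flow is outside the ip-family scope."""
    wrr = WeightedRoundRobin(weights or {p: 1 for p in wan_ports})
    out: List[Tuple[Flow, Optional[str]]] = []
    for f in flows:
        if not in_family(f, ip_family):
            out.append((f, None))
        elif method == "session-persistent":
            out.append((f, persistent_pick(f, persistence, wan_ports)))
        else:  # weighted-round-robin
            out.append((f, wrr.pick()))
    return out
```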

service-param

By default XG Firewall inspects all HTTP, HTTPS, FTP, SMTP/S, POP and IMAP traffic on the standard ports. Use service-param to enable inspection of traffic sent over non-standard ports.

Syntax

Description

FTP [add] [delete] [port] [port number]

HTTP [add] [delete] [port] [port number]

IMAP [add] [delete] [port] [port number]

IM_MSN [add] [delete] [port] [port number]

IM_YAHOO [add] [delete] [port] [port number]

POP [add] [delete] [port] [port number]

HTTPS [add] [delete] [port] [port number] [deny_unknown_proto] [on] [off] [invalid-certificate] [allow] [block]

SMTP [add] [delete] [port] [port number] [failure_notification] [on] [off] [fast-isp-mode] [on] [off] [notification-port] [add] [port] [port number] [strict-protocol-check] [on] [off]

SMTPS [add] [delete] [port] [port number] [invalid-certificate] [allow] [block]

To allow inspection of traffic on non-standard ports for a specific protocol, use the add port command. This works for all services in the service-param command list.

HTTPS, SMTP and SMTPS have further options available.

network

Allows you to set various network parameters for interfaces, such as speed, MAC address, MTU-MSS and LAG details.

Syntax

Description

interface-speed [Port] [speed] [speed value]

Available speed values are: 1000fd, 100fd, 100hd, 10fd, 10hd or auto. fd and hd denote full and half duplex respectively.

macaddr [Port] [default] [override] [string]

Sets the MAC address of an interface. Here string is the new MAC address you want to use.

mtu-mss [Port] [default] [number]

Sets the MTU-MSS value for the interface. Default is 1500.

lag-interface [interface_name] [lag-mgt] [active-backup] [auto] [Port] [lacp] [lacp-rate] [fast] [slow] [static-mode] [enable] [disable] [xmit-hash-policy] [layer2] [layer2+3] [layer3+4] [link-mgt] [down-delay] [value] [garp-count] [value] [monitor-interval] [value] [up-delay] [value]

Allows you to set various parameters for any configured LAG interface. Where a variable is stated as value, the available values are shown below.

down-delay available values 0-10000 milliseconds

garp-count values 0-255

monitor-interval values 0-10000 milliseconds

up-delay values 0-10000 milliseconds

VPN

Allows you to set various parameters for VPN connections including failover settings, authentication settings and MTU.

Syntax

Description

conn-remove-on-failover [all] [non-tcp] [conn-remove-tunnel-up] [disable] [enable] [l2tp] [authentication] [ANY] [CHAP] [MS_CHAPv2] [PAP] [mtu] [number] [pptp] [authentication] [ANY] [CHAP] [MS_CHAPv2] [PAP]

Authentication parameters can be set for L2TP and PPTP VPNs, as well as global failover and failback parameters for all traffic or just non-TCP traffic. MTU can be set for L2TP; the available values are 576 – 1460, default is 1410.