Skip to content


Details of the system components that are configurable via the set command.

Use the set command to define settings and parameters for various system components.

For example, after typing set, press tab to view the list of components you can configure. These options and their parameters are described below.

Syntax description

set main-command option [arguments] {user defined input} <ranges>

set advanced-firewall icmp-error-message allow

set advanced-firewall add dest_host


The advanced-firewall option allows you to configure various firewall-related parameters and settings such as the traffic inspection, protocol timeout values, and traffic fragmentation. The full list of parameters available for configuration is shown in the table below.

Syntax Description
bypass-stateful-firewall-config [add|del] [dest_host|dest_network] {IP address | network IP address / netmask} [source_host|source_network] { IP address | network IP address / netmask} Add a host or network where the outbound and return traffic does not always pass through Sophos Firewall.

You can add or delete either single hosts or entire networks.

icmp-error-message [allow|deny] Allow or deny ICMP error packets describing problems such as network, host or port unreachable, and destination network or host unknown.
strict-icmp-tracking [on|off] Allow or drop ICMP reply packets. Setting this option On drops all ICMP reply packets.
tcp-appropriate-byte-count [on|off] Controls Appropriate Byte Count (ABC) settings. ABC is a way of increasing the congestion window (cwnd) more slowly in response to partial acknowledgments. See RFC3465
tcp-selective-acknowledgement [on|off]

With TCP selective acknowledgement (SACK), the firewall allows the receiver to inform the sender about the specific segments it receives. The sender can then retransmit only the lost and out-of-order segments rather than the entire TCP window, ensuring efficient retransmission.

It minimizes unnecessary retransmissions, reduces latency, and enhances the throughput, ensuring more reliable data transmission.

tcp-window-scaling [on|off]

With window scaling, the firewall extends the TCP window size beyond the traditional 16-bit limit (64 KB) supporting high-bandwidth networks. By increasing the window size, it ensures larger data transfers in a single TCP connection, enhancing the throughput and reducing latency.

It optimizes flow control by dynamically adjusting the window size based on network capacity, avoiding congestion, and optimizing data transmission. See RFC1232.

fragmented-traffic [allow|deny] Allow or deny fragmented traffic. IP Fragmentation is the process of breaking down an IP datagram into smaller packets before transmitting and reassembling them at the receiving end. See RFC4459 section 3.1
ipv6-unknown-extension-header [allow|deny] Allow or drop IPv6 packets with unknown extension headers.
strict-policy [on|off] When strict policy is applied, the device drops specific traffic and IP-based attacks against the firewall. By default, strict policy is always on. When strict policy is off, strict firewall policy is disabled.
tcp-est-idle-timeout <2700-432000> Sets the idle timeout value in seconds for established TCP connections. Available values are 2700-432000.
tcp-seq-checking [on|off] Every TCP packet contains a Sequence Number (SYN) and an Acknowledgment Number (ACK). Sophos Firewall monitors SYN and ACK numbers within a certain window to ensure that the packet is part of the session. However, certain applications and third-party vendors use non-RFC methods to verify a packet's validity or for some other reason, so a server may send packets with invalid sequence numbers and expect an acknowledgment. For this reason, Sophos Firewall offers the ability to turn off this feature.
udp-timeout <30-3600> Set the timeout value in seconds for UDP connections that haven't yet been established. Available values are 30 to 3600.
udp-timeout-stream <30-3600> Set the timeout value in seconds for UDP stream connections. Available values are 30 to 3600. A UDP stream is established when two clients send UDP traffic to each other on a specific port and between network segments. Example: LAN to WAN.
ftpbounce-prevention [control|data] Prevent FTP bounce attacks on FTP control and data connections. Traffic is considered an FTP bounce attack when an attacker sends a PORT command with a third-party IP address to an FTP server instead of its own IP address.
midstream-connection-pickup [on|off] Configure midstream connection pickup settings. Enabling midstream pickup of TCP connections will help while plugging in the Sophos Firewall as a bridge in a live network without any loss of service. You can also use it for handling network behavior due to peculiar network design and configuration. For example, atypical routing configurations leading to ICMP redirect messages. Sophos Firewall is default configured to drop all untracked (mid-stream session) TCP connections in both deployment modes.
sys-traffic-nat [add|delete] [destination] {desttination IP adress} [interface] {interface} [netmask] {netmask} [snatip] {snat IP address} Administrators can NAT the traffic generated by the firewall so that the IP Addresses of its interfaces aren't exposed or to change the NAT'd IP for traffic going to a set destination. See Sophos Firewall: NAT the generated traffic.
tcp-frto [on|off] Turn on or off forward RTO-Recovery (F-RTO). F-RTO is an enhanced recovery algorithm for TCP retransmission time-outs. It's particularly beneficial in wireless environments where packet loss is typically due to random radio interference rather than intermediate router congestion. F-RTO is a sender-side only modification. Therefore it does not require any support from the peer.
tcp-timestamp [on|off] Turn on or off TCP timestamps. Timestamp is a TCP option used to calculate the round trip measurement in a better way than the forward RTO-recovery method.
udp-timeout-stream <30-3600> Set up UDP timeout value in seconds for established UDP connections. Available values are from 30 to 3600.


ARP flux occurs when multiple ethernet adapters, often on a single device, respond to an ARP query. Due to this, a problem with the link-layer address to IP address mapping can occur. Sophos Firewall may respond to ARP requests from both Ethernet interfaces. On the device creating the ARP request, these multiple answers can cause confusion. ARP flux only takes effect when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.

Syntax Description
on Sophos Firewall may respond to ARP requests from both ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.
off Sophos Firewall responds to ARP requests from respective ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.


TTL (time-to-live) determines how long it takes for a DNS record change to take effect. The domain's DNS record is cached until the next lookup. Sophos Firewall performs DNS lookups at the default interval rather than the TTL value in the DNS record for domains that resolve to localhost.

Change the interval at which the DNS lookups for localhost take place. For example, you can specify a lower TTL value to ensure Sophos Firewall updates its record earlier when you change the DNS record entry from localhost to another host.

Syntax Description
localhost-ttl <60-655360> Interval (in seconds) at which DNS lookups for domains that resolve to localhost occur.

Range: 60 to 655360 seconds
Default: 655360 seconds


You can configure Fully Qualified Domain Name (FQDN) hosts. DNS servers resolve FQDN requests to IP addresses. You can create up to 16,000 FQDN hosts. You can also configure these on the web admin console. See knowledge base 123035

Syntax Description
cache-ttl <60-86400> [dns-reply-ttl] Set cache-ttl value for FQDN Host. The cache-ttl value represents the time in seconds after which the cached FQDN host to IP address binding will be updated.

Range: 1 to 86400 seconds

Default: 3600 seconds

dns-reply-ttl: use the ttl value in the DNS reply packet as cache-ttl

eviction [enable | disable] [interval] <60-86400> Duration in seconds after which IP addresses for subdomains of wildcard FQDNs are evicted. The available range is 60 to 86400.
idle-timeout <60-86400> [default] The idle-timeout value represents the time in seconds after which the cached FQDN host to IP address binding is removed.

Range: 60 to 86400 seconds

Default: 3600 seconds

learn-subdomains [enable | disable] Learn the IP address of subdomains for FQDN using a wildcard. Turn it on if you want to know the IP address of subdomains of local traffic that passes through Sophos Firewall and that isn't destined for or originated by Sophos Firewall.


Sets various parameters for the HTTP proxy. These are described in the table below.

Syntax Description
add_via_header [on | off] Either add or remove the via header for traffic that passes through the proxy. The via header is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request and response chain.
captive_portal_tlsv1_0 [on | off] Allow or deny connections using TLSv1 to the captive portal. TLSv1 is no longer considered secure. This must only be turned on if you require it for a certain business need.
captive_portal_x_frame_options [on | off] Turn the x-frame-options header on or off for captive portal traffic The x-frame-options (XFO) is an HTTP response header, also referred to as an HTTP security header, has existed since 2008. In 2013 it was officially published as RFC 7034 but isn't an internet standard. This header tells the browser how to behave when handling a site’s content. The main reason for its introduction was to provide clickjacking protection by not allowing the rendering of a page in a frame. See RFC 7034
client_timeout <1-2147483647> [default] Sets the timeout in seconds for clients with established connections via the proxy. The available values are 1 to 2147483647. Default is 60.
connect_timeout <1-2147483647> [default] Sets the timeout value in seconds for connections attempting to be made via the proxy. Available values are 1 to 2147483647. Default is 60.
core_dump [on | off] Determines whether a coredump file will be created if the proxy encounters an error and crashes. Coredump files can help troubleshoot issues.
proxy_tlsv1_0 [on | off] Allow or deny connections using TLS 1.0 through the proxy. TLS 1.0 is a deprecated encryption protocol that TLS 1.3 has superseded. We don't recommend you use TLS 1.0 connections.
relay_invalid_http_traffic [on | off] Determines whether non-HTTP traffic sent over HTTP ports is relayed or dropped by the proxy. Some applications will send traffic over ports normally used by HTTP (80 and 443). In these instances, the proxy may not be able to handle the traffic, which can cause issues. If this is the case, we advise you bypass bypassing the proxy for this traffic.
response_timeout <1-2147483647> [default] Sets the timeout in seconds that the proxy waits for a response from a new connection before the connection is terminated. Available values are 1 to 2147483647. Default is 60.
tunnel_timeout <1-2147483647> [default] Sets the timeout value in seconds that the proxy waits for a response while trying to set up an HTTPS connection. Available values are 1 to 2147483647. Default is 300.
disable_tls_url_categories [on | off] Allows you to turn on or turn off category lookup for SSL/TLS Inspection Rules. If disable_tls_url_categories is on, traffic isn't categorized.

This affects which SSL/TLS inspection rule is chosen. For SSL/TLS inspection rules, it'll only match those with ANY specified for Categories and websites and nothing else. For example, if there's no SSL/TLS rule with value ANY for Categories and websites, no rule will be matched if disable_tls_url_categories is on. The default behavior applies.

These settings also affect any web policy applied to the traffic. The traffic is uncategorized when a web policy is applied during the TLS handshake. The disable_tls_url_categories setting does not affect the categorization of URLs for HTTP or decrypted HTTPS traffic, as the full packet contents are seen in these scenarios.


Allows configuration of the Intrusion Prevention System (IPS). IPS consists of a signature engine (snort) with a predefined set of signatures. Signatures are patterns that are known to be harmful. IPS compares traffic to these signatures and responds at high speed if it finds a match. You can't edit signatures included within the device. The parameters that you can configure are described below.

Syntax Description
enable_appsignatures [on | off] Turns app-based signatures on or off for IPS. App signatures enable the firewall to identify malicious applications based on matching traffic patterns. The option is turned on by default.
failclose [apply] [off | on] [timeout] [tcp | udp] <1-43200> Determines if a connection should be closed in the event of a failure, and the timeout in seconds for both tcp and udp connections that pass through IPS. The available timeout values for UDP and TCP traffic are 1 to 43200.
http_response_scan_limit <0-262144> Sets the scan limit for HTTP response packets. Available values are 0 to 262144. For full scanning, you must set this to 0.
inspect [all-content | untrusted-content] Specifies IPS inspection for all or untrusted content.

untrusted-content: Inspects untrusted content only. Doesn't inspect content trusted by SophosLabs. Provides the best performance.

all-content: Inspects all content. Provides the best security.

Default: Inspects untrusted content only. This is secure enough for most users.

ips-instance [apply | clear | add] [IPS] [cpu] <0-1> Creates a new IPS CPU instance, clears the IPS instance or applies a new IPS configuration.
ips_mmap [on | off] Enabling mmap optimizes RAM usage, especially in low-end devices. By default, mmap is on.
lowmem-settings [on | off] Enables or disables low memory settings for IPS. These settings are only applied when the appliance encounters memory issues.
maxpkts [numeric value more than 8 | all | default] Sets the number of packets to be sent for application classification. By default, maxpkts is set to 8. You can change it to send all packets or any number of packets greater than 8.
maxsesbytes-settings [update] [numeric value] The maxsesbytes-settings allow you to set the maximum allowed file size to be scanned by IPS. Any file larger than the configured size is bypassed and isn't scanned. This value is applied per session.
packet-streaming [on | off] Determines whether packet streaming is to be allowed or not. Packet streaming is used to restrict the streaming of packets in situations where the system is experiencing memory issues.

If packet-streaming is set to on, which is the default setting, the IPS engine builds an internal table during a session and deletes it at the end. It also reassembles all incoming packets and checks the data for known signatures.

If packet-streaming is set to off, then protocols such as Telnet, POP3, SMTP, and HTTP are vulnerable as reassembly of packets or segments can no longer occur. Data is sometimes broken up into chunks of packets and must be reassembled to check for signatures. These protocols are now vulnerable to malicious files that are hidden by splitting.

search-method [ac-bnfa | ac-q | hyperscan] Set the search method for IPS signature pattern matching.

ac-bnfa: low memory usage, high performance.

ac-q: high memory usage, best performance.

hyperscan: low memory usage, best-performance.

sip_ignore_call_channel [enable | disable] Set whether the audio and video data channels should be ignored. Enable this option to ignore such channels.

Enabled by default.

sip_preproc [enable | disable] Set whether the SIP preprocessor should be enabled or not. If you enable this, it scans all the SIP sessions to prevent any network attacks.


When you use advanced shell CLI commands, such as ps, or top, you may see the overall memory consumption for snort as much more than is reported in /proc/meminfo or under Diagnostics in the web admin console. This is because ps and top show the overall reserved memory, not the memory currently in use. This applies when firewall acceleration is turned on because it uses memory reservation on all XGS versions.


Allows the administrator to add, delete or edit an existing IPS configuration entry.

Syntax Description
add [key] [text] [value] [text] Add a new IPS configuration.
del [key] [text] [value] [text] Delete and existing IPS configuration.
update [key] [text] [value] [text] Update and exiting IPS configuration.


In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning when there's a power failure or hardware malfunction. When turned on, traffic is bypassed for all modules. When power is restored, Sophos Firewall automatically resumes normal functionality. For example, in XG 750, if seven modules (fourteen LAN bypass pairs) are connected, lanbypass is turned on for all fourteen pairs.

Syntax Description
off Turns lanbypass off. This is the default setting.
on Turns lanbypass on.


You can configure various network parameters, including routes, interface speeds, MTU, MAC address, and ports.

Syntax Description
interface-speed [PortID] [speed] [1000fd | 100fd | 100hd | 10fd | 10hd | auto] Allows you to configure the interface speed. The values are in Mbps and are either full or half duplex. Auto allows the interface to automatically negotiate speed with the connected neighbor device.
macaddr [PortID] [default | override] [string value] Allows you to set the MAC address of the interface. Default will keep the existing MAC. When using the override parameter, you'll need to define the required MAC address string manually.
mtu-mss [PortID] [mtu | mss] [number value | default] Allows you to define the required MTU and MSS for interfaces. Default values are MTU 1500 and MSS 1460.


Allows you to determine if reports are generated on Sophos Firewall or not.

Syntax Description
on Turn on box reports on.
off Turns on box reports off.


You can configure port affinity. Administrators can manually assign or unassign a CPU core to a specific interface. Once you configure this, the assigned CPU cores handle all the network traffic for that interface.


You can only assign CPU cores to interfaces that have already been configured.

Port-affinity isn't supported with legacy network adapters, for example, when a virtual appliance is deployed in Microsoft Hyper-V.


You don't need to configure port-affinity settings on XGS Firewall devices. Traffic is load-balanced and distributed across CPU cores for these devices automatically.

Syntax Description
add [port] {PortID} [bind-with | start-with] [cpu] [cpu number] Allows you to add port affinity settings to the desired interface.
defsetup Applies the default port affinity configuration.
del [port] {PortID} Deletes current port affinity settings for the selected port.
fwonlysetup This is the legacy default port affinity setup and only handles plain firewall traffic, which doesn't include any proxy or IPS traffic.


Allows you to define how the proxy responds to arp requests.

Syntax Description
add [interface] {PortID} [dest_ip | dst_iprange] {destination IP | destination IP range} Applies proxy arp settings to the defined interface.
del [interface] {PortID} [dest_ip | dst_iprange] {destination IP | destination IP range} Deletes proxy arp settings from the defined interface


Sets a watermark in percentage for the report disk usage. The watermark represents the percentage of data that can be written to the report disk.

Syntax Description
watermark [default | <60-85>] Sets the watermark level. Allowed values are from 60 to 85.

Default: 80.


Allows configuration of routing parameters for multicast group limits, source base route for aliases, and WAN load balancing.

Syntax Description
multicast-group-limit <number> Applies the multicast group limit. Default is 250.
sd-wan-policy-route [system-generate-traffic] [reply-packet] [enable | disable] Turn policy routes on or off for system-generated traffic and reply packets. Make sure you turn routing on for each of them independently. Policies are configured in the web admin console.
source-base-route-for-alias [enable | disable] Applies or removes source-based routes for alias addresses. You must turn this option on when you have multiple WAN interfaces and want to use alias addresses for IPSec connections.
wan-load-balancing [session-persistence | weighted-round-robin] [connection-based | destination-only | source-and-destination | source-only] [ip-family] [all | ipv4 | ipv6] Configures WAN load balancing to balance traffic between multiple WAN interfaces.

Session persistence sends traffic for the same session over a specific interface. Weighted round robin passes traffic over different interfaces depending on the load that each interface experiences.

You can define these four ways when using session persistence to balance traffic.

Connection-based sends all traffic related to the same connection over the same interface.

Destination-only send all traffic to a specific source over the same interface.

Source-and-destination based sends all traffic between the same source and destination over the same interface.

Source-only sends all traffic from a specific source over the same interface.

Furthermore, you can choose to balance just IPv4, IPv6, or all traffic.


Sophos Firewall inspects all HTTP, HTTPS, FTP, SMTP/S, POP, and IMAP traffic on the standard ports by default. Use service-param to enable inspection of traffic sent over non-standard ports.

Syntax Description
FTP [add | delete] [port] {portID}

HTTP [add | delete] [port] {portID}

IMAP [add | delete] [port] {portID}

IM_MSN [add | delete] [port] {portID}

IM_YAHOO [add | delete] [port] [port number]

POP [add | delete] [port] {portID}

HTTPS [add | delete] [port] {portID} [deny_unknown_proto] [on | off] [invalid-certificate] [allow | block]

SMTP [add | delete] [port] {portID} [failure_notification] [on | off] [fast-isp-mode] [on | off] [notification-port] [add] [port] {portID} [strict-protocol-check] [on | off]

SMTPS [add | delete] [port] {portID} [invalid-certificate] [allow | block]

To allow inspection of traffic on non-standard ports for a specific protocol use the add port commands. This works for all services available within the service-param command list.

There are more options available for HTTPS, SMTP, and SMTPS.


You can set various network parameters for interfaces such as speed, MAC address, MTU-MSS, and LAG details.

Syntax Description
interface-speed [Port] {portID} [speed] [ 1000fd | 100fd | 100hd | 10fd | 10hd | auto] Available speed values are: 1000fd, 100fd, 100hd, 10fd, 10hd or auto. The fd and hd denote half or full duplex.
macaddr [Port] {portID} [default | override] {string} Allows you to set the MAC address of an interface. Here the string would be the new MAC address you want to use.
mtu-mss [Port] {portID} [default | number] Sets the MTU-MSS value for the interface. Default is 1500.
lag-interface [interface_name] [lag-mgt] [active-backup] [auto] [Port] {portID} [lacp] [lacp-rate] [fast | slow] [static-mode] [enable | disable] [xmit-hash-policy] [layer2] [layer2+3] [layer3+4] [link-mgt] [down-delay] <0-10000> [garp-count] <0-255> [monitor-interval] <0-10000> [up-delay] <0-10000> Allows you to set various parameters for any configured lag interfaces.

The down-delay available values are 0 to 10000 milliseconds

The garp-count values are 0 to 255

The monitor-interface values are 0 to 10000 milliseconds

The up-delay values are 0 to 10000 milliseconds


Allows you to set various parameters for VPN connections, including failover settings, authentication settings, and MTU.

Syntax Description
conn-remove-on-failover [all | non-tcp] [conn-remove-tunnel-up] [enable | disable] [l2tp | pptp] [authentication] [ANY | CHAP | MS_CHAPv2 | PAP] [mtu] <576-1460> Authentication parameters can be set for L2TP and PPTP VPNs, in addition to global failover and failback parameters for all traffic or non TCP traffic. MTU can be set for L2TP. The available values are 576 to 1460. Default is 1410.