

The system command allows configuration of a range of system parameters.

The components and their parameters configurable via system are described in the sections below:


Allows you to view airgap status and turn airgap functionality on and off.

Syntax Description
[enable] Use to enable airgap functionality.
[disable] Use to disable airgap functionality.
[show] Displays the current airgap configuration.


Allows you to override or bypass the configured device access settings and allow access to all the Sophos Firewall services.

Syntax Description
[disable] Disables appliance access. Disable is the default setting.
[enable] Enables appliance access.
[show] Displays the current appliance access status.


Once application classification is enabled, traffic is categorized on the basis of application, and is displayed on the Admin Console. Once application classification is enabled, you can enable microapp discovery, which identifies and classifies microapps used within web browsers. If application classification is disabled, traffic categorization is based on port numbers.

Syntax Description
[off] [on] [show] microapp-discovery [off] [on] [show] If application classification is enabled, traffic is categorized on the basis of application. Once application classification is enabled, you can enable microapp discovery, which identifies and classifies microapps used within web browsers.

If application classification is disabled then traffic is classified based on port number.

Default: on


Sets authentication parameters for use with STAS, terminal services, thin client, and maximum live user settings.

Syntax Description
cta [add] [delete] [IP-Address] CTA is used in the configuration of STAS authentication.

When entering commands where IP-Address is specified you need to type the IP address.
max-live-users [set] [numerical value] [show] For max live users the available values are 8192-32768.

Using the command show will display the currently configured values.
thin-client [add] [delete] [citrix-ip] [IP-Address] [show] Thin client is used for authentication within a Citrix environment.


Auto reboot on hang determines how the system behaves if the kernel goes into a hung state.

Syntax Description
[disable] [enable] [show] Default: enabled.


Allows setting of various parameters for bridged interfaces.

Syntax Description
bypass-firewall-policy [unknown-network-traffic] [allow] [drop] [show] [dynamic] [static] Use the bypass-firewall-policy command to configure a policy for non-routable traffic for which no security policy is applied.
static-entry [add] [delete] [show] [interface] [bridge name] [Port] [macaddr] [MAC Address] [priority] [dynamic] [static] Use the static-entry command for configuring static MAC addresses in bridge mode. The bridge forwarding table stores all the MAC addresses learned by the bridge and is used to determine where to forward packets.
max_bridge_members [reset] [set] [limit] [numerical value] [show] Use the max_bridge_members command to set the maximum number of interfaces allowed for a bridged interface. Available values: 2-256.


Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal using the WAN or VPN interfaces. The CAPTCHA is always active for the SPX portal and can't be turned off.

If you use this command to disable the CAPTCHA, it will override the VPN-specific setting. We recommend having this setting enabled, and only disabling the CAPTCHA for VPN users using the VPN specific command, captcha_authentication_VPN.

Signing in from a LAN interface doesn't require a CAPTCHA.

Syntax Description
[disable] [enable] [show] for [webadminconsole] [userportal] Default: Enabled


Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal. The CAPTCHA is always active for the SPX portal and can't be turned off.

Administrators signing in to the web admin console, and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on Sophos Firewall and not on an external authentication server, such as an AD server.

The CAPTCHA isn't shown on XG 85 and XG 85w devices.

Syntax Description
[disable] [enable] [show] for [webadminconsole] [userportal] Default: Disabled

If you configured a site-to-site IPsec connection with remote subnet set to Any, the CAPTCHA applies to all these tunnels. To make sure the CAPTCHA doesn't apply to specific remote hosts or networks, add these to an IPsec route. For <mytunnel>, select from the names of the original IPsec connections shown on the command-line interface.

Examples of commands to add a remote host or network are as follows:

Remote host: console> system ipsec_route add host <> tunnelname <mytunnel>

Remote network: console> system ipsec_route add net <> tunnelname <mytunnel>


Allows you to enable or disable the cellular WAN and view any Wi-Fi modem information if connected. The cellular WAN menu will be available in web admin console once cellular WAN has been enabled from CLI.

Syntax Description
[disable] [enable] query [serialport] [serial port number] [ATcommand] [command string] set [disconnect-on-systemdown] [off] [on] modem-setup-delay [numerical value] When using the modem-setup-delay command, the numerical value is the number of seconds that you wish to delay the modem coming online.

When using AT commands all valid AT commands are accepted.


Allows you to add top users to generated PDF reports.

Syntax Description
[disable] [enable] [show] You can enable or disable this feature and show the current setting.


Sophos Firewall supports configuration of DHCP options, as defined in RFC 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.

Syntax Description
conf-generation-method [new] [old] [show] Use conf-generation-method to assign the method of generating configuration messages. Default: old.
dhcp-relay-refresh-interval [set] [seconds] [numerical value] [show] Use dhcp-relay-refresh-interval to set the time in seconds for refresh packets to be sent. Available values: 10-1000. Default: 10.
dhcp-options [add] [optioncode] [numerical value] [delete] [optionname] [binding] [add] [delete] [dhcpname] [show] Use dhcp-options to assign properties from the DHCP server to the clients. Example: Set a DNS server address.
lease-over-IPSec [disable] [enable] [show] Use lease-over-IPSec to specify how DHCP leases should be handled for IPsec connections. Default: disable.
one-lease-per-client [disable] [enable] [show] Default: disable
send-dhcp-nak [disable] [enable] [show] Default: enable
static-entry-scope [disable] [enable] [show] Default: network
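
The options field described above is a magic cookie followed by code/length/value entries (RFC 2132). The parser below is an added example, not Sophos code: it decodes a captured options field so you can check which values, such as the DNS server, a lease actually hands to clients. The function names and the sample bytes are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])      # RFC 2132, section 2
PAD, END = 0, 255                            # the two options without a length byte
# RFC 2132 options whose value is a list of IPv4 addresses.
IPV4_OPTIONS = {1: "subnet-mask", 3: "router", 6: "domain-name-server"}

def parse_options(field: bytes) -> dict:
    """Return {option code: raw value bytes} from a DHCP options field."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == END:
            return options
        if code == PAD:                      # single byte, no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError(f"option {code}: length byte missing")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:             # declared length runs past the buffer
            raise ValueError(f"option {code}: value truncated")
        # A code that appears twice is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no End option (255)")

def decode_ipv4_list(code: int, value: bytes) -> list:
    if len(value) == 0 or len(value) % 4:
        raise ValueError(f"option {code}: length {len(value)} is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[n:n + 4]))
            for n in range(0, len(value), 4)]

def describe(field: bytes) -> dict:
    """Decode address-list options by name; show everything else as hex."""
    out = {}
    for code, value in parse_options(field).items():
        if code in IPV4_OPTIONS:
            out[IPV4_OPTIONS[code]] = decode_ipv4_list(code, value)
        else:
            out[f"option-{code}"] = value.hex()
    return out

# Constructed sample: the options field of a DHCPACK (documentation addresses).
SAMPLE = (MAGIC_COOKIE
          + bytes([53, 1, 5])                              # message type 5 = DHCPACK
          + bytes([1, 4, 255, 255, 255, 0])                # subnet mask
          + bytes([3, 4, 192, 0, 2, 1])                    # router
          + bytes([6, 8, 192, 0, 2, 53, 198, 51, 100, 53]) # two DNS servers
          + bytes([0, 0])                                  # padding
          + bytes([255]))                                  # end

if __name__ == "__main__":
    for name, value in describe(SAMPLE).items():
        print(name, value)
```
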


Sophos Firewall supports configuration of DHCPv6 options, as defined in RFC 3315. DHCPv6 options allow you to specify additional DHCPv6 parameters in the form of pre-defined, vendor-specific information that is stored in the options field of a DHCPv6 message. When the DHCPv6 message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix B provides a list of DHCPv6 options by RFC-assigned option number.

Syntax Description
dhcpv6-options [add] [optioncode] [numerical value] [delete] [optionname] [list] [binding] [add] [delete] [dhcpname] [show] Available values for optioncode: 1-65535.


Use this command to configure discover mode on one or more interfaces.

Syntax Description
tap [add] [delete] [Port] [show] Add and delete discover mode for the specified ports or show current ports that have discover mode configured.


Diagnostics allows you to view and set various system parameters for troubleshooting purposes.

Syntax Description
ctr-log-lines [numerical value] [traceroute] [traceroute6] Set the number of lines to display in the Consolidated Troubleshooting Report (CTR) log file. Available values for ctr-log-lines: 250-10000. Default: 1000.
purge-old-log Use purge-old-log to purge all rotated log files.
subsystems [Access-Server] [Bwm] [CSC] [IM] [IPSEngine] [LoggingDaemon] [Msyncd] [POPIMAPDaemon] [Pktcapd] [SMTPD] [SSLVPN] [SSLVPN-RPD] [WebProxy] [Wifiauthd] When using subsystems: Configure each subsystem individually. Configuration options include: debug, purge-logs and purge-oldlogs
show [cpu] [interrupts] [syslog] [version-info] [ctr-log-lines] [memory] [sysmsg] [disk] [subsystem-info] [uptime] Use diagnostics to view the current status of various systems such as cpu and memory usage.
show version-info Displays information about the current Sophos Firewall firmware version.
utilities [arp] [bandwidthmonitor] [connections] [dnslookup] [dnslookup6] [drop-packet-capture] [netconf] [netconf6] [ping] [ping6] [process-monitor] [route] [route6] [traceroute] [traceroute6] Utilities provides a number of systems to help with troubleshooting.


Use dos-config to configure denial of service (DoS) policies and rules. You can enable flood protection for ICMP/TCP/UDP/IP packet types by configuring the maximum packets per second to be allowed per source, destination or globally. If the traffic exceeds the limit then the device considers it an attack.

DOS policy configuration:

Syntax Description
add [dos-policy] [policy_name] [string] [ICMP-Flood] [IP-Flood] [SYN-Flood] [UDP-Flood] [numerical value] [pps] [global] [per-dst] [per-src] Value options 1-10000 packets per second.

Using per-src: Configures packets per second (pps) allowed from a single source, above which the device will drop the packets. The limit is applicable to individual source requests per user/IP address.

Using per-dst: Configures packets per second (pps) allowed to a single destination. The limit is applicable to individual destination requests per user/IP address.

Using global: Apply the limit on the entire network traffic regardless of source/destination requests.

With the per-src option configured, if the source rate is 2500 packets/second and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per second. With the global option selected, if the configured limit is 2500 packets/second and the network consists of 100 users, then only 2500 packets/second are allowed for the entire traffic coming from all the users.
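
The difference between the per-src, per-dst and global scopes described above can be seen by running the same traffic through each one. This is an added example, not Sophos code: it assumes the rate is counted in fixed one-second windows (the page does not say how the device measures it), and the function names and addresses are constructed.

```python
from collections import Counter, defaultdict

SCOPES = ("per-src", "per-dst", "global")

def apply_flood_limit(packets, limit_pps, scope):
    """Split packets into (allowed, dropped) under one flood limit.

    packets: iterable of (timestamp_seconds, src_ip, dst_ip).
    Assumption: packets are counted in fixed one-second windows.
    """
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    if not 1 <= limit_pps <= 10000:          # value range given on the page
        raise ValueError("limit must be 1-10000 packets per second")
    seen = defaultdict(int)
    allowed, dropped = [], []
    for ts, src, dst in sorted(packets):
        # The scope decides which packets share one counter.
        who = {"per-src": src, "per-dst": dst, "global": "*"}[scope]
        window = (int(ts), who)
        seen[window] += 1
        target = allowed if seen[window] <= limit_pps else dropped
        target.append((ts, src, dst))
    return allowed, dropped

def dropped_by_source(packets, limit_pps, scope):
    """Count dropped packets per source address for one scope."""
    _, dropped = apply_flood_limit(packets, limit_pps, scope)
    return dict(Counter(src for _, src, _ in dropped))

def sample_traffic():
    """Constructed sample, all within one second: three ordinary clients
    sending 4 packets each, and one source sending 20 packets."""
    pkts = []
    for host in (1, 2, 3):
        pkts += [(n * 0.2, f"10.0.0.{host}", "192.0.2.10") for n in range(4)]
    pkts += [(n * 0.04, "10.0.0.9", "192.0.2.20") for n in range(20)]
    return pkts

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, dropped_by_source(sample_traffic(), 5, scope))
```

With a limit of 5 pps, per-src drops only the excess from the flooding source, while global also drops packets from the three ordinary clients because all sources share one counter.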

DOS rule configuration:

Syntax Description
add [dos-rule] [rule_name] [rule_name] [srcip] [ipaddress] [dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp] [ip] [tcp] [udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ] [LAN] [WAN] [VPN] [WiFi] [custom zone] [dos-policy] [policy name] You can create a DOS rule to apply to all packet types or specific packet types within one command.

To delete a DOS rule or policy:

Syntax Description
delete [dos-policy] [dos-rule] [dos-policy] [rule-name] [policy-name] [string] When specifying the string this should be the name of your dos rule or policy.

To flush or view DOS rules and policies the following options are available:

Syntax Description
flush [dos-rules] show [dos-rules] [dos-policies] [rule-name] [policy-name] [string] When specifying a string this should be your policy or rule name.


The filesystem command enables you to enforce disk write permissions for the report partition.

Syntax Description
enforce-disk-write [partition-name] [report] [enable] [disable] [show] Enable or disable disk write permissions or show the current status. Default: enabled.


Use firewall-acceleration to enable the advanced data-path architecture, which allows faster processing of data packets for known traffic.

Syntax Description
[disable] [enable] [show] Enable or disable firewall acceleration or show the current configuration. Default: enabled.


Check file system integrity of all the partitions. Turning this option on forces a file system integrity check on the next device restart. If the device goes into failsafe mode, this check is automatically turned on. The device can go into failsafe mode for the following reasons:

  • Unable to start config, report or signature database.
  • Unable to apply migration.
  • Unable to find the deployment mode.
Syntax Description
[off] [on] [show] Turn integrity checking on or off for the next restart or show the current configuration. Default: off.


Using gre, you can configure and delete GRE tunnels and set their TTL and status. You can also view route details such as tunnel name, local gateway network and netmask, and remote gateway network and netmask.

Syntax Description
route [add] [del] [ipaddress] [network/netmask] [tunnelname] [local-gw] [WAN Address] [remote-gw] [remote WAN ipaddress] [local-ip] [ipaddress] [remote-ip] [ipaddress] [show]

tunnel [add] [name] [tunnelname] [local-gw] [port] [remote-gw] [ipaddress/netmask] [local-ip] [ipaddress] [remote-ip] [ipaddress] [del] [ALL] [name] [local-gw] [Port] [remote-gw] [network/netmask]
When using route and adding or deleting a host IP address, type the IP address. Example,

When adding or deleting a network type both the network and subnet mask. Example,

For name, type the tunnel name.

When using tunnel to add or delete a new tunnel, tunnelname should be the name you want to give to the tunnel.


Allows configuration of certain HA parameters.

Syntax Description
auxiliary_system_traffic_through_dedicated_link [all] [none] [only_dynamic_interface] [show] load-balancing [on] [off] [show] Use auxiliary_system_traffic_through_dedicated_link to configure routing for system traffic sent by the auxiliary. Default: pass all traffic over the dedicated link.

Load balancing can be turned on or off and will balance traffic between the appliances.

Show will display the current HA configuration.


The hardware-acceleration command turns Intel QuickAssist Technology (QAT) on or off. Intel QAT provides cryptography offload capabilities for IPsec data traffic, for the following hashing algorithms:

  • AES
  • 3DES with MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512
Syntax Description
hardware-acceleration [on] Turns hardware acceleration on.
hardware-acceleration [off] Turns hardware acceleration off.
hardware-acceleration [show] Shows the hardware acceleration status.


Currently, hardware acceleration for IPsec VPN is only available on some XG Series devices. It accelerates and compresses cryptographic workloads and is available for IPsec VPN connections on XG 125 Rev.3, XG 135 Rev.3, and XG 750 appliance models.


Provides options for configuring IPsec routing.

Syntax Description
add [host] [ipaddress] [tunnelname] [string]

del [net] [ipaddress/netmask] [tunnelname] [ipaddress/netmask] [tunnelname] [string] [show]
Add or delete IPsec routes by host or network or show the current routes configured.


Syntax Description
Turn on or turn off kdump or show the current status of kdump.
kdump creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image that you can analyze to determine the cause of a crash.

You can configure a VPN as a backup link. When configured, whenever the primary link fails, traffic is sent through the VPN connection.

Syntax Description
add [primarylink] [portname] [backuplink] [vpn] [gre] [tunnel] [tunnelname] [monitor PING host] [monitor TCP host] [ipaddress] [portnumber] Failover can be configured to use a VPN or GRE tunnel. When using TCP host monitoring, you also need to specify the TCP port to be monitored. The monitoring port is not required if using ping monitoring.


Restart Sophos Firewall.

Syntax Description
[all] Restarts Sophos Firewall. If configured in HA this will cause a failover.


Sets routing precedence. By default, route lookup precedence is:

  1. Static
  2. Policy
  3. VPN
Syntax Description
set [sdwan_policyroute] [static] [vpn] [show] When setting route precedence with more than one option, the first choice takes the highest priority. Use show to display the current configuration.


Shut down Sophos Firewall. There are no further options to use with this command.


Allows you to modify synchronized security behavior. You can specify whether to send the heartbeat to Sophos Central. At times, synchronized security may stop you from registering or deregistering Sophos Firewall with Sophos Central. To prevent this, you can clear the synchronized security configuration.

Syntax Description
delay-missing-heartbeat-detection set time Sets the time to wait before moving the endpoint to missing heartbeat status. Use this when there are frequent adapter changes (for example, when switching between Wi-Fi and LAN connections).

Range: 30 to 285, in multiples of 15.

Default: 60
suppress-missing-heartbeat-to-central set time Sets the time to wait before Sophos Firewall reports the missing heartbeat status to Sophos Central. We recommend using this option if endpoints are expected to frequently sleep, hibernate, shut down, or wake up.

Range: 0 to 120

Default: 0
central_registration deregister Clears the synchronized security configuration with Sophos Central.


Load or unload the following system modules:

  • dns
  • h323
  • irc
  • pptp
  • sip
  • tftp

By default system modules are loaded.

Syntax Description
dns [load] [unload] DNS: The dns module learns the subdomains of non-local DNS traffic.
h323 [load] [unload] H323: The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the internet.
pptp [load] [unload] PPTP: Point to Point Tunneling Protocol is a network protocol that enables secure transfer of data from a remote client to a private server, creating a point to point VPN tunnel using a TCP/IP based network.
irc [load] [unload] [port] [portname] [default] IRC: Internet Relay Chat is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it is an open network and with no control on file sharing, performance is affected.
sip [load] [unload] [portname] [default] SIP: Session Initiation Protocol is a signaling protocol which enables the controlling of media communications such as VoIP. The protocol is generally used for maintaining unicast and multicast sessions consisting of several media systems. SIP is a text based and TCP/IP supported application layer protocol.
tftp [load] [unload] [portname] [default] [show] TFTP: Trivial File Transfer Protocol is a simple form of the file transfer protocol (FTP). TFTP uses the user datagram protocol (UDP) and provides no security features.


Manage the waiting period for detecting the readiness of the USB drive.

Use this option when you're using firewall provisioning or zero touch configuration to set up the firewall.

Syntax Description
set [number] [show] Set the value in seconds that you wish to wait before USB devices are detected.

Available values are: 1-15. The default is 3.


Set VLAN tags for VLAN traffic passing through Sophos Firewall.

Syntax Description
set [interface] [interfacename] [vlanid] [number]

reset [interface] [interfacename] [reset]
Use these commands to set and reset VLAN IDs for an interface or to show the current configuration.

Available VLAN IDs: 0-4094.


You can configure all VLAN tagging, including for bridge interfaces, from the web admin console. If you have previously configured VLAN tags for a bridge interface from the CLI, we recommend you delete the configuration and set the tags in the web admin console instead.


The wireless-controller settings let you configure parameters for attached access points including enabling troubleshooting features.

Syntax Description
ap_localdebuglevel [get] [set] [number]

global [ap_autoaccept] [value] [ap_debuglevel] [number] [log_level] [number] [radius_accounting_start_delay] [number] [show] [stay_online] [number] [store_bss_stats] [number] [tunnel_id_offset] [number]
Use the ap_localdebuglevel and ap_debuglevel commands to configure the debugging level the device will use when logging.

The level parameter must be from 0 (lowest) to 15 (highest).

You can view the current debug level using the get parameter.

The log_level parameter configures the logging level the device will use. When an event is logged, it is printed into the corresponding log if the log level of the message is equal to or higher than the configured log level. The level parameter must be from 0 (lowest) to 7 (highest).

The radius_accounting_start_delay parameter sets the delay to start the 802.1x accounting for the Wi-Fi client. You can set the delay depending on the DHCP response time. You can set a value from 0 to 60 seconds. This allows the Wi-Fi client to receive the IP address first and then start the accounting. The Wi-Fi SSO uses the framed IP address from the accounting start message and allows the user to sign in to Sophos Firewall.

Available values for ap_autoaccept, stay_online and store_bss_stats are 0 (off) or 1 (on).

The tunnel_id_offset parameter value must be from 0 (lowest) to 65535 (highest).
remote_pktcap [disable] [enable] [show] [AP serial number] The remote_pktcap command captures packets on access points when a packet capture is running. To start packet capturing, the value of the ap_debuglevel parameter must be equal to or greater than 4.
set_channel_width [Wi-Fi interface name] [band] [Wi-Fi band] [channel_width] [number] You can choose Wi-Fi band 2.5GHz or 5GHz.

Available channel widths are: 20 and 40 for 2.5GHz, and 20, 40, or 80 for 5GHz.