Skip to content


The system command allows you to configure a range of system parameters.

Syntax description

set main-command option [arguments] {user defined input} <ranges>


Allows you to view airgap status and turn airgap functionality on and off.

Syntax Description
[enable] Use to enable airgap functionality.
[disable] Use to disable airgap functionality.
[show] Displays the current airgap configuration.


Allows you to override or bypass the configured device access settings and allow access to all the Sophos Firewall services.

Syntax Description
[disable] Disables appliance access. Disable is the default setting.
[enable] Enables appliance access.
[show] Displays the current appliance access status.


Once you turn on application classification, traffic is categorized based on the application and is shown on the web admin console. You can also turn on microapp discovery, which identifies and classifies microapps used within web browsers. If you turn application classification off, traffic categorization is based on port numbers.

Syntax Description
[off | on | show] microapp-discovery [off | on | show] If you turn application classification on, traffic is categorized based on application. Once application classification is turned on, you can turn on microapp discovery, which identifies and classifies microapps used within web browsers.

If you turn application classification off, traffic is classified based on port number.

Default: on


Sets authentication parameters for STAS, terminal services, thin client, and maximum live user settings.

Syntax Description
cta [add | delete] [IP-Address] {IP address} You can use CTA when you configure STAS authentication.
max-live-users [show | set] <8192-32768> For max live users, the available values are 8192 to 32768.

Use the show command to see the current values.

thin-client [add | delete | show] [citrix-ip] {IP Address} Thin client is used for authentication within a Citrix environment.


Auto reboot on hang determines how the system behaves if the kernel stops responding.

Syntax Description
[disable | enable | show] Default: enabled.


Allows setting of various parameters for bridged interfaces.

Syntax Description
bypass-firewall-policy [unknown-network-traffic] [allow | drop | show] [dynamic | static] Use the bypass-firewall-policy command to configure a policy for non-routable traffic for which no security policy is applied.
static-entry [add | delete | show] [interface] {interface ID} [bridge name] [Port] {PortID} [macaddr] {MAC Address} [priority] [dynamic | static] Use the static-entry command to configure static MAC addresses in bridge mode. The bridge forwarding table stores all the MAC addresses learned by the bridge and is used to determine where to forward packets.
max_bridge_members [reset | set] [limit] <2-256>[show] Use the max_bridge_members command to set the maximum number of interfaces allowed for a bridged interface. Available values are 2 to 256.


Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal using the WAN or VPN interfaces. The CAPTCHA is always active for the SPX portal and can't be turned off.

If you use this command to turn off the CAPTCHA, it overrides the VPN-specific setting. We recommend that you turn this setting on and only turn the CAPTCHA off for VPN users using the VPN-specific command, captcha_authentication_VPN.

Signing in from a LAN interface doesn't require a CAPTCHA.

Syntax Description
[disable | enable | show] for [webadminconsole | userportal] Default: Enabled


Allows you to turn on or turn off CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal. The CAPTCHA is always active for the SPX portal and can't be turned off.

Administrators signing in to the web admin console and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on Sophos Firewall and not on an external authentication server, such as an AD server.

XG 85 and XG 85w devices don't show the CAPTCHA.

Syntax Description
[disable | enable | show] for [webadminconsole | userportal] Default: Disabled

If you configured a site-to-site IPsec connection with the remote subnet set to Any, the CAPTCHA applies to all these tunnels. Add these to an IPsec route to ensure the CAPTCHA doesn't apply to specific remote hosts or networks. For <mytunnel>, select from the names of the original IPsec connections shown on the command-line interface.

Examples of commands to add a remote host or network are as follows:


Remote host: console> system ipsec_route add host tunnelname mytunnel

Remote network: console> system ipsec_route add net tunnelname mytunnel


Allows you to turn on or turn off the cellular WAN and view any Wi-Fi modem information if connected. The cellular WAN menu will be available in the web admin console once cellular WAN has been enabled from the CLI.

Syntax Description
[disable | enable] query [serialport] {serial port number} [ATcommand] {command string} set [disconnect-on-systemdown] [off | on] modem-setup-delay {numerical value} When using the modem-setup-delay command, the numerical value is the number of seconds that you wish to delay the modem coming online.

When using AT commands, all valid AT commands are accepted.


Allows you to add top users to generated PDF reports.

Syntax Description
[disable | enable | show] You can enable or disable this feature and show the current setting.


Sophos Firewall supports the configuration of DHCP options, as defined in RFC 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.

Syntax Description
conf-generation-method [new | old] [show] Use conf-generation-method to assign the method of generating configuration messages. Default: old.
dhcp-relay-refresh-interval [show | set] [seconds] <10-10000> Use dhcp-relay-refresh-interval to set the time in seconds for refresh packets to be sent. Available options, 10-1000. Default, 10
dhcp-options [add | delete | show] [optioncode] <1-65535> [optionname] [binding] [dhcpname] Use dhcp-options to assign properties from the DHCP server to the clients. Example: Set a DNS server address.
lease-over-IPSec [disable | enable | show] Use lease-over-IPSec to specific how DHCP leases are handled for IPsec connections. Default: disable.
one-lease-per-client [disable | enable | show] Default: disable
send-dhcp-nak [disable | enable | show] Default: enable
static-entry-scope [disable | enable | show] Default: network


Sophos Firewall supports the configuration of DHCPv6 options, as defined in RFC 3315. DHCPv6 options allow you to specify additional DHCPv6 parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCPv6 message. When the DHCPv6 message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix B provides a list of DHCPv6 options by RFC-assigned option number.

Syntax Description
dhcpv6-options [add | delete] [optioncode] <1-65535> [optionname] [list] [binding] [add | delete] [dhcpname] [show] Available values for optioncode are 1 to 65535.


Use this command to configure discover mode on one or more interfaces.

Syntax Description
tap [add | delete | show] [Port] Add and delete discover mode for the specified ports or show current ports that have discover mode configured.


Diagnostics allows you to view and set various system parameters for troubleshooting purposes.

Syntax Description
ctr-log-lines <250-10000> [traceroute | traceroute6] Sets the number of lines to show in the Consolidated Troubleshooting Report (CTR) log file. Available options are 250 to 10000. Default, 1000.
purge-old-log Use to purge all rotated log files
subsystems [Access-Server] [Bwm | CSC | IM | IPSEngine | LoggingDaemon | Msyncd | POPIMAPDaemon | Pktcapd | SMTPD | SSLVPN | SSLVPN-RPD | WebProxy | Wifiauthd] [debug | purge-logs | purge-oldlogs] When you use subsystems, configure each subsystem individually.
show [cpu | interrupts | syslog | version-info | ctr-log-lines | memory | sysmsg | disk | subsystem-info | uptime] Use diagnostics to view the current status of various systems such as CPU and memory usage.
show version-info Displays information about the current Sophos Firewall firmware version.
utilities [arp | bandwidthmonitor | connections | dnslookup | dnslookup6 | drop-packet-capture | netconf | netconf6 | ping | ping6 | process-monitor | route | route6 | traceroute | traceroute6] Utilities provides a number of systems to help with troubleshooting.


Use dos-config to configure denial of service (DoS) policies and rules. You can turn on flood protection for ICMP, TCP, UDP and IP packet types by configuring the maximum packets per second to be allowed per source, per destination, or globally. If the traffic exceeds the limit, the device considers it an attack.

DOS policy configuration:

Syntax Description
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src] The packets per second (PPS) value options are 1 to 10000 packets.

Using per-src: You can configure packets per second (PPS) allowed from a single source. If more packets come from a single source, Sophos Firewall drops the packets. The limit applies to individual source requests per user or IP address.

Using per-dest: You can configure packets per second (PPS) allowed to a single destination. The limit applies to individual destination requests per user or IP address.

Using global: Apply the limit on the entire network traffic regardless of source and destination requests.

With the per-src option configured, if the source rate is 2500 packets/second and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per second. If you select the global option, configure the limit as 2500 packets per second, and the network consists of 100 users, only 2500 packets per second are allowed for all traffic from all users.

DOS rule configuration:

Syntax Description
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name] You can create a denial-of-service (DoS) rule to apply to all packet types or specific packet types within one command.

To delete a DoS rule or policy:

Syntax Description
delete [dos-policy] [dos-rule] [dos-policy] [rule-name | policy-name] [string] The string must be the name of your DoS rule or policy.

To flush or view DOS rules and policies, the following options are available:

Syntax Description
flush [dos-rules | dos-rules | dos-policies] [rule-name | policy-name] [show | string] The string must be the name of your DoS rule or policy.


The filesystem command enables you to enforce disk write permissions for the report partition.

Syntax Description
enforce-disk-write [partition-name] [report | enable | disable | show] Enable or disable disk write permissions or show the current status. Default: enabled.


Use firewall-acceleration to enable advanced data-path architecture, allowing faster processing of data packets for known traffic.

Syntax Description
[disable | enable | show] Enable or disable firewall acceleration or show the current configuration. Default: enabled.


Check the file system integrity of all the partitions. Turning this option on forcefully checks the file system integrity on the next device restart. This check is automatically turned on if the device goes into failsafe mode. The device can go into failsafe mode for the following reasons:

  • Unable to start config, report, or signature database.
  • Unable to apply migration.
  • Unable to find the deployment mode.
Syntax Description
[off | on | show] Turn integrity checking on or off for the next restart or show the current configuration. Default: off.


Using gre, you can configure, delete, set TTL and status for gre tunnels. You can also view route details like tunnel name, local gateway network and netmask, and remote gateway network and netmask.

Syntax Description
route [add | del | show] [ipaddress] [network/netmask] [tunnelname][local-gw] [WAN Address] [remote-gw] [remote WAN ipaddress] [local-ip] [ipaddress] [remote-ip] [ipaddress]

tunnel [add | del | show] [ALL | name] [tunnelname] [local-gw] [port] [remote-gw] [ipaddress/netmask] [local-ip] [ipaddress] [remote-ip] [ipaddress] [name] [local-gw] [Port] [remote-gw] [network/netmask]

When using route and adding or deleting a host IP address type the IP address. Example,

When you add or delete a network, type the network IP and subnet mask. Example,

For name, type the tunnel name.

When using tunnel to add or delete a new tunnel, tunnelname must be the name you want to give to the tunnel.


Allows configuration of certain HA parameters.

Syntax Description
auxiliary_system_traffic_through_dedicated_link [all] [none] [only_dynamic_interface] [show] load-balancing [on] [off] [show] Use auxiliary_system_traffic_through_dedicated_link to configure routing for system traffic sent by the auxiliary firewall. The default setting passes all traffic over the dedicated link.

Load balancing can be turned on or off. When turned on, traffic is balanced between the firewalls.

Show displays the current HA configuration


The hardware-acceleration command turns Intel quick assist technology (QAT) on or off. Intel QAT provides cryptography offload capabilities for IPsec data traffic for the following hashing algorithms:

  • AES
  • 3DES with MD5
  • SHA1
  • SHA256
  • SHA384
  • SHA512
Syntax Description
hardware-acceleration [on] Turns hardware acceleration on.
hardware-acceleration [off] Turns hardware acceleration off.
hardware-acceleration [show] Shows the hardware acceleration status.


Currently, hardware acceleration for IPsec VPN is only available on some XG Series devices. It accelerates and compresses cryptographic workloads and is available for IPsec VPN connections on XG 125 Rev.3, XG 135 Rev.3, and XG 750 appliance models.


Provides options for configuring IPsec routing.

Syntax Description
add [host] [ipaddress] [tunnelname] [string]

del [net] [ipaddress/netmask] [tunnelname] [ipaddress/netmask] [tunnelname] [string] [show]

Add or delete IPsec routes by host or network or show the current routes configured.


Syntax Description
Turn on or turn off kdump or show the current status of kdump.
kdump creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image that you can analyze to determine the cause of a crash.

You can configure a VPN as a backup link. Traffic is sent through the the VPN connection whenever the primary link fails.

Syntax Description
add [primarylink] [portname] [backuplink] [vpn] [gre] [tunnel] [tunnelname] [monitor PING host] [monitor TCP host] [ipaddress] [portnumber] You can configure failover to use a VPN or GRE tunnel. When you use TCP host monitoring, you'll need to specify the TCP port to monitor. If you use ping monitoring the monitoring port isn't required.


Restart Sophos Firewall.

Syntax Description
[all] Restarts Sophos Firewall. If you configure this in HA, it causes a failover.


Sets routing precedence. By default, the route lookup precedence is as follows:

  1. Static
  2. Policy
  3. VPN
Syntax Description
set [sdwan_policyroute] [static] [vpn] [show] When you set route precendence and you enter more than one option, the first option takes priority. Use show to display the current configuration.


Shut down Sophos Firewall. There are no further options to use with this command.


Allows you to change synchronized security behavior. You can specify whether to send the heartbeat to Sophos Central. At times, synchronized security may stop you from registering or deregistering Sophos Firewall with Sophos Central. To prevent this, you can clear the synchronized security configuration.

Syntax Description
delay-missing-heartbeat-detection set time Sets the time to wait before moving the endpoint to missing heartbeat status. Use this when there are frequent adapter changes (for example, when switching between Wi-Fi and LAN connections).

Range: 30 to 285, in multiples of 15.

Default: 60

suppress-missing-heartbeat-to-central set time Sets the time to wait before Sophos Firewall reports the missing heartbeat status to Sophos Central. We recommend using this option if endpoints are expected to frequently sleep, hibernate, shut down, or wake up.

Range: 0 to 120

Default: 0

central_registration deregister Clears the synchronized security configuration with Sophos Central.


Load or unload the following system modules;

  • dns
  • h323
  • irc
  • pptp
  • sip
  • tftp

By default, system modules are loaded.

Syntax Description
dns [load | unload] DNS: The DNS module learns the subdomains of non-local DNS traffic.
h323 [load | unload] H323: The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the internet.
pptp [load | unload] PPTP: Point to Point Tunneling Protocol is a network protocol that enables the secure transfer of data from a remote client to a private server, creating a point-to-point VPN tunnel using a TCP/IP-based network.
irc [load | unload] [port] [portname] [default] IRC: Internet Relay Chat is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it's an open network, and performance is affected with no control over file sharing.
sip [load | unload] [portname] [default] SIP: Session Initiation Protocol is a signaling protocol which enables the controlling of media communications such as VoIP. The protocol is generally used to maintain unicast and multicast sessions of several media systems. SIP is a text-based and TCP / IP-supported application layer protocol.
tftp [load | unload] [portname] [default] [show] TFTP: Trivial File Transfer Protocol is a simple form of the file transfer protocol (FTP). TFTP uses the user datagram protocol (UDP) and provides no security features.


Manage the waiting period for detecting the readiness of the USB drive.

Use this option when using firewall provisioning or zero-touch configuration to set up the firewall.

Syntax Description
set [number] [show] Set the value in seconds that you wish to wait before USB devices are detected.

Available values are 1 to 15. The default is 3.


Set VLAN tags for VLAN traffic passing through Sophos Firewall.

Syntax Description
set [interface] [interfacename] [vlanid] [number]

reset [interface] [interfacename] [reset]

Use these commands to set and reset VLAN IDs for an interface or to show the current configuration.

Available VLAN IDs: 0 to 4094.


You can configure all VLAN tagging, including for bridge interfaces, from the web admin console. If you've previously configured VLAN tags for a bridge interface from the CLI, we recommend you delete the configuration and set the tags in the web admin console instead.


The wireless-controller settings let you configure parameters for attached access points, including troubleshooting features.

Syntax Description
ap_localdebuglevel [get] [set] [number]

global [ap_autoaccept] [value] [ap_debuglevel] [number] [log_level] [number] [radius_accounting_start_delay] [number] [show] [stay_online] [number] [store_bss_stats] [number] [tunnel_id_offset] [number]

Use the ap_localdebuglevel and ap_debuglevel commands to configure the debugging level the device will use when logging.

The level parameter must be between 0 (lowest) and 15 (highest).

You can view the current debug level using the get parameter.

The log_level parameter configures the logging level the device will use. When an event is logged, it's printed into the corresponding log if the message's log level is equal to or more than the configured log level. The level parameter must be between 0 (lowest) and 7 (highest).

The radius_accounting_start_delay parameter sets the delay to start the 802.1x accounting for the Wi-Fi client. You can set the delay depending on the DHCP response time. You can set a value from 0 to 60 seconds. This allows the Wi-Fi client to receive the IP address first and then start the accounting. The Wi-Fi SSO uses the framed IP address from the accounting start message and allows the user to sign in to Sophos Firewall.

Available values for ap_autoaccept, stay_online and store_bss_stats are, 0 (off) or 1 (on).

The tunnel_id_offset parameter value must be from 0 (lowest) to 65535 (highest).

remote_pktcap [disable | enable | show] [AP serial number] The remote_pktcap command captures packets on access points when a packet capture is running. To start packet capturing, the value of the ap_debuglevel parameter must be equal to or greater than 4.
set_channel_width [Wi-Fi interface name] [band] [Wi-Fi band] [channel_width] [number] You can choose Wi-Fi band 2.5GHz or 5GHz.

Available channel widths are 20 and 40 for 2.5GHz, and 20, 40, or 80 for 5GHz.