Skip to content


Details of the system components that are configurable via the set command.

Use the set command to define settings and parameters for various system components.

For example after typing set press tab to view list of configurable components. These options and their parameters are described below.


The advanced-firewall option allows configuration of various firewall related parameters and settings such as the traffic to be inspected, protocol timeout values and traffic fragmentation. The full list of parameters available for configuration is shown in the table below.

Syntax Description
bypass-stateful-firewall-config [add] [del] [ dest_host] [dest_network] [source_host] [source_network] Add a host or network where the outbound and return traffic does not always traverse through Sophos Firewall.

You can add or delete either single hosts or entire networks.
icmp-error-message [allow] [deny] Allow or deny ICMP error packets describing problems such as network/host/port unreachable, destination network/host unknown.
strict-icmp-tracking [on] [off] Allow or drop ICMP reply packets. Setting this option On drops all ICMP reply packets.
tcp-appropriate-byte-count [on] [off] Controls Appropriate Byte Count (ABC) settings. ABC is a way of increasing congestion window (cwnd) more slowly in response to partial acknowledgments. for more information see RFC3465
tcp-selective-acknowledgement [on] [off] tcp-selective-acknowledgement Off: Disables selective acknowledgment. Using selective acknowledgments, the data receiver can inform the sender about all segments that have arrived successfully, so the sender need retransmit only the segments that have actually been lost.
tcp-window-scaling [on] [off] tcp-window-scaling Off: Disables window scaling. The TCP window scaling increase the TCP receiving window size above its maximum value of 65,535 bytes. For more information see RFC1232
fragmented-traffic [allow] [deny] Allow or deny fragmented traffic. IP Fragmentation is the process of breaking down an IP datagram into smaller packets before transmitting and reassembling them at the receiving end. For more information see RFC4459 Section 3.1
ipv6-unknown-extension-header [allow] [deny] Allow or drop IPv6 packets with unknown extension headers.
strict-policy [on] [off] When strict policy is applied, the device drops specific traffic and IP based attacks against the firewall. By default, strict policy is always on. When strict policy is off, strict firewall policy is disabled.
tcp-est-idle-timeout [2700-432000] Sets the idle timeout value in seconds for established TCP connections. Available values are 2700-432000.
tcp-seq-checking [on] [off] Every TCP packet contains a Sequence Number (SYN) and an Acknowledgment Number (ACK). Sophos Firewall monitors SYN and ACK numbers within a certain window to ensure that the packet is indeed part of the session. However, certain application and third party vendors use non-RFC methods to verify a packet's validity or for some other reason a server may send packets with invalid sequence numbers and expect an acknowledgment. For this reason, Sophos Firewall offers the ability to disable this feature.
udp-timeout [30-3600] Set the timeout value in seconds for UDP connections that have not yet been established. Available values are 30-3600.
udp-timeout-stream [30-3600] Set the timeout value in seconds for UDP stream connections. Available values are 30-3600. A UDP stream is established when two clients send UDP traffic to each other on a specific port and between network segments. Example: LAN to WAN.
ftpbounce-prevention [control] [data] Prevent FTP bounce attacks on FTP control and data connections. Traffic is considered as an FTP bounce attack when an attacker sends a PORT command with a third party IP address to an FTP server instead of its own IP address.
midstream-connection-pickup [on] [off] Configure midstream connection pickup settings. Enabling midstream pickup of TCP connections will help while plugging in the Sophos Firewall as a bridge in a live network without any loss of service. It can also be used for handling network behavior due to peculiar network design and configuration. E.g. atypical routing configurations leading to ICMP redirect messages. By default, Sophos Firewall is configured to drop all untracked (mid-stream session) TCP connections in both deployment modes.
sys-traffic-nat [add] delete] [destination] [interface] [netmask] [snatip] Administrators can NAT the traffic generated by the firewall so that the IP Addresses of its interfaces are not exposed or to change the NAT'd IP for traffic going to a set destination. for more information please see KB 122999
tcp-frto [on] [off] Enable or disable forward RTO-Recovery (F-RTO). F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts and it is particularly beneficial in wireless environments where packet loss is typically due to random radio interference rather than intermediate router congestion. F-RTO is sender-side only modification. Therefore it does not require any support from the peer.
tcp-timestamp [on] [off] Enable or disable tcp timestamps. Timestamp is a TCP option used to calculate the round trip measurement in a better way than the retransmission timeout method.
udp-timeout-stream [30-3600] Set up UDP timeout value in seconds for established UDP connections. Available values are from 30-3600.


ARP flux occurs when multiple ethernet adapters, often on a single machine, respond to an ARP query. Due to this, problem with the link layer address to IP address mapping can occur. Sophos Firewall may respond to ARP requests from both Ethernet interfaces. On the machine creating the ARP request, these multiple answers can cause confusion. ARP flux affects only when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.

Syntax Description
on Sophos Firewall may respond to ARP requests from both ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.
off Sophos Firewall responds to ARP requests from respective ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.


TTL (time-to-live) determines how long it takes for a DNS record change to take effect. The domain's DNS record is cached until the next lookup. For domains that resolve to localhost, Sophos Firewall performs DNS lookups at the default interval rather than the TTL value in the DNS record.

Change the interval at which the DNS lookups for localhost take place. For example, you can specify a lower TTL value to make sure Sophos Firewall updates its record earlier when you change the DNS record entry from localhost to another host.

Syntax Description
localhost-ttl [60-655360] Interval (in seconds) at which DNS lookups for domains that resolve to localhost take place.

Range: 60 to 655360 seconds
Default: 655360 seconds


Sophos Firewall supports FQDN Hosts that define an entry by the Fully Qualified Domain Name which resolve to the IP address as found by DNS requests. This allows for dynamically assigned IP addresses to be used as host definitions, there is limit of 16,000 for the number of hosts that can be created. This can also be configured from the GUI, for further information about GUI configuration see Configure an FQDN host.

Syntax Description
cache-ttl [60-86400] [ dns-reply-ttl] Set cache-ttl value for FQDN Host. The cache-ttl value represents the time in seconds after which the cached FQDN host to IP address binding will be updated.

Range: 1 – 86400 seconds

Default: 3600 seconds

dns-reply-ttl: use the ttl value in DNS reply packet as cache-ttl
eviction [enable] [ disable] [interval] [ 60-86400] Duration in seconds after which IP addresses for subdomains of wildcard FQDNs are evicted. The available range is 60-86400.
idle-timeout [60-86400] [default] The idle-timeout value represents the time in seconds after which the cached FQDN host to IP address binding is removed.

Range: 60 – 86400 seconds

Default: 3600 seconds
learn-subdomains [enable] [disable] Learn the IP address of subdomains for FQDN using wildcard. Enable if you want to know ip address of subdomains of local traffic and that is passing through Sophos Firewall, that is, traffic that is not destined for or originated by the Sophos Firewall.


Sets parameters for the HTTP proxy as follows:


If you set different minimum versions for the captive portal and web proxy using the command-line console, the web admin console shows only the minimum TLS version for the proxy. It also shows a warning that the minimum TLS versions for the captive portal and web proxy don’t match.

Syntax Description
add_via_header [on] [off] Either add or remove the via header to traffic that passes through the proxy. The via header is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request/response chain.
captive_portal_tlsv1_0 [on] [off] Allow or deny connections using TLS 1.0 to the captive portal. We don't recommend using TLS 1.0 because it's no longer considered secure. Turn on TLS 1.0 only if required for a specific business need.
captive_portal_tlsv1_1 [on] [off] Allow or deny connections using TLS 1.1 to the captive portal. We don't recommend using TLS 1.1 because it's no longer considered secure. Turn on TLS 1.1 only if required for a specific business need.
captive_portal_x_frame_options [on] [off] Enable or disable the addition of the x frame options header for captive portal traffic. The x-frame-options (XFO), is an HTTP response header, also referred to as an HTTP security header, which has been around since 2008. In 2013 it was officially published as RFC 7034, but is not an internet standard. This header tells the browser how to behave when handling a site’s content. The main reason for its inception was to provide clickjacking protection by not allowing rendering of a page in a frame. for further information please see RFC 7034
client_timeout [1-2147483647] [default] Sets the timeout in seconds for clients with established connections via the proxy. The available values are 1-2147483647, default is 60.
connect_timeout [1-2147483647] [default] Sets the timeout value in seconds for connections attempting to be made via the proxy. Available values are 1-2147483647, default is 60.
core_dump [on] [off] Determines whether a coredump file will be created in the event the proxy encounters an error and crashes. Coredump files can help with troubleshooting issues and will be useful to support in the event that issues are encountered.
proxy_tlsv1_0 [on] [off] Allow or deny connections using TLS 1.0 through the proxy. We don't recommend using TLS 1.0 because it's no longer considered secure. Turn on TLS 1.0 only if required for a specific business need.
proxy_tlsv1_1 [on] [off] Allow or deny connections using TLS 1.1 through the proxy. We don't recommend using TLS 1.1 because it's no longer considered secure. Turn on TLS 1.1 only if required for a specific business need.
relay_invalid_http_traffic [on] [off] Determines whether non HTTP traffic sent over HTTP ports should be relayed or dropped by the proxy. Some applications will send traffic over ports normally used by HTTP, 80 and 443, in these instances the proxy may not be able to handle the traffic which can cause issues. If this is the case then it is often advisable to bypass the proxy all together for this traffic.
response_timeout [1-2147483647] [default] Sets the timeout in seconds that the proxy will wait for a response to be received for a new connection before that connection is terminated. Available values are 1-2147483647, default is 60.
tunnel_timeout [1-2147483647] [default] Sets the timeout value in seconds that the proxy will wait for a response whilst trying to set up an HTTPS connection. Available values are 1-2147483647, default is 300.
disable_tls_url_categories [on] [off] Allows you to turn on or turn off category lookup for SSL/TLS Inspection Rules. If disable_tls_url_categories is on, traffic isn't categorized.

This affects which SSL/TLS inspection rule will be chosen. For SSL/TLS inspection rules it will only match those with ANY specified for Categories and websites and nothing else. For example, if there is no SSL/TLS rule with value ANY for Categories and websites, no rule will be matched if disable_tls_url_categories is on, the default behavior applies.

These settings also affect any web policy applied to the traffic. The traffic will be uncategorized when a web policy is applied to it during the TLS handshake. The disable_tls_url_categories setting does not affect categorization of URLs for HTTP or decrypted HTTPS traffic as the full packet contents can be seen in these scenarios.


Allows configuration of the Intrusion Prevention System (IPS). IPS consists of a signature engine (snort) with a predefined set of signatures. Signatures are the patterns that are known to be harmful. IPS compares traffic to these signatures and responds at high speed if it finds a match. You can't edit signatures included within the device. The parameters that you can configure are described below.

Syntax Description
enable_appsignatures [on] [off] Turns app based signatures on or off for IPS. App signatures determine the application that is using a specific data stream to help determine if traffic is malicious or should be allowed. By default app based signatures are enabled.
failclose [apply] [off] [on] [timeout] [tcp] [udp] [1-43200] Determines if a connection should be closed in the event of a failure and the timeout in seconds for both tcp and udp connections that pass through IPS. The available timeout values for both UDP and TCP traffic are 1-43200.
http_response_scan_limit [0-262144] Sets the scan limit for HTTP response packets. Available values are 0-262144, for full scanning this should be set to 0.
inspect [all-content] [untrusted-content] Specifies IPS inspection for all or untrusted content.

untrusted-content: Inspects untrusted content only. Doesn't inspect content trusted by SophosLabs. Provides best performance.

all-content: Inspects all content. Provides best security.

Default: Inspects untrusted content only.
ips-instance [apply] [clear] [add] [IPS] [cpu] [0-1] Creates a new IPS cpu instances, clears the IPS instance or applies a new IPS configuration.
ips_mmap [on] [off] Enabling mmap optimizes RAM usage, especially in low-end devices. By default mmap is on.
lowmem-settings [on] [off] Enables or disables low memory settings for IPS. These settings will only be applied in the event that the appliance encounters memory issues.
maxpkts [numeric value above 8] [all] [default] Sets the number of packets to be sent for application classification. By default this is set to 8 but can be changed to send all packets or any number of packets above 8.
maxsesbytes-settings [update] [ numeric value] The maxsesbytes-settings allows you to set the maximum allowed file size to be scanned by IPS. Any file larger the configured size is bypassed and is not scanned. This value is applied per session.
packet-streaming [on] [off] Determines whether packet streaming is to be allowed or not. Packet streaming is used to restrict the streaming of packets in situations where the system is experiencing memory issues.

If stream is set to on, which is the default setting, the IPS engine builds an internal table during a session and deletes them at the end of each session. It also reassembles all incoming packets and checks the data for any known signatures.

If stream is set to off, then protocols such as Telnet, POP3, SMTP, and HTTP are vulnerable as reassembly of packets or segments can no longer occur. Data is sometimes broken up into chunks of packets and must be reassembled to check for signatures, these protocols are now vulnerable to malicious files that are hidden by splitting.
scan_decrypted_port_agnostic [on] [off] Turn on or turn off the matching of HTTP based signatures in decrypted traffic.
search-method [ac-bnfa] [ac-q] [hyperscan] Set the search method to be used for IPS signature pattern matching.

ac-bnfa (low memory usage, high performance)

ac-q (high memory usage, best performance)

hyperscan (low memory usage, best-performance)
sip_ignore_call_channel [enable] [disable] Set whether the audio and video data channels should be ignored. Enable this option to ignore such channels.

Enabled by default.
sip_preproc [enable] [disable] Set whether SIP preprocessor should be enabled or not. Enabling this will scan all the SIP sessions to prevent any network attacks.


When you use advanced shell CLI commands, such as ps, or top, you may see the overall memory consumption for snort as much more than is reported in /proc/meminfo or under Diagnostics in the web admin console. This is because ps and top show the overall reserved memory and not the memory currently in use. This applies when DPDK is enabled, because it uses memory reservation on all XGS versions and on both high-end and low-end systems.


Allows the administrator to add, delete or edit an existing IPS configuration entry.

Syntax Description
add [key] [text] [value] [text] Add a new IPS configuration.
del [key] [text] [value] [text] Delete and existing IPS configuration.
update [key] [text] [value] [text] Update and exiting IPS configuration.


In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning when there is a power failure or hardware malfunction. When enabled, traffic is bypassed for all modules - onboard and external modules. When power is restored, Sophos Firewall automatically resumes normal functionality. For example, in XG 750, if 7 modules (14 LAN bypass pairs) are connected, bypass is enabled for all 14 pairs.

Syntax Description
off Turns Lan bypass off. This is the default setting.
on Turns Lan bypass on.


Allows you to configure various network parameters including routes, interface speeds, MTU, MAC address and ports.

Syntax Description
interface-speed [PortID] [speed] [1000fd] [100fd] [100hd] [10fd] [10hd] [auto] Allows to configure the interface speed. Values are given in Mbps and either full or half duplex. Auto allows the interface to automatically negotiate speed with the connected neighbor device.
macaddr [PortID] [default] [override] [string value] Allows you to set the MAC address of the interface. Default will keep the existing MAC, if using the override parameter then you will need to define the required MAC address string manually.
mtu-mss [PortID] [mtu ] [number value] [default] [mss] [number value] [default] Allows you to define the required MTU and MSS for interfaces. Default values are, MTU 1500 and MSS 1460.


Allows you to determine if reports are generated on Sophos Firewall or not.

Syntax Description
on Turn on box reports on.
off Turns on box reports off.


Configures port affinity settings. Administrators can manually assign or unassign a CPU core to a specific interface. Once configured, all the network traffic for that interface is handled by the assigned CPU cores.


CPU cores can only be assigned to interfaces that have already been configured.

Port-affinity is not supported with legacy network adapters, for example, when a virtual appliance is deployed in Microsoft Hyper-V.


You don't need to configure port-affinity settings on XGS Firewall devices. For these devices, traffic is load balanced and distributed across CPU cores automatically.

Syntax Description
add [port] [PortID] [bind-with] [start-with] [cpu] [cpu number] Allows you to add port affinity settings to the desired interface.
defsetup Applies the default port affinity configuration.
del [port] [PortID] Deletes current port affinity settings for the selected port.
fwonlysetup This is the legacy default port affinity setup and only handles plain firewall traffic which doesn't include any proxy or IPS traffic.


Allows to define how the proxy will respond to arp requests.

Syntax Description
add [interface] [PortID] [dest_ip] [ dst_iprange] Applies proxy arp settings to the defined interface.
del [interface] [PortID] [dest_ip] [ dst_iprange] Deletes proxy arp settings from the defined interface


Sets a watermark in percentage for the report disk usage. The watermark represents the percentage up to which data can be written to the report disk.

Syntax Description
watermark [default] [numerical value] Sets the watermark level, allowed values are from 60 to 85.

Default: 80.


Allows configuration of routing parameters for multicast group limits,source base route for aliases and wan load balancing.

Syntax Description
multicast-group-limit [numerical value] Applies the multicast group limit. Default: 250.
multicast-decrement-ttl [enable | disable] Turns time to live (TTL) decrement on or off for multicast traffic. When turned on, the TTL will decrease for each multicast packet.
sd-wan-policy-route [system-generate-traffic] [reply-packet] [enable] [disable] Turn policy routes on or off for system-generated traffic and reply packets. Make sure you turn routing on for each of them independently. Policies are configured in the web admin console.
source-base-route-for-alias [enable] [disable] Applies or removes source based routes for alias addresses.

{weighted-round-robin [ip-family {ipv4 | ipv6 | all}]}

{session-persistence {source-only | destination-only | source-and-destination | connection-based} [ip-family {ipv4 | ipv6 | all}]}

Configures WAN load balancing to balance traffic between multiple WAN interfaces.

Session persistence will send traffic for the same session over a specific interface. Weighted round robin will pass traffic over different interfaces depending on the load that each interface is experiencing.

When using session persistence to balance traffic this can be defined in four ways.

Connection based send all traffic related to the same connection over the same interface.

Destination only send all traffic to a specific source over the same interface.

Source and destination sends all traffic between the same source and destination over the same interface.

Source only sends all traffic from a specific source over the same interface.

Furthermore you can choose to balance just IPv4, IPv6 or all traffic.


By default Sophos Firewall inspects all HTTP, HTTPS, FTP, SMTP/S, POP and IMAP traffic on the standard ports. Use service-param to enable inspection of traffic sent over non-standard ports.

Syntax Description
FTP [add] [delete] [port] [port number]

HTTP [add] [delete] [port] [port number]

IMAP [add] [delete] [port] [port number]

IM_MSN [add] [delete] [port] [port number]

IM_YAHOO [add] [delete] [port] [port number]

POP [add] [delete] [port] [port number]

HTTPS [add] [delete] [port] [port number] [deny_unknown_proto] [on] [off] [invalid-certificate] [allow] [block]

SMTP [add] [delete] [port] [port number] [failure_notification] [on] [off] [fast-isp-mode] [on] [off] [notification-port] [add] [port] [port number] [strict-protocol-check] [on] [off]

SMTPS [add] [delete] [port] [port number] [invalid-certificate] [allow] [block]
To allow inspection of traffic on non-standard ports for a specific protocol use the add port commands, this works for all services available within the service-param command list.

HTTPS, SMTP and SMTPS have further options available.


Allows you set various network parameters for interfaces such as speed, MAC address, MTU-MSS and LAG details.

Syntax Description
interface-speed [Port] [speed] [speed value] Available speed values are: 1000fd, 100fd, 100hd, 10fd, 10hd or auto. The fd and hd denote half or full duplex.
macaddr [Port] [default] [override] [string] Allows to set the MAC address of an interface. Here string would be the new MAC address you want to use.
mtu-mss [Port] [default] [number] Sets the MTU-MSS value foe the interface. Default is 1500.
lag-interface [interface_name] [lag-mgt] [active-backup] [auto] [Port] [lacp] [lacp-rate] [fast] [slow] [static-mode] [enable] [disable] [xmit-hash-policy] [layer2] [layer2+3] [layer3+4] [link-mgt] [down-delay] [value] [garp-count] [value] [monitor-interval] [value] [up-delay] [value] Allows you to set various parameters for any configured lag interfaces. Where the variable is stated as value, the available values are shown below.

down-delay available values 0-10000 milliseconds

garp-count values 0-255

monitor-interface values 0-10000 milliseconds

up-delay values 0-10000 milliseconds


Allows you to set various parameters for VPN connections including failover settings, authentication settings and MTU.

Syntax Description
conn-remove-on-failover [all] [non-tcp] [conn-remove-tunnel-up] [disable] [enable] [l2tp] [authentication] [ANY] [CHAP] [MS_CHAPv2] [PAP] [mtu] [number] [pptp] [authentication] [ANY] [CHAP] [MS_CHAPv2] [PAP] Authentication parameters can be set for L2TP and PPTP vpns aswell as global failover and failback parameters for all traffic or just non tcp traffic. MTU can be set for L2TP, the available values are 576 – 1460, default is 1410.
Back to top