
Device console

This page describes the CLI console and the various commands available in the base console.

The device console is used to perform various checks on the system and to view logs files for troubleshooting.

When using the command line, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

Sophos Firewall has built-in help at the command prompt, so you can check the syntax without exiting the CLI.

To view the list of available commands, go to Option 4 (Device Console) and press Tab. The following is displayed:

clear               ping            telnet
disableremote       ping6           telnet6
dnslookup           set             traceroute
dnslookup6          show            traceroute6
drop-packet-capture system
enableremote        tcpdump

Once you start typing a command you can press Tab again to view the list of arguments that are supported or required. Example: When you type ping and press Tab, you are presented with the list of parameters that are required or allowed as shown below:

ping
<ipaddress>    count       quiet       sourceip
<string>       interface   size        timeout

Type the command and then press ? to view the list of arguments supported with descriptions. Example: when you type ping and press ?, all parameters are shown with descriptions.

ping
quiet          display the summary at startup and end
count          Stop after sending count packets
size           Number of data bytes to be sent
timeout        timeout 'in seconds' before ping exits
interface      Bind interface
sourceip       Bind source ipaddress
<ipaddress>    A.B.C.D (0 <= A,B,C,D < 256)
<string>       Alpha-Numeric TEXT with/without quotes

To return to the main menu, type exit.

Below you will find a list of CLI commands and descriptions of their functions.

set

Use set to configure various system parameters. For further information on the available parameters see set.

system

Use system to configure various settings. For further information on the available options see system.

clear

Clears the screen.

disableremote

Disables remote connectivity over SSH, if enabled. By default it is not enabled. The appliance will no longer listen on port 22 for new connections, and existing ones will be terminated. Refer to enableremote to allow remote SSH connections.

dnslookup

Query internet domain name servers to resolve hostnames.

Parameter list and description

Syntax                       Description
host <ipaddress> | <url>     Host to be looked up.
server <ipaddress> [host]    Internet name or address of the name server to query.

dnslookup6

Query internet domain name servers to resolve IPv6 hostnames.

Parameter list and description

Syntax                       Description
host <ipaddress> | <url>     Host to be looked up.
server <ipaddress> [host]    Internet name or address of the name server to query.

drop-packet-capture

Displays the packets dropped by firewall rules, with connection details and details of the packets processed by the device, to help administrators troubleshoot firewall rules. You can also filter the dropped packets with a BPF expression.

Syntax                     Description
<text>                     BPF (Berkeley Packet Filter) compatible packet filter expression.
interface <port>           Listen on this interface.
snaplen <20-68835>         Number of bytes to capture from each packet.

Filter examples:

Packets to check                         Filter expression
Specific host                            host 10.10.10.1
Specific source host                     src host 10.10.10.1
Specific destination host                dst host 10.10.10.1
Specific network                         net 10.10.10.0
Specific source network                  src net 10.10.10.0
Specific destination network             dst net 10.10.10.0
Specific port                            port 20
Two specific ports                       port 20 or port 21
Specific source port                     src port 21
Specific destination port                dst port 21
Specific host for a specific port        host 10.10.10.1 and port 21
Specific host for all ports except SSH   host 10.10.10.1 and port not 22
Specific protocol                        proto ICMP, proto UDP, proto TCP

enableremote

Allows remote SSH connections to Sophos Firewall. The appliance will listen for SSH connections on the specified port and will allow connections from the specified addresses.

Syntax                  Description
port <number>           Ethernet port on the appliance through which a remote SSH connection can be established.
serverip <ipaddress>    Host IP address from which SSH connections to the appliance will be allowed.

ping

Sends ICMP ECHO_REQUEST packets to IPv4 network hosts and listens for the corresponding ECHO_REPLY.

Syntax                     Description
<ipaddress>                IP address to be pinged.
<string>                   Domain to be pinged.
count <number>             Send a specific number of packets; ping stops once the count is reached.
interface <interfaceid>    Set the interface on Sophos Firewall to send packets from.
quiet                      Display a summary only at the start and end of the ping sequence.
size <number>              Length, in bytes, of the data field in the echo request messages sent. The default is 32. The maximum size is 65,527.
sourceip <ipaddress>       Source IP address the packets will be sent from.
timeout <number>           Stop sending packets and exit from ping after the specified time is reached.

ping6

Sends ICMPv6 ECHO_REQUEST packets to IPv6 network hosts and listens for the corresponding ECHO_REPLY.

Syntax                     Description
<ipaddress6>               IPv6 address to be pinged.
count <number>             Send a specific number of packets; ping stops once the count is reached.
interface <interfaceid>    Set the interface on Sophos Firewall to send packets from.
quiet                      Display a summary only at the start and end of the ping sequence.
size <number>              Number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

tcpdump

Captures and displays packets on an interface of the appliance, optionally restricted to the packets that match a packet filter expression.

Syntax                     Description
<text>                     Packet filter expression. If no expression is given, all packets are dumped; otherwise only packets for which the expression is true are dumped. The expression consists of one or more primitives, each usually an id (name or number) preceded by one or more qualifiers. See the example table below for writing filter expressions.
count <number>             Exit tcpdump after receiving the specified number of packets.
filedump                   Writes the tcpdump output, selected by the given criteria, to a file under /tmp.
hex                        Print each packet (minus its link level header) in hexadecimal notation.
interface <interfaceid>    Interface to listen on.
llh                        View packet contents with Ethernet or other layer 2 header information.
no_time                    Do not print a timestamp on each dump line.
quite                      Print less protocol information so that output lines are shorter.
verbose                    Verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksums.

Below you will find some examples of how to use the tcpdump command to view different information.

Note

Expressions can be combined using the logical operators AND, OR and NOT. When combining primitives, enclose the full expression in single quotes.

Specific host: tcpdump 'host <ipaddress>' (example: tcpdump 'host 10.10.10.1')
Specific network: tcpdump 'net <network address>' (example: tcpdump 'net 10.10.10.0')
Specific source network: tcpdump 'src net <network address>' (example: tcpdump 'src net 10.10.10.0')
Specific destination network: tcpdump 'dst net <network address>' (example: tcpdump 'dst net 10.10.10.0')
Specific port: tcpdump 'port <port number>' (example: tcpdump 'port 21')
Specific source port: tcpdump 'src port <port number>' (example: tcpdump 'src port 21')
Specific destination port: tcpdump 'dst port <port number>' (example: tcpdump 'dst port 21')
Specific host and specific port: tcpdump 'host <ipaddress> and port <port number>' (example: tcpdump 'host 10.10.10.1 and port 21')
Specific host and all ports except SSH: tcpdump 'host <ipaddress> and port not <port number>' (example: tcpdump 'host 10.10.10.1 and port not 22')
Specific protocol: tcpdump 'proto <protocol name>' (examples: tcpdump 'proto ICMP', tcpdump 'proto UDP')
Specific interface: tcpdump interface <interface id> (example: tcpdump interface port2)
Specific port on a specific interface: tcpdump interface <interface id> 'port <port number>' (example: tcpdump interface port2 'port 21')
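The filter subset documented in the drop-packet-capture and tcpdump tables above (src/dst qualifiers, host/net/port/proto primitives, not before a value, and/or between primitives) is small enough to check locally before typing it into the console, which rejects malformed input. The checker below is an added example, not part of the Sophos documentation; it assumes host and net values are IP literals, as in the page's examples, and takes the expression with or without its enclosing single quotes.

```python
import ipaddress

PROTOCOLS = {"icmp", "udp", "tcp"}   # protocol names used in the page's example tables

def _primitive(tok, i):
    # [src|dst] (host|net|port|proto) [not] <value>; IndexError if the expression ends early.
    qual = None
    if tok[i] in ("src", "dst"):
        qual, i = tok[i], i + 1
    kind, i = tok[i], i + 1
    if tok[i] == "not":                 # e.g. 'port not 22' in the SSH example above
        i += 1
    value = tok[i]
    if kind == "proto":
        if qual or value not in PROTOCOLS:
            raise ValueError("proto takes no src/dst qualifier and only icmp, udp or tcp")
    elif kind == "port":
        if not value.isdigit() or int(value) > 65535:
            raise ValueError(f"bad port {value!r}")
    elif kind == "host":
        ipaddress.ip_address(value)     # raises ValueError if not an IP address
    elif kind == "net":
        ipaddress.ip_network(value, strict=False)
    else:
        raise ValueError(f"unknown primitive {kind!r}")
    return i + 1

def _term(tok, i):
    # term := 'not' term | primitive
    return _term(tok, i + 1) if tok[i] == "not" else _primitive(tok, i)

def _expr(tok, i):
    # expr := term (('and' | 'or') term)*
    i = _term(tok, i)
    while i < len(tok) and tok[i] in ("and", "or"):
        i = _term(tok, i + 1)
    return i

def is_valid_filter(expression: str) -> bool:
    """True if the expression (with or without its enclosing single quotes) is well formed."""
    tok = [t.lower() for t in expression.strip().strip("'").split()]
    try:
        return bool(tok) and _expr(tok, 0) == len(tok)
    except (ValueError, IndexError):    # IndexError: the expression ended mid-primitive
        return False

if __name__ == "__main__":   # constructed inputs: the page's examples plus malformed ones
    for f in ["host 10.10.10.1 and port 21", "'host 10.10.10.1 and port not 22'",
              "src net 10.10.10.0", "proto ICMP", "port 70000", "host 10.10.10.256"]:
        print(f"{f!r:40} valid={is_valid_filter(f)}")
```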

telnet

Use telnet to connect to another remote computer, for example to check whether a system is accepting connections on a specific port. Telnet data is sent in clear text, so for administrative tasks use SSH whenever possible.

Syntax                       Description
<ipaddress> <port number>    FQDN, alias or IP address of a remote host, followed by the port number to connect to. If no port is specified, the default telnet port (23) is used.

telnet6

Use telnet6 to connect via telnet to an IPv6-addressed system.

Syntax                         Description
<ipv6address> <port number>    FQDN, alias or IPv6 address of a remote host, followed by the port number to connect to. If no port is specified, the default telnet port (23) is used.

traceroute

Traceroute traces the path packets take from an IPv4 network to the destination system. It uses the IP protocol's time to live (TTL) field and tries to get an ICMP TIME_EXCEEDED response from each gateway along the path to the destination.

Syntax           Description
<ipaddress>      Destination IP address to trace the route to.
<string>         Domain to trace the route to.
first-ttl        Sets the initial time to live used in the first outgoing packet.
icmp             Use ICMP ECHO instead of UDP datagrams.
max-ttl          Sets the maximum time to live of the packets.
no-frag          Sets the don't-fragment bit in the sent packets.
probes           Number of probes sent at each TTL. Default is 3.
source           Sets the specified IP address as the source address of the sent packets.
timeout          Sets the timeout in seconds for a response to a probe. Default is 5.
tos              For IPv4, sets the Type of Service (TOS) and Precedence value. Useful values are 16 (low delay) and 8 (high throughput).

traceroute6

Traceroute6 traces the path packets take from an IPv6 network to the destination system. It uses the IP protocol's time to live (TTL) field and tries to get an ICMP TIME_EXCEEDED response from each gateway along the path to the destination.

Syntax           Description
<ipv6address>    Destination IPv6 address to trace the route to.
<string>         Domain to trace the route to.
first-ttl        Sets the initial time to live used in the first outgoing packet.
icmp             Use ICMP ECHO instead of UDP datagrams.
max-ttl          Sets the maximum time to live of the packets.
no-frag          Sets the don't-fragment bit in the sent packets.
probes           Number of probes sent at each TTL. Default is 3.
source           Sets the specified IP address as the source address of the sent packets.
timeout          Sets the timeout in seconds for a response to a probe. Default is 5.
tos              Sets the type of service. For IPv6, this is referred to as the Traffic Class value.

show

Enter the following command: show <setting>

Example: show advanced-firewall

You can see the settings for the following configurations:

Syntax                                  Description
advanced-firewall                       Displays the currently configured advanced firewall parameters. For a full explanation of the parameters, refer to set.
arp-flux                                Shows whether arp-flux is currently turned on or off.
country-host ip2country <ipaddress>     Finds the country that hosts the specified IP address.
country-host list                       Lists the stored IP addresses and the country that hosts each of them.
fqdn-host                               Displays the configured parameters: cache-ttl, idle-timeout, learn-subdomains and IP eviction.
http_proxy                              Displays the following configured parameters for the HTTP proxy: add_via_header, core_dump, relay_invalid_http_traffic, connect_timeout, tunnel_timeout, client_timeout, response_timeout, proxy_tlsv_0, captive_portal_tlsv1_0 and captive_portal_x_frame_options.
ips-settings                            Displays the currently configured IPS settings and running instances.
ips_conf                                Shows the current IPS configuration.
lanbypass                               Shows the current lanbypass configuration. In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning during a power failure or hardware malfunction.
license_status                          Shows whether the license is active and whether it is synchronized.
logs {log file} [lines] {number}        Shows the latest entries of the given log file, limited to the specified number of lines.
nat-policy application-server | failover | mail-notification    Displays the NAT policy settings (enabled or disabled) for the protected application servers.
network                                 Displays various configured network parameters according to the filters used.
on-box-reports                          Shows the status of local reporting.
port-affinity                           Shows the status of configured bridge ports.
pppoe connection status                 Shows the status of PPPoE connections.
proxy-arp                               Shows the proxy ARP table.
report-disk-usage watermark             Shows the percentage threshold for warning of space usage in the report partition. Default: 80 (SFOS 19.5 MR3 and earlier) and 70 (SFOS 19.5 MR4 and later).
routing                                 Shows routing information.
scanengine                              Shows virus scan engine Live Protection status, thread count, and buffer size.
service-param                           Shows non-standard service-to-port mapping and HTTPS, MTA, and SMTP(S) configuration details.
support_access                          Shows the status of the remote support access tunnel. This is the connection you open for Sophos Support to access Sophos Firewall for troubleshooting.
vpn IPSec-logs | L2TP-logs | PPTP-logs  Shows the logs for the specified type of VPN connection.
vpn configuration                       Shows the L2TP and PPTP configurations.
vpn connection status                   Shows the current connection status of the active VPNs.
vpn ipsec-performace                    Shows performance details of the current IPsec connections.
