Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

set

Details of the system components that are configurable via the set command.

Use the set command to define settings and parameters for various system components.

For example, after typing set, press tab to view the list of components you can configure. These options and their parameters are described below.

Syntax description

set main-command option [arguments] {user defined input} <ranges>
Example

set advanced-firewall icmp-error-message allow

set advanced-firewall add dest_host 10.1.1.10

advanced-firewall

The advanced-firewall option allows the configuration of various firewall-related parameters and settings such as the traffic to be inspected, protocol timeout values, and traffic fragmentation. The full list of parameters available for configuration is shown in the table below.

Syntax Description
bypass-stateful-firewall-config [add|del] [dest_host|dest_network] {IP address | network IP address / netmask} [source_host|source_network] { IP address | network IP address / netmask}

Add a host or network where the outbound and return traffic does not always pass through Sophos Firewall.

You can add or delete either single hosts or entire networks.

restrict-admin-console-wan-access [enable|disable]

Allow or deny access to the web admin console from all WAN sources.

If you enter enable, you turn off access from all WAN sources. This ensures higher security levels. See Best practices.

Default: enable

icmp-error-message [allow|deny] Allow or deny ICMP error packets describing problems such as network, host or port unreachable, and destination network or host unknown.
strict-icmp-tracking [on|off] Allow or drop ICMP reply packets. Setting this option On drops all ICMP reply packets.
tcp-selective-acknowledgement [on|off]

With TCP selective acknowledgement (SACK), the firewall allows the receiver to inform the sender about the specific segments it receives. The sender can then retransmit only the lost and out-of-order segments rather than the entire TCP window, ensuring efficient retransmission.

It minimizes unnecessary retransmissions, reduces latency, and enhances the throughput, ensuring more reliable data transmission.

tcp-window-scaling [on|off]

With window scaling, the firewall extends the TCP window size beyond the traditional 16-bit limit (64 KB) supporting high-bandwidth networks. By increasing the window size, it ensures larger data transfers in a single TCP connection, enhancing the throughput and reducing latency.

It optimizes flow control by dynamically adjusting the window size based on network capacity, avoiding congestion, and optimizing data transmission. See RFC1232.

fragmented-traffic [allow|deny] Allow or deny fragmented traffic. IP Fragmentation is the process of breaking down an IP datagram into smaller packets before transmitting and reassembling them at the receiving end. See RFC4459 section 3.1
ipv6-unknown-extension-header [allow|deny] Allow or drop IPv6 packets with unknown extension headers.
strict-policy [on|off] When strict policy is applied, the device drops specific traffic and IP-based attacks against the firewall. By default, strict policy is always on. When strict policy is off, strict firewall policy is disabled.
tcp-est-idle-timeout <2700-432000> Sets the idle timeout value in seconds for established TCP connections. Available values are 2700-432000.
tcp-seq-checking [on|off] Every TCP packet contains a Sequence Number (SYN) and an Acknowledgment Number (ACK). Sophos Firewall monitors SYN and ACK numbers within a certain window to ensure that the packet is part of the session. However, certain applications and third-party vendors use non-RFC methods to verify a packet's validity or for some other reason, so a server may send packets with invalid sequence numbers and expect an acknowledgment. For this reason, Sophos Firewall offers the ability to turn off this feature.
udp-timeout <30-3600> Set the timeout value in seconds for UDP connections that haven't yet been established. Available values are 30 to 3600.
udp-timeout-stream <30-3600> Set the timeout value in seconds for UDP stream connections. Available values are 30 to 3600. A UDP stream is established when two clients send UDP traffic to each other on a specific port and between network segments. Example: LAN to WAN.
ftpbounce-prevention [control|data] Prevent FTP bounce attacks on FTP control and data connections. Traffic is considered an FTP bounce attack when an attacker sends a PORT command with a third-party IP address to an FTP server instead of its own IP address.
midstream-connection-pickup [on|off] Configure midstream connection pickup settings. Enabling midstream pickup of TCP connections will help while plugging in the Sophos Firewall as a bridge in a live network without any loss of service. You can also use it for handling network behavior due to peculiar network design and configuration. For example, atypical routing configurations leading to ICMP redirect messages. Sophos Firewall is default configured to drop all untracked (mid-stream session) TCP connections in both deployment modes.
sys-traffic-nat [add|delete] [destination] {destination IP address} [interface] {interface} [netmask] {netmask} [snatip] {snat IP address}

Administrators can NAT the traffic generated by the firewall so that the IP addresses of its interfaces aren't exposed or to change the NAT'd IP for traffic going to a set destination.

Example: set advanced-firewall sys-traffic-nat add destination 172.16.16.5 snatip 192.168.2.1

tcp-frto [on|off] Turn on or off forward RTO-Recovery (F-RTO). F-RTO is an enhanced recovery algorithm for TCP retransmission time-outs. It's particularly beneficial in wireless environments where packet loss is typically due to random radio interference rather than intermediate router congestion. F-RTO is a sender-side only modification. Therefore it does not require any support from the peer.
tcp-timestamp [on|off] Turn on or off TCP timestamps. Timestamp is a TCP option used to calculate the round trip measurement in a better way than the forward RTO-recovery method.
route-cache [on|off] Turn on or turn off the route cache. Route caching allows the per-destination load-balancing of outgoing traffic.
ipv6-ready-logo-compliance [on|off] Turn IPv6 ready logo compliance on or off. IPv6 ready logo is a testing program that shows IPv6 is working and ready to use. When it's turned on, the firewall will pass the IPv6 logo tests.

arp-flux

ARP flux occurs when multiple ethernet adapters, often on a single device, respond to an ARP query. Due to this, a problem with the link-layer address to IP address mapping can occur. Sophos Firewall may respond to ARP requests from both Ethernet interfaces. On the device creating the ARP request, these multiple answers can cause confusion. ARP flux only takes effect when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.

Syntax Description
on Sophos Firewall may respond to ARP requests from both ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.
off Sophos Firewall responds to ARP requests from respective ethernet interfaces when Sophos Firewall has multiple physical connections to the same medium or broadcast domain.

dns

TTL (time-to-live) determines how long it takes for a DNS record change to take effect. The domain's DNS record is cached until the next lookup. Sophos Firewall performs DNS lookups at the default interval rather than the TTL value in the DNS record for domains that resolve to localhost.

Change the interval at which the DNS lookups for localhost take place. For example, you can specify a lower TTL value to ensure Sophos Firewall updates its record earlier when you change the DNS record entry from localhost to another host.

Syntax Description
localhost-ttl <60-655360>

Interval (in seconds) at which DNS lookups for domains that resolve to localhost occur.

Range: 60 to 655360 seconds
Default: 655360 seconds

fqdn-host

You can configure Fully Qualified Domain Name (FQDN) hosts. DNS servers resolve FQDN requests to IP addresses. You can create up to 16,000 FQDN hosts. You can also configure these on the web admin console.

Syntax Description
cache-ttl <60-86400> [dns-reply-ttl]

Set cache-ttl value for FQDN Host. The cache-ttl value represents the time in seconds after which the cached FQDN host to IP address binding will be updated.

Range: 1 to 86400 seconds

Default: 3600 seconds

dns-reply-ttl: use the ttl value in the DNS reply packet as cache-ttl

eviction [enable | disable] [interval] <60-86400> Duration in seconds after which IP addresses for subdomains of wildcard FQDNs are evicted. The available range is 60 to 86400.
idle-timeout <60-86400> [default]

The idle-timeout value represents the time in seconds after which the cached FQDN host to IP address binding is removed.

Range: 60 to 86400 seconds

Default: 3600 seconds

learn-subdomains [enable | disable] Learn the IP address of subdomains for FQDN using a wildcard. Turn it on if you want to know the IP address of subdomains of local traffic that passes through Sophos Firewall and that isn't destined for or originated by Sophos Firewall.

http_proxy

Sets parameters for the HTTP proxy as follows:

Note

If you set different minimum versions for the captive portal and web proxy using the command-line console, the web admin console shows only the minimum TLS version for the proxy. It also shows a warning that the minimum TLS versions for the captive portal and web proxy don’t match.

Syntax Description
add_via_header [on | off] Either add or remove the via header for traffic that passes through the proxy. The via header is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request and response chain.
block_proxy_loop [on | off]

Turn proxy loop blocking on or off. A proxy loop occurs when a proxy forwards a request to itself or receives a request from another proxy. When you turn on block_proxy_loop, the firewall drops traffic when it detects duplicate Via headers in packets.

To trace proxy loop logs, make sure block_proxy_loop is turned on and that the awarrenhttp service is in debug mode. This is turned off by default. Turning it on impacts performance, and you must turn it on only for troubleshooting purposes.

The awarrenhttp.log file shows the message "Duplicate Via header values, proxy loop" when a proxy loop is detected.

captive_portal_tlsv1_0 [on | off]

Allow or deny connections using TLS 1.0 to the captive portal.

We don't recommend using TLS 1.0 because it isn't secure. This should only be turned on if you require it for a specific business need.

captive_portal_tlsv1_1 [on] [off]

Allow or deny connections using TLS 1.1 to the captive portal.

We don't recommend using TLS 1.1 because it isn't secure. This should only be turned on if you require it for a specific business need.

captive_portal_x_frame_options [on | off] Turn the x-frame-options header on or off for captive portal traffic The x-frame-options (XFO) is an HTTP response header, also referred to as an HTTP security header, has existed since 2008. In 2013 it was officially published as RFC 7034 but isn't an internet standard. This header tells the browser how to behave when handling a site’s content. The main reason for its introduction was to provide clickjacking protection by not allowing the rendering of a page in a frame. See RFC 7034
client_timeout <1-2147483647> [default] Sets the timeout in seconds for clients with established connections via the proxy. The available values are 1 to 2147483647. Default is 60.
connect_timeout <1-2147483647> [default] Sets the timeout value in seconds for connections attempting to be made via the proxy. Available values are 1 to 2147483647. Default is 60.
core_dump [on | off] Determines whether a coredump file will be created if the proxy encounters an error and crashes. Coredump files can help troubleshoot issues.
disable_tls_url_categories [on | off]

Allows you to turn on or turn off category lookup for SSL/TLS inspection rules. If disable_tls_url_categories is on, traffic isn't categorized.

This affects which SSL/TLS inspection rule is chosen. For SSL/TLS inspection rules, it'll only match those with ANY specified for Categories and websites and nothing else. For example, if there's no SSL/TLS rule with value ANY for Categories and websites, no rule will be matched if disable_tls_url_categories is on. The default behavior applies.

These settings also affect any web policy applied to the traffic. The traffic is uncategorized when a web policy is applied during the TLS handshake. The disable_tls_url_categories setting does not affect the categorization of URLs for HTTP or decrypted HTTPS traffic, as the full packet contents are seen in these scenarios.

proxy_tlsv1_0 [on | off]

Allow or deny connections using TLS 1.0 through the proxy when HTTPS is decrypted.

We don't recommend using TLS 1.0 because it isn't secure. This should only be turned on if you require it for a specific business need.

proxy_tlsv1_1 [on] [off]

Allow or deny connections using TLS 1.1 through the proxy when HTTPS is decrypted.

We don't recommend using TLS 1.1 because it isn't secure. This should only be turned on if you require it for a specific business need.

relay_invalid_http_traffic [on | off] Determines whether non-HTTP traffic sent over HTTP ports is relayed or dropped by the proxy. Some applications will send traffic over ports normally used by HTTP (80 and 443). In these instances, the proxy may not be able to handle the traffic, which can cause issues. If this is the case, we advise you bypass bypassing the proxy for this traffic.
response_timeout <1-2147483647> [default] Sets the timeout in seconds that the proxy waits for a response from a new connection before the connection is terminated. Available values are 1 to 2147483647. Default is 60.
tlsciphers_server [cipher string]

Sets the supported ciphers for both captive portal and the proxy. This is specified in cipher string format.

Example:

HIGH:!RC4:!MD5:!aNULL

tunnel_timeout <1-2147483647> [default] Sets the timeout value in seconds that the proxy waits for a response while trying to set up an HTTPS connection. Available values are 1 to 2147483647. Default is 300.

ips

Allows configuration of the Intrusion Prevention System (IPS). IPS consists of a signature engine (snort) with a predefined set of signatures. Signatures are patterns that are known to be harmful. IPS compares traffic to these signatures and responds at high speed if it finds a match. You can't edit signatures included within the device. To see the configured settings, see the show command.

You can configure the following settings:

Syntax Description
enable_appsignatures [on | off] Turns app-based signatures on or off for IPS. App signatures enable the firewall to identify malicious applications based on matching traffic patterns. The option is turned on by default.
failclose [apply] [off | on] [timeout] [tcp | udp] <1-43200> Determines if a connection should be closed in the event of a failure, and the timeout in seconds for both tcp and udp connections that pass through IPS. The available timeout values for UDP and TCP traffic are 1 to 43200.
http_response_scan_limit <0-262144> Sets the scan limit for HTTP response packets. Available values are 0 to 262144. For full scanning, you must set this to 0.
inspect [all-content | untrusted-content]

Specifies IPS inspection for all or untrusted content.

untrusted-content: Inspects untrusted content only. Doesn't inspect content trusted by SophosLabs. Provides the best performance.

all-content: Inspects all content. Provides the best security.

Default: Inspects untrusted content only. This is secure enough for most users.

ips-instance [apply | clear | add] [IPS] [cpu] <0-1> Creates a new IPS CPU instance, clears the IPS instance or applies a new IPS configuration.
ips_mmap [on | off] Enabling mmap optimizes RAM usage, especially in low-end devices. By default, mmap is on.
maxpkts [numeric value more than 8 | all | default]

The number of packets scanned in new and updated connections from the client and the server. For example, the firewall scans the first eight packets from the client and the first eight packets from the server.

Default: 8

To identify complex or evasive applications, such as proxy or P2P applications, we recommend setting it to 80. See Configure recommended settings for P2P and Proxy and Tunnel.

Setting this value too high results in reduced connection speed.

packet-streaming [on | off]

Determines whether packet streaming is to be allowed or not. Packet streaming is used to restrict the streaming of packets in situations where the system is experiencing memory issues.

If packet-streaming is set to on, which is the default setting, the IPS engine builds an internal table during a session and deletes it at the end. It also reassembles all incoming packets and checks the data for known signatures.

If packet-streaming is set to off, then protocols such as Telnet, POP3, SMTP, and HTTP are vulnerable as reassembly of packets or segments can no longer occur. Data is sometimes broken up into chunks of packets and must be reassembled to check for signatures. These protocols are now vulnerable to malicious files that are hidden by splitting.

pki-acceleration [enable | disable]

Offloads the re-signing of X.509 server certificates for SSL/TLS flows inspected by the DPI engine to the crypto hardware on the Xstream Flow Processor.

Default: Enabled on the supported versions and appliances.

On SFOS versions and XGS Series models that don't support PKI acceleration, its status appears as disabled. See Summary of supporting versions and appliance models.

To see the pki-acceleration status, enter show ips-settings. See show commands.

For PKI acceleration to take effect, firewall acceleration must be turned on. If PKI acceleration is turned on but firewall acceleration is turned off, the status appears as enabled (inactive). See Firewall acceleration.

search-method [ac-bnfa | ac-q | hyperscan]

Set the search method for IPS signature pattern matching.

ac-bnfa: low memory usage, high performance.

ac-q: high memory usage, best performance.

hyperscan: low memory usage, best-performance.

sip_ignore_call_channel [enable | disable]

Set whether the audio and video data channels should be ignored. Enable this option to ignore such channels.

Enabled by default.

sip_preproc [enable | disable] Set whether the SIP preprocessor should be enabled or not. If you enable this, it scans all the SIP sessions to prevent any network attacks.
tcp urgent-flag [allow | remove]

Set how IPS handles the TCP urgent flag and pointer, if the flag is sent in TCP packets. Default is remove.

allow: Allows the urgent flag and pointer without changing the packet.

remove: Removes and resets the urgent flag and pointer.

Note

When you use advanced shell CLI commands, such as ps, or top, you may see the overall memory consumption for snort as much more than is reported in /proc/meminfo or under Diagnostics in the web admin console. This is because ps and top show the overall reserved memory, not the memory currently in use. This applies when firewall acceleration is turned on because it uses memory reservation on all XGS versions.

ips_conf

Allows the administrator to add, delete or edit an existing IPS configuration entry.

Syntax Description
add [key] [text] [value] [text] Add a new IPS configuration.
del [key] [text] [value] [text] Delete and existing IPS configuration.
update [key] [text] [value] [text] Update and exiting IPS configuration.

lanbypass

When turned on, the firewall's LAN bypass, or Fail to wire (FTW), is armed. In this mode, the firewall bridges one or both bypass port pairs, allowing uninterrupted traffic flow without scanning when there's a power failure or hardware malfunction. The firewall automatically resumes normal functionality when power is restored. See Sophos Firewall: Configure LAN Bypass.

Syntax Description
off Turns lanbypass off. This is the default setting.
on Turns lanbypass on.

network

Allows you to set various interface network parameters, such as link mode (speed and duplex), MAC address, MTU-MSS, and LAG.

Syntax Description
interface-link [PortID] [linkmode] [1000fd] [100fd] [100hd] [10fd] [10hd] [auto] [autoneg] [on] [off] [fecmode]

Allows you to configure the interface speed and duplex. Values are in Mbps and either full or half duplex. Auto allows the interface to automatically negotiate speed with the connected neighbor device.

Turn auto-negotiation of speed and duplex on or off and select a Forward Error Correction (FEC) mode for the interface. FEC modes depend on the appliance model.

macaddr [PortID] [default] [override] [string value] Allows you to set the MAC address of the interface. Default keeps the existing MAC address. If you're using the override parameter, enter the MAC address manually.
mtu-mss [PortID] [mtu ] [number value] [default] [mss] [number value] [default] Allows you to define the required MTU and MSS for interfaces. Default values are MTU 1500 and MSS 1460.
lag-interface [interface_name] [lag-mgt] [active-backup] [auto] [Port] [lacp] [lacp-rate] [fast] [slow] [static-mode] [enable] [disable] [xmit-hash-policy] [layer2] [layer2+3] [layer3+4] [link-mgt] [down-delay] [value] [garp-count] [value] [monitor-interval] [value] [up-delay] [value]

Allows you to set various parameters for any configured lag interfaces. Where the variable is stated as value, the available values are as follows:

down-delay: 0-10000 milliseconds

garp-count: 0-255

monitor-interface: 0-10000 milliseconds

up-delay: 0-10000 milliseconds

on-box-reports

Allows you to turn on or turn off on-box reports.

Syntax Description
on Turn on-box reports on.
off Turn on-box reports off.

Note

You can only turn all reports on or off. You can't turn specific module reports on or off.

port-affinity

You can configure port affinity. Administrators can manually assign or unassign a CPU core to a specific interface. Once you configure this, the assigned CPU cores handle all the network traffic for that interface.

Note

You can only assign CPU cores to interfaces that have already been configured.

Port-affinity isn't supported with legacy network adapters, for example, when a virtual appliance is deployed in Microsoft Hyper-V.

Note

You don't need to configure port-affinity settings on XGS Firewall devices. Traffic is load-balanced and distributed across CPU cores for these devices automatically.

Syntax Description
add [port] {PortID} [bind-with | start-with] [cpu] [cpu number] Allows you to add port affinity settings to the desired interface.
defsetup Applies the default port affinity configuration.
del [port] {PortID} Deletes current port affinity settings for the selected port.
fwonlysetup This is the legacy default port affinity setup and only handles plain firewall traffic, which doesn't include any proxy or IPS traffic.

proxy-arp

Allows you to define how the proxy responds to ARP requests.

Syntax Description
add [interface] {PortID} [dest_ip | dst_iprange] {destination IP | destination IP range} Applies proxy arp settings to the defined interface.
del [interface] {PortID} [dest_ip | dst_iprange] {destination IP | destination IP range} Deletes proxy arp settings from the defined interface

report-disk-usage

Sets a percentage limit for the /var partition's disk usage.

Syntax Description
watermark [default | <50-75>]

Sets the limit at which a control center alert and an event log are generated. Allowed values are from 50 to 75.

Default: 70.

Warning

We recommend that you free up disk space. When disk usage crosses 80 percent, reporting stops. See Disk space for logs and reports.

routing

Allows configuration of routing parameters for multicast group limits, policy-based IPsec VPN, source base route for aliases, and WAN load balancing.

Syntax Description
multicast-group-limit <number> Applies the multicast group limit. Default is 250.
policy-based-ipsec-vpn system-generate-traffic [enable | disable]

Turn on or off policy-based IPsec VPN routes for system-generated traffic.

Default: On

Warning: This will restart all IPsec tunnels. Plan your downtime accordingly.

multicast-decrement-ttl [enable | disable] Turn on or turn off TTL decrementing for multicast traffic.
sd-wan-policy-route [system-generate-traffic] [reply-packet] [enable | disable] Turn policy routes on or off for system-generated traffic and reply packets. Make sure you turn routing on for each of them independently. Policies are configured in the web admin console.
source-base-route-for-alias [enable | disable] Applies or removes source-based routes for alias addresses. You must turn this option on when you have multiple WAN interfaces and want to use alias addresses for IPSec connections.
wan-load-balancing [session-persistence | weighted-round-robin] [connection-based | destination-only | source-and-destination | source-only] [ip-family] [all | ipv4 | ipv6]

Configures WAN load balancing to balance traffic between multiple WAN interfaces.

Session persistence sends traffic for the same session over a specific interface. Weighted round robin passes traffic over different interfaces depending on the load that each interface experiences.

You can define these four ways when using session persistence to balance traffic.

Connection-based sends all traffic related to the same connection over the same interface.

Destination-only send all traffic to a specific source over the same interface.

Source-and-destination based sends all traffic between the same source and destination over the same interface.

Source-only sends all traffic from a specific source over the same interface.

Furthermore, you can choose to balance just IPv4, IPv6, or all traffic.

service-param

Sophos Firewall inspects all HTTP, HTTPS, FTP, SMTP/S, POP, and IMAP traffic on the standard ports by default. Use service-param to turn on inspection of traffic sent over non-standard ports.

Syntax Description
FTP [add | <p>delete] [port] {portID}

HTTP [add | <p>delete] [port] {portID}

IMAP [add | <p>delete] [port] {portID}

IM_MSN [add | <p>delete] [port] {portID}

IM_YAHOO [add | <p>delete] [port] [port number]

POP [add | <p>delete] [port] {portID}

HTTPS [add | delete] [port] {portID} [deny_unknown_proto] [on | off] [invalid-certificate] [allow | <p>block]

SMTP [add | delete] [port] {portID} [failure_notification] [on | off] [fast-isp-mode] [on | off] [notification-port] [add] [port] {portID} [strict-protocol-check] [on | <p>off]

SMTPS [add | delete] [port] {portID} [invalid-certificate] [allow | block]

To allow inspection of traffic on non-standard ports for a specific protocol use the add port commands. This works for all services available within the service-param command list.

There are more options available for HTTPS, SMTP, and SMTPS.

support_access

Allows you to turn support access on or off.

Syntax Description
[enable|disable] Turn support access on or off. If you turn it on, it shows the access ID and the access duration.

vpn

Allows you to set various parameters for VPN connections, including failover settings, authentication settings, and MTU.

Note

Some of these are advanced settings. Use them based on your network requirement or based on advice from Sophos Support.

Syntax Description
conn-remove-on-failover [all | non-tcp] [conn-remove-tunnel-up] [enable | disable] [l2tp | pptp] [authentication] [ANY | CHAP | MS_CHAPv2 | PAP] [mtu] <576-1460> Authentication parameters can be set for L2TP and PPTP VPNs, in addition to global failover and failback parameters for all traffic or non TCP traffic. MTU can be set for L2TP. The available values are 576 to 1460. Default is 1410.

ipsec-performance

[ipsec-max-workqueue-items <1024-10240>]

[anti-replay window-size {32 | 64 | 128 | 256 | 512 | 1024 | 2048 | <p>4096}]

[cookie_threshold <number>]

ipsec-max-workqueue-items: You can set the size of the work queue to any value from 1024 to 10240.

anti-replay window-size: The firewall keeps track of which packets it has seen during decryption, according to the limit set, to prevent replay attacks. Default: 1024.

cookie_threshold: Cookie validation is always on. The feature's only available for IKEv2. When the number of simulatenous half-SAs exceeds the cookie threshold, the responder sends a cookie request to initiators to protect from DoS attacks. Default: 30