Skip to content


The system command allows the configuration of a range of system parameters.

Syntax description

system main-command option [arguments] {user defined input} <ranges>


Allows you to view air gap status and turn air gap functionality on and off.

Syntax Description
[enable] Use to enable air gap functionality.
[disable] Use to disable air gap functionality.
[show] Displays the current air gap configuration.


Allows you to override or bypass the configured device access settings and allow access to all the Sophos Firewall services.

Syntax Description
[disable] Disables appliance access. Disable is the default setting.
[enable] Enables appliance access.
[show] Displays the current appliance access status.


You must turn this option on only for short periods when emergency access is required. It causes all the ports to accept incoming traffic, including legacy services such as telnet. You must turn it off once full access to the firewall has been restored.


Controls how the firewall categorizes applications.


Don't change these settings unless directed by Sophos Support.

Syntax Description
[off | on | show] Default: On
microapp-discovery [off | on | show]

If you turn on microapp-discovery, traffic will be interrupted as some services restart.

Default: Off


Sets authentication parameters for STAS, terminal services, thin client, and maximum live user settings.

Syntax Description
cta [add | delete] [IP-Address] {IP address} You can use CTA when you configure STAS authentication.
max-live-users [show | set] <8192-32768>

For max live users, the available values are 8192 to 32768.

Use the show command to see the current values.

thin-client [add | delete | show] [citrix-ip] {IP Address} Thin client is used for authentication within a Citrix environment.


Auto reboot on hang determines how the system behaves if the kernel stops responding.

Syntax Description
[disable | enable | show] Default: enabled.


Allows setting of various parameters for bridged interfaces.

Syntax Description
bypass-firewall-policy [unknown-network-traffic] [allow | drop | show] [dynamic | static] Use the bypass-firewall-policy command to configure a policy for non-routable traffic for which no security policy is applied.
static-entry [add | delete | show] [interface] {interface ID} [bridge name] [Port] {PortID} [macaddr] {MAC Address} [priority] [dynamic | static] Use the static-entry command to configure static MAC addresses in bridge mode. The bridge forwarding table stores all the MAC addresses learned by the bridge and is used to determine where to forward packets.
max_bridge_members [reset | set] [limit] <2-256>[show] Use the max_bridge_members command to set the maximum number of interfaces allowed for a bridged interface. Available values are 2 to 256.


Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal using the WAN or VPN interfaces. The CAPTCHA is always active for the SPX portal and can't be turned off.

If you use this command to turn off the CAPTCHA, it overrides the VPN-specific setting. We recommend that you turn this setting on and only turn the CAPTCHA off for VPN users using the VPN-specific command, captcha_authentication_VPN.

Signing in from a LAN interface doesn't require a CAPTCHA.


If you use the same port for SSL VPN and the user portal, the CAPTCHA won't appear for the user portal.

We strongly recommend using a unique port for each service. This ensures secure access to the user portal. See SSL VPN global settings.

Syntax Description
[disable | enable | show] for [webadminconsole | userportal] Default: Enabled


Allows you to turn on or turn off CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal. The CAPTCHA is always active for the SPX portal and can't be turned off.

Administrators signing in to the web admin console and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on Sophos Firewall and not on an external authentication server, such as an AD server.

XG 85 and XG 85w devices don't show the CAPTCHA.


If you use the same port for SSL VPN and the user portal, the CAPTCHA won't appear for the user portal.

We strongly recommend using a unique port for each service. This ensures secure access to the user portal. See SSL VPN global settings.

Syntax Description
[disable | enable | show] for [webadminconsole | userportal] Default: Disabled

If you configured a site-to-site IPsec connection with the remote subnet set to Any, the CAPTCHA applies to all these tunnels. Add these to an IPsec route to ensure the CAPTCHA doesn't apply to specific remote hosts or networks. For <mytunnel>, select from the names of the original IPsec connections shown on the command-line interface.

Examples of commands to add a remote host or network are as follows:


Remote host: console> system ipsec_route add host tunnelname mytunnel

Remote network: console> system ipsec_route add net tunnelname mytunnel


Allows you to turn on or turn off the cellular WAN and view any Wi-Fi modem information if connected. The cellular WAN menu is available in the web admin console after you've turned it on from the CLI.


The QMI command only applies to Sierra modems. QMI mode for non-Sierra modems is already supported.

Syntax Description
[disable | enable] query [serialport] {serial port number} [ATcommand] {command string} set [disconnect-on-systemdown] [off | on] modem-setup-delay {numerical value}

When using the modem-setup-delay command, the numerical value is the number of seconds that you wish to delay the modem coming online.

When using AT commands, all valid AT commands are accepted.

qmi-mode [enable] [disable] Turn on or turn off QMI mode for Sierra modems.


Allows you to add top users to generated PDF reports.

Syntax Description
[disable | enable | show] You can enable or disable this feature and show the current setting.


Sophos Firewall supports the configuration of DHCP options, as defined in RFC 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.

Syntax Description
conf-generation-method [new | old] [show]

Method of generating the backend DHCP configuration file.

You require the new file format if you've bound a MAC address in more than one DHCP server configuration. The old method may provide incorrect information, such as for DNS servers and gateway.

Default: old

dhcp-relay-refresh-interval [show | set] [seconds] <10-10000> Use dhcp-relay-refresh-interval to set the time in seconds for refresh packets to be sent. Available options, 10-1000. Default: 10
dhcp-options [add | delete | show] [optioncode] <1-65535> [optionname] [binding] [dhcpname] Use dhcp-options to assign properties from the DHCP server to the clients. Example: Set a DNS server address.
lease-over-IPSec [disable | enable | show] Use lease-over-IPSec to specific how DHCP leases are handled for IPsec connections. Default: disable.
one-lease-per-client [disable | enable | show] Default: disable
send-dhcp-nak [disable | enable | show] Default: enable
static-entry-scope [global | network | show] Default: network


Sophos Firewall supports the configuration of DHCPv6 options, as defined in RFC 3315. DHCPv6 options allow you to specify additional DHCPv6 parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCPv6 message. When the DHCPv6 message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix B provides a list of DHCPv6 options by RFC-assigned option number.

Syntax Description
dhcpv6-options [add | delete] [optioncode] <1-65535> [optionname] [list] [binding] [add | delete] [dhcpname] [show] Available values for optioncode are 1 to 65535.


Use this command to configure discover mode on one or more interfaces.

Syntax Description
tap [add | delete | show] [Port] Add and delete discover mode for the specified ports or show current ports that have discover mode configured.


Diagnostics allows you to view and set various system parameters for troubleshooting purposes.

Syntax Description
ctr-log-lines <250-10000> [traceroute | traceroute6]

Sets the number of lines to show in the log files in the Consolidated troubleshooting report (CTR). See Troubleshooting logs and CTR.

Available range: 250 to 10000

Default: 10000

purge-all-logs Purges all log files. The empty files remain in the folder.
purge-old-logs Purges all compressed (.gz) log files.
selftest Runs basic tests to validate the network interface card. This command is only applicable to XGS devices.
show [cpu | interrupts | syslog | version-info | ctr-log-lines | memory | sysmsg | disk | subsystem-info | uptime] Use diagnostics to view the current status of various systems such as CPU and memory usage.
show version-info Shows the firewall's serial number, device ID, appliance model, and version information.
subsystems [Access-Server] [Bwm | CSC | IPSEngine | LoggingDaemon | MTA | Msyncd | POPIMAPDaemon | Pktcapd | SMTPD | SSLVPN | SSLVPN-RPD | WebProxy] [debug | purge-log | purge-old-log] When you use subsystems, configure each subsystem individually.
utilities [arp | bandwidthmonitor | connections | dnslookup | dnslookup6 | drop-packet-capture | netconf | netconf6 | ping | ping6 | process-monitor | route | route6 | traceroute | traceroute6] Utilities provides a number of systems to help with troubleshooting.


Use dos-config to configure denial of service (DoS) policies and rules. You can turn on flood protection for SYN, UDP, ICMP, and IP packet types by configuring the maximum packets per second to be allowed per source, per destination, or globally. If the traffic exceeds the limit, the device considers it an attack.

DOS policy configuration:

Syntax Description
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src]

The packets per second (PPS) value options are 1 to 10000 packets.

IP flood: You can only configure IP flood through the device console. It isn't available in the web admin console. If you turn on IP flood, the Applied column in Intrusion prevention > DoS attacks will still show as No. This is expected behavior.

Using per-src: You can configure packets per second (PPS) allowed from a single source. If more packets come from a single source, Sophos Firewall drops the packets. The limit applies to individual source requests per user or IP address.

Using per-dest: You can configure packets per second (PPS) allowed to a single destination. The limit applies to individual destination requests per user or IP address.

Using global: Apply the limit on the entire network traffic regardless of source and destination requests. This setting doesn't apply to the counters shown in Intrusion prevention > DoS attacks.

With the per-src option configured, if the source rate is 2500 packets/second and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per second. If you select the global option, configure the limit as 2500 packets per second, and the network consists of 100 users, only 2500 packets per second are allowed for all traffic from all users.

DOS rule configuration:

Syntax Description
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name] You can create a denial-of-service (DoS) rule to apply to all packet types or specific packet types within one command.

To delete a DoS rule or policy:

Syntax Description
delete [dos-policy] [dos-rule] [dos-policy] [rule-name | policy-name] [string] The string must be the name of your DoS rule or policy.

To flush or view DOS rules and policies, the following options are available:

Syntax Description
flush [dos-rules | dos-rules | dos-policies] [rule-name | policy-name] [show | string] The string must be the name of your DoS rule or policy.


The filesystem command enables you to enforce disk write permissions for the report partition.

Syntax Description
enforce-disk-write [partition-name] [report | enable | disable | show] Enable or disable disk write permissions or show the current status. Default: enabled.

Acceleration options


Use firewall-acceleration to enable advanced data-path architecture, allowing faster processing of data packets for known traffic.

Use firewall-acceleration to offload trusted traffic to FastPath, freeing the CPU for resource-intensive processes.

Syntax Description
[disable | enable | show] Turns firewall acceleration on or off and shows the current status. Default: enabled.

PKI acceleration

See PKI acceleration.


Turn on or turn off IPsec SA offloading from SlowPath. When turned on, the firewall offloads IPsec encryption and decryption based on the phase 2 Security Associations (SA). It offloads SAs for most of the encryption and authentication combinations available on Sophos Firewall. See "IPsec acceleration" in Architecture for offloading.


The firewall doesn't offload the following SAs:

  • 3DES
  • BLowFish
  • MD5
Syntax Description
[disable | enable | show] Turns SA offloading on or off and shows the current status of IPsec acceleration. Default: enabled.


Check the file system integrity of all the partitions. Turning this option on forcefully checks the file system integrity on the next device restart. This check is automatically turned on if the device goes into failsafe mode. The device can go into failsafe mode for the following reasons:

  • Unable to start config, report, or signature database.
  • Unable to apply migration.
  • Unable to find the deployment mode.
Syntax Description
[off | on | show] Turn integrity checking on or off for the next restart or show the current configuration. Default: off.


Using gre, you can configure, delete, set TTL and status for gre tunnels. You can also view route details like tunnel name, local gateway network and netmask, and remote gateway network and netmask.

Syntax Description
route [add | del | <p>show] [ipaddress] [network/netmask] [tunnelname][local-gw] [WAN Address] [remote-gw] [remote WAN ipaddress] [local-ip] [ipaddress] [remote-ip] [ipaddress]

tunnel [add | del | show] [ALL | name] [tunnelname] [local-gw] [port] [remote-gw] [ipaddress/netmask] [local-ip] [ipaddress] [remote-ip] [ipaddress] [name] [local-gw] [Port] [remote-gw] [network/netmask]

When using route and adding or deleting a host IP address type the IP address. Example,

When you add or delete a network, type the network IP and subnet mask. Example,

For name, type the tunnel name.

When using tunnel to add or delete a new tunnel, tunnelname must be the name you want to give to the tunnel.


Allows configuration of certain HA parameters.

Syntax Description
auxiliary_system_traffic_through_dedicated_link [all] [none] [only_dynamic_interface] [show] load-balancing [on] [off] [show]

Use auxiliary_system_traffic_through_dedicated_link to configure routing for system traffic sent by the auxiliary firewall. The default setting passes all traffic over the dedicated link.

Load balancing can be turned on or off. When turned on, traffic is balanced between the firewalls.

Show displays the current HA configuration


Allows the firewall to automatically install hotfixes when they become available. The firewall looks for hotfixes every 30 minutes. By default, it installs hotfixes automatically. We recommend you don't change this setting.


The installed hotfixes remain when you upgrade the firmware.

Syntax Description
[enable | disable | show] Turn automatic installation of hotfixes on or off. Default: enable.


Provides options for configuring IPsec routing.

Syntax Description
add [host | <p>net] [ipaddress/netmask] [tunnelname] [string]

del [host | <p>net] [ipaddress/netmask] [tunnelname] [string]


Add or delete IPsec routes by host or network or show the configured routes.

ips full-signature-pack

Turn on or turn off full IPS signature pack download during pattern updates. It may affect performance. This setting only applies if the appliance has a minimum of 32 GB RAM.

Syntax Description
enable Turn on full IPS signature pack download during pattern updates.
disable Turn off full IPS signature pack download during pattern updates.
show Show the status of ips full-signature-pack.

You can configure a VPN as a backup link. Traffic is sent through the the VPN connection whenever the primary link fails.

Syntax Description
add [primarylink] [portname] [backuplink] [vpn] [gre] [tunnel] [tunnelname] [monitor PING host] [monitor TCP host] [ipaddress] [portnumber] You can configure failover to use a VPN or GRE tunnel. When you use TCP host monitoring, you'll need to specify the TCP port to monitor. If you use ping monitoring the monitoring port isn't required.


Restart Sophos Firewall.

Syntax Description
[all] Restarts Sophos Firewall. If you configure this in HA, it causes a failover.


Sets routing precedence. By default, the route lookup precedence is as follows:

  1. Static
  2. SD-WAN
  3. VPN
Syntax Description

set [sdwan_policyroute] [static] [vpn]


SSL VPN connections belong to the static route category. See Routing.

Use show to see the current configuration.


Shut down Sophos Firewall. There are no further options to use with this command.


Allows you to change synchronized security behavior. You can specify whether to send the heartbeat to Sophos Central. At times, synchronized security may stop you from registering or deregistering Sophos Firewall with Sophos Central. To prevent this, you can clear the synchronized security configuration.

Syntax Description
delay-missing-heartbeat-detection [set | show] [seconds] Sets the time to wait before moving the endpoint to missing heartbeat status. Use this when there are frequent adapter changes (for example, when switching between Wi-Fi and LAN connections).

Range: 30 to 285, in multiples of 15.

Default: 60
suppress-missing-heartbeat-to-central [set | show] [seconds] Sets the time to wait before Sophos Firewall reports the missing heartbeat status to Sophos Central. We recommend using this option if endpoints are expected to frequently sleep, hibernate, shut down, or wake up.

Range: 0 to 120

Default: 0
central_registration [deregister] Clears the synchronized security configuration with Sophos Central.


Load or unload the following system modules;

  • dns
  • h323
  • irc
  • pptp
  • sip
  • tftp

By default, system modules are loaded.

Syntax Description
dns [load | unload] DNS: The DNS module learns the subdomains of non-local DNS traffic.
h323 [load | unload] H323: The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the internet.
pptp [load | unload] PPTP: Point to Point Tunneling Protocol is a network protocol that enables the secure transfer of data from a remote client to a private server, creating a point-to-point VPN tunnel using a TCP/IP-based network.
irc [load | unload] [port] [portname] [default] IRC: Internet Relay Chat is a multi-user, multi-channel chatting system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another. In this manner, people from all over the world can talk to each other live and simultaneously. DoS attacks are very common as it's an open network, and performance is affected with no control over file sharing.
sip [load | unload] [portname] [default] SIP: Session Initiation Protocol is a signaling protocol which enables the controlling of media communications such as VoIP. The protocol is generally used to maintain unicast and multicast sessions of several media systems. SIP is a text-based and TCP / IP-supported application layer protocol.
tftp [load | unload] [portname] [default] [show] TFTP: Trivial File Transfer Protocol is a simple form of the file transfer protocol (FTP). TFTP uses the user datagram protocol (UDP) and provides no security features.


Manage the waiting period for detecting the readiness of the USB drive.

Use this option when using firewall provisioning or zero-touch configuration to set up the firewall.

Syntax Description
set [number] [show]

Set the value in seconds that you wish to wait before USB devices are detected.

Available values are 1 to 15. The default is 3.


Set VLAN tags for VLAN traffic passing through Sophos Firewall.

Syntax Description

set [interface] [interfacename] [vlanid] [number]

reset [interface] [interfacename] [reset]

Use these commands to set and reset VLAN IDs for an interface or to show the current configuration.

Available VLAN IDs: 0 to 4094.


You can configure all VLAN tagging, including for bridge interfaces, from the web admin console. If you've previously configured VLAN tags for a bridge interface from the CLI, we recommend you delete the configuration and set the tags in the web admin console instead.


The wireless-controller settings let you configure parameters for attached access points, including troubleshooting features.

Syntax Description

ap_localdebuglevel [get] [set] [number]

global [ap_autoaccept] [value] [ap_debuglevel] [number] [log_level] [number] [radius_accounting_start_delay] [number] [show] [stay_online] [number] [store_bss_stats] [number] [tunnel_id_offset] [number]

Use the ap_localdebuglevel and ap_debuglevel commands to configure the debugging level the device will use when logging.

The level parameter must be between 0 (lowest) and 15 (highest).

You can view the current debug level using the get parameter.

The log_level parameter configures the logging level the device will use. When an event is logged, it's printed into the corresponding log if the message's log level is equal to or more than the configured log level. The level parameter must be between 0 (lowest) and 7 (highest).

The radius_accounting_start_delay parameter sets the delay to start the 802.1x accounting for the Wi-Fi client. You can set the delay depending on the DHCP response time. You can set a value from 0 to 60 seconds. This allows the Wi-Fi client to receive the IP address first and then start the accounting. The Wi-Fi SSO uses the framed IP address from the accounting start message and allows the user to sign in to Sophos Firewall.

Available values for ap_autoaccept, stay_online and store_bss_stats are, 0 (off) or 1 (on).

The tunnel_id_offset parameter value must be from 0 (lowest) to 65535 (highest).

remote_pktcap [disable | enable | show] [AP serial number] The remote_pktcap command captures packets on access points when a packet capture is running. To start packet capturing, the value of the ap_debuglevel parameter must be equal to or greater than 4.
set_channel_width [Wi-Fi interface name] [band] [Wi-Fi band] [channel_width] [number]

You can choose Wi-Fi band 2.5GHz or 5GHz.

Available channel widths are 20 and 40 for 2.5GHz, and 20, 40, or 80 for 5GHz.