system
The system command allows the configuration of a range of system parameters.
Syntax description
system main-command option [arguments] {user defined input} <ranges>
airgap
Allows you to view air gap status and turn air gap functionality on and off.
Syntax | Description |
---|---|
[enable] | Use to enable air gap functionality. |
[disable] | Use to disable air gap functionality. |
[show] | Displays the current air gap configuration. |
appliance_access
Allows you to override or bypass the configured device access settings and allow access to all the Sophos Firewall services.
Syntax | Description |
---|---|
[disable] | Disables appliance access. Disable is the default setting. |
[enable] | Enables appliance access. |
[show] | Displays the current appliance access status. |
Warning
You must turn this option on only for short periods when emergency access is required. It causes all the ports to accept incoming traffic, including legacy services such as telnet. You must turn it off once full access to the firewall has been restored.
application_classification
Controls how the firewall categorizes applications.
Warning
Don't change these settings unless directed by Sophos Support.
Syntax | Description |
---|---|
[off | on | show] | Default: On |
microapp-discovery [off | on | show] | Turns micro-app discovery on or off, or shows the current setting. |
auth
Sets authentication parameters for STAS, terminal services, thin client, and maximum live user settings.
Syntax | Description |
---|---|
cta [add | delete] [IP-Address] {IP address} | You can use CTA when you configure STAS authentication. |
max-live-users [show | set] <8192-32768> | Sets or shows the maximum number of live users. Available values are 8192 to 32768. |
thin-client [add | delete | show] [citrix-ip] {IP Address} | Thin client is used for authentication within a Citrix environment. |
auto-reboot-on-hang
Auto reboot on hang determines how the system behaves if the kernel stops responding. When enabled, the firewall restarts automatically instead of staying hung.
Syntax | Description |
---|---|
[disable | enable | show] | Default: enabled. |
bridge
Allows setting of various parameters for bridged interfaces.
Syntax | Description |
---|---|
bypass-firewall-policy [unknown-network-traffic] [allow | drop | show] [dynamic | static] | Use the bypass-firewall-policy command to configure a policy for non-routable traffic for which no security policy is applied. |
static-entry [add | delete | show] [interface] {interface ID} [bridge name] [Port] {PortID} [macaddr] {MAC Address} [priority] [dynamic | static] | Use the static-entry command to configure static MAC addresses in bridge mode. The bridge forwarding table stores all the MAC addresses learned by the bridge and is used to determine where to forward packets. |
max_bridge_members [reset | set] [limit] <2-256> [show] | Use the max_bridge_members command to set the maximum number of interfaces allowed for a bridged interface. Available values are 2 to 256. |
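The static-entry row above says the bridge forwarding table is built from learned MAC addresses and that static entries can be pinned. The Python model below is an added illustration, not Sophos Firewall code or its CLI: it implements a learning bridge whose static entries are never relearned, so a frame that spoofs a pinned source MAC on another port does not redirect traffic. The port names, frame fields and the `ForwardingTable` API are assumptions made for this example.

```python
"""Learning-bridge forwarding table with pinned static entries (added example).

Assumed model, not Sophos Firewall code: the bridge learns source MAC -> port
mappings from traffic, but an administrator-added static entry is never
overwritten by a later frame claiming the same source MAC on a different port.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str
    static: bool


class ForwardingTable:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}            # mac -> Entry
        self.spoof_attempts = []   # (mac, in_port) frames that conflicted with a static entry

    def add_static(self, mac, port):
        """Pin a MAC address to a port (models `system bridge static-entry add`)."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        self.table[mac.lower()] = Entry(port, static=True)

    def delete_static(self, mac):
        entry = self.table.get(mac.lower())
        if entry is not None and entry.static:
            del self.table[mac.lower()]

    def lookup(self, mac):
        """Return (port, is_static) or None when the MAC is unknown."""
        entry = self.table.get(mac.lower())
        return None if entry is None else (entry.port, entry.static)

    def learn(self, src_mac, in_port):
        mac = src_mac.lower()
        entry = self.table.get(mac)
        if entry is not None and entry.static:
            if entry.port != in_port:
                # A frame on another port claims the pinned MAC: record it, do not relearn.
                self.spoof_attempts.append((mac, in_port))
            return
        self.table[mac] = Entry(in_port, static=False)   # dynamic entries follow the host

    def forward(self, src_mac, dst_mac, in_port):
        """Learn from the frame, then return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.learn(src_mac, in_port)
        dst = dst_mac.lower()
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # flood to all other ports
        if entry.port == in_port:
            return []                                        # destination is on the ingress segment
        return [entry.port]


if __name__ == "__main__":
    ft = ForwardingTable(["Port1", "Port2", "Port3"])
    ft.add_static("00:11:22:33:44:55", "Port1")
    print(ft.forward("aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "Port2"))   # ['Port1']
    ft.forward("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "Port3")         # spoof attempt
    print(ft.lookup("00:11:22:33:44:55"), ft.spoof_attempts)
```

The security point is the `learn` branch for static entries: without it, the spoofed frame on Port3 would rewrite the table and divert traffic for the pinned host to the attacker's port.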
captcha-authentication-global
Allows you to enable or disable CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal using the WAN or VPN interfaces. The CAPTCHA is always active for the SPX portal and can't be turned off.
If you use this command to turn off the CAPTCHA, it overrides the VPN-specific setting. We recommend that you turn this setting on and only turn the CAPTCHA off for VPN users using the VPN-specific command, captcha-authentication-vpn.
Signing in from a LAN interface doesn't require a CAPTCHA.
Syntax | Description |
---|---|
[disable | enable | show] for [webadminconsole | userportal] | Default: Enabled |
Example
Enable captcha: console> system captcha-authentication-global enable
Disable captcha: console> system captcha-authentication-global disable
Show captcha: console> system captcha-authentication-global show
captcha-authentication-vpn
Allows you to turn on or turn off CAPTCHA for administrators signing in to the web admin console and for local and guest users signing in to the user portal. The CAPTCHA is always active for the SPX portal and can't be turned off.
Administrators signing in to the web admin console and local and guest users signing in to the user portal from the WAN or VPN zones must enter a CAPTCHA. Local users are registered on Sophos Firewall and not on an external authentication server, such as an AD server.
Syntax | Description |
---|---|
[disable | enable | show] for [webadminconsole | userportal] | Default: Disabled |
Example
Enable captcha: console> system captcha-authentication-vpn enable
Disable captcha: console> system captcha-authentication-vpn disable
Show captcha: console> system captcha-authentication-vpn show
If you configured a site-to-site IPsec connection with the remote subnet set to Any, the CAPTCHA applies to all these tunnels. Add these to an IPsec route to ensure the CAPTCHA doesn't apply to specific remote hosts or networks. For <mytunnel>, select from the names of the original IPsec connections shown on the command-line interface.
Examples of commands to add a remote host or network are as follows:
Example
Remote host: console> system ipsec_route add host 50.50.50.1 tunnelname mytunnel
Remote network: console> system ipsec_route add net 10.10.10.0/255.255.255.0 tunnelname mytunnel
cellular_wan
Allows you to turn on or turn off the cellular WAN and view information about a connected modem. The cellular WAN menu is available in the web admin console after you've turned it on from the CLI.
Restriction
The QMI command only applies to Sierra modems. QMI mode for non-Sierra modems is already supported.
Syntax | Description |
---|---|
[disable | enable] query [serialport] {serial port number} [ATcommand] {command string} set [disconnect-on-systemdown] [off | on] modem-setup-delay {numerical value} | Turns the cellular WAN on or off, sends AT commands to the modem on the specified serial port, and sets disconnect-on-systemdown and the modem setup delay. When using AT commands, all valid AT commands are accepted. |
qmi-mode [enable] [disable] | Turn on or turn off QMI mode for Sierra modems. |
custom-feature
Allows you to add top users to generated PDF reports.
Syntax | Description |
---|---|
[disable | enable | show] | You can enable or disable this feature and show the current setting. |
dhcp
Sophos Firewall supports the configuration of DHCP options, as defined in RFC 2132. DHCP options allow you to specify additional DHCP parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix A provides a list of DHCP options by RFC-assigned option number.
Syntax | Description |
---|---|
conf-generation-method [new | old] [show] | Method of generating the backend DHCP configuration file. You require the new file format if you've bound a MAC address in more than one DHCP server configuration. The old method may provide incorrect information, such as for DNS servers and gateway. |
dhcp-relay-refresh-interval [show | set] [seconds] <10-10000> | Use dhcp-relay-refresh-interval to set the time in seconds between DHCP relay refresh packets. Available values: 10 to 10000. Default: 10 |
dhcp-options [add | delete | show] [optioncode] <1-65535> [optionname] [binding] [dhcpname] | Use dhcp-options to assign properties from the DHCP server to the clients. Example: Set a DNS server address. |
lease-over-IPSec [disable | enable | show] | Use lease-over-IPSec to specify how DHCP leases are handled for IPsec connections. Default: disable. |
one-lease-per-client [disable | enable | show] | Default: disable |
send-dhcp-nak [disable | enable | show] | Default: enable |
static-entry-scope [global | network | show] | Default: network |
dhcpv6
Sophos Firewall supports the configuration of DHCPv6 options, as defined in RFC 3315. DHCPv6 options allow you to specify additional DHCPv6 parameters in the form of pre-defined, vendor-specific information stored in the options field of a DHCPv6 message. When the DHCPv6 message is sent to clients on the network, it provides vendor-specific configuration and service information. Appendix B provides a list of DHCPv6 options by RFC-assigned option number.
Syntax | Description |
---|---|
dhcpv6-options [add | delete] [optioncode] <1-65535> [optionname] [list] [binding] [add | delete] [dhcpname] [show] | Available values for optioncode are 1 to 65535. |
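The dhcp and dhcpv6 sections above both describe options as vendor or service information carried in the options field of the message. The Python block below is an added example, not Sophos Firewall code or a Sophos API: it encodes and parses both option formats so the difference is visible. DHCPv4 (RFC 2132) uses a one-byte code and one-byte length, with 0 as pad and 255 as END; DHCPv6 (RFC 3315) uses two-byte code and length fields, which is why its option codes extend to 65535. Option 23 for DHCPv6 DNS servers is defined in RFC 3646. Both parsers reject a truncated option rather than read past the buffer, which is the check a firewall's DHCP code must make. The sample addresses are constructed for the example.

```python
"""DHCP (RFC 2132) and DHCPv6 (RFC 3315) option fields: encode and parse.

Added example, not Sophos Firewall code. Sample addresses are constructed.
"""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 section 2
OPT_ROUTER, OPT_DNS_V4, OPT_END = 3, 6, 255  # RFC 2132 option codes
OPT_DNS_V6 = 23                              # OPTION_DNS_SERVERS, RFC 3646


def encode_v4_options(options):
    """options: iterable of (code, value bytes) -> magic cookie + TLVs + END."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options:
        if not 1 <= code <= 254:
            raise ValueError(f"DHCPv4 option code {code} must be 1-254")
        if len(value) > 255:
            raise ValueError(f"DHCPv4 option {code} value exceeds 255 bytes")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def parse_v4_options(data):
    """Return {code: value}; raise ValueError on a malformed or truncated field."""
    if data[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(data):
        code = data[i]
        i += 1
        if code == 0:                 # pad byte carries no length
            continue
        if code == OPT_END:
            return opts
        if i >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i]
        i += 1
        if i + length > len(data):    # never trust the declared length
            raise ValueError(f"option {code}: length {length} runs past buffer")
        opts[code] = bytes(data[i:i + length])
        i += length
    raise ValueError("options field not terminated by END")


def encode_v6_options(options):
    out = bytearray()
    for code, value in options:
        if not 1 <= code <= 65535:
            raise ValueError(f"DHCPv6 option code {code} must be 1-65535")
        if len(value) > 65535:
            raise ValueError(f"DHCPv6 option {code} value exceeds 65535 bytes")
        out += struct.pack("!HH", code, len(value)) + value
    return bytes(out)


def parse_v6_options(data):
    i, opts = 0, {}
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack_from("!HH", data, i)
        i += 4
        if i + length > len(data):
            raise ValueError(f"option {code}: length {length} runs past buffer")
        opts[code] = bytes(data[i:i + length])
        i += length
    return opts


# Helpers for the address-list options used as examples on this page.
def dns_servers_v4(addrs):
    return OPT_DNS_V4, b"".join(ipaddress.IPv4Address(a).packed for a in addrs)

def router_v4(addr):
    return OPT_ROUTER, ipaddress.IPv4Address(addr).packed

def dns_servers_v6(addrs):
    return OPT_DNS_V6, b"".join(ipaddress.IPv6Address(a).packed for a in addrs)

def decode_addresses(value, family):
    size, cls = (4, ipaddress.IPv4Address) if family == 4 else (16, ipaddress.IPv6Address)
    if len(value) % size:
        raise ValueError("address list length is not a multiple of the address size")
    return [str(cls(value[i:i + size])) for i in range(0, len(value), size)]

def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to confirm malformed input is refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    v4 = encode_v4_options([dns_servers_v4(["10.0.0.53", "10.0.0.54"]), router_v4("10.0.0.1")])
    print(v4.hex(), parse_v4_options(v4))
    v6 = encode_v6_options([dns_servers_v6(["2001:db8::53"])])
    print(v6.hex(), parse_v6_options(v6))
```

Run it as a script to see the raw hex of each options field. `rejects(parse_v4_options, v4[:-3])` returns True because the router option declares four bytes but only two remain, the case a naive parser would read past.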
discover-mode
Use this command to configure discover mode on one or more interfaces.
Syntax | Description |
---|---|
tap [add | delete | show] [Port] | Add and delete discover mode for the specified ports or show current ports that have discover mode configured. |
diagnostics
Diagnostics allows you to view and set various system parameters for troubleshooting purposes.
Syntax | Description |
---|---|
ctr-log-lines <250-10000> [traceroute | traceroute6] | Sets the number of lines to show in the log files in the Consolidated troubleshooting report (CTR). See Troubleshooting logs and CTR. Available range: 250 to 10000 Default: 10000 |
purge-all-logs | Purges all log files. The empty files remain in the folder. |
purge-old-logs | Purges all compressed (.gz ) log files. |
selftest | Runs basic tests to validate the network interface card. This command is only applicable to XGS devices. |
show [cpu | interrupts | syslog | version-info | ctr-log-lines | memory | sysmsg | disk | subsystem-info | uptime] | Use diagnostics to view the current status of various systems such as CPU and memory usage. |
show version-info | Shows the firewall's serial number, device ID, appliance model, and version information. |
subsystems [Access-Server] [Bwm | CSC | IPSEngine | LoggingDaemon | MTA | Msyncd | POPIMAPDaemon | Pktcapd | SMTPD | SSLVPN | SSLVPN-RPD | WebProxy] [debug | purge-log | purge-old-log] | When you use subsystems, configure each subsystem individually. |
utilities [arp | bandwidthmonitor | connections | dnslookup | dnslookup6 | drop-packet-capture | netconf | netconf6 | ping | ping6 | process-monitor | route | route6 | traceroute | traceroute6] | Utilities provides a number of systems to help with troubleshooting. |
dos-config
Use dos-config to configure denial of service (DoS) policies and rules. You can turn on flood protection for SYN, UDP, ICMP, and IP packet types by configuring the maximum packets per second to be allowed per source, per destination, or globally. If the traffic exceeds the limit, the device considers it an attack.
DOS policy configuration:
Syntax | Description |
---|---|
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src] | The packets per second (PPS) value can be 1 to 10000. Using per-src: sets the PPS allowed from a single source. If more packets arrive from that source, Sophos Firewall drops them. The limit applies to each source individually, per user or IP address. Using per-dst: sets the PPS allowed to a single destination. The limit applies to each destination individually, per user or IP address. Using global: applies the limit to all network traffic regardless of source and destination. The global setting doesn't apply to the counters shown in Intrusion prevention > DoS attacks. For example, with per-src and a limit of 2500 packets per second on a network of 100 users, each user is allowed 2500 packets per second. With global and the same limit, only 2500 packets per second are allowed in total for all traffic from all users. |
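The per-src, per-dst and global scopes in the row above differ only in which key the packet counter is kept under. The Python model below is an added example, not Sophos Firewall code: it counts packets per second under the key each scope selects, drops everything above the limit, and reproduces the 100-user, 2500 pps comparison from the table. The packet records, the `apply_limit` function and the constructed source addresses are assumptions for the example; the real data path also resets and reports these counters differently.

```python
"""Packet-rate limits keyed per source, per destination, or globally (added example).

Assumed counter model, not Sophos Firewall code: packets are counted per
one-second bucket under a key chosen by the scope, and any packet that takes
the count past pps_limit in that second is dropped.
"""
from collections import defaultdict


def key_for(scope, pkt):
    """Select the counter key the DoS policy scope applies to."""
    if scope == "per-src":
        return pkt["src"]
    if scope == "per-dst":
        return pkt["dst"]
    if scope == "global":
        return "*"
    raise ValueError(f"unknown scope {scope!r}; use per-src, per-dst or global")


def apply_limit(packets, pps_limit, scope):
    """Return (allowed, dropped) for packets shaped {'t': second, 'src': ip, 'dst': ip}."""
    if not 1 <= pps_limit <= 10000:
        raise ValueError("pps limit must be 1-10000")
    counters = defaultdict(int)          # (second, key) -> packets seen so far
    allowed = dropped = 0
    for pkt in packets:
        bucket = (pkt["t"], key_for(scope, pkt))
        counters[bucket] += 1
        if counters[bucket] <= pps_limit:
            allowed += 1
        else:
            dropped += 1                 # over the limit for this key in this second
    return allowed, dropped


def make_traffic(n_sources, pkts_per_source, dst="203.0.113.80", second=0):
    """Constructed sample: n_sources hosts each sending pkts_per_source packets in one second."""
    return [{"t": second, "src": f"192.0.2.{i + 1}", "dst": dst}
            for i in range(n_sources) for _ in range(pkts_per_source)]


if __name__ == "__main__":
    traffic = make_traffic(100, 2500)    # 100 users, 2500 packets each, one second
    for scope in ("per-src", "per-dst", "global"):
        print(scope, apply_limit(traffic, 2500, scope))
```

With the 2500 pps limit, per-src lets all 250000 packets through (each source is under its own limit), while global and per-dst (all traffic to one destination) allow only 2500 and drop the rest. Counters are per second, so a source sending 3000 packets in each of two seconds loses 500 in each.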
DOS rule configuration:
Syntax | Description |
---|---|
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name] | You can create a denial-of-service (DoS) rule to apply to all packet types or specific packet types within one command. |
To delete a DoS rule or policy:
Syntax | Description |
---|---|
delete [dos-rule | dos-policy] [rule-name | policy-name] [string] | The string must be the name of your DoS rule or policy. |
To flush or view DOS rules and policies, the following options are available:
Syntax | Description |
---|---|
flush [dos-rules | dos-policies] [rule-name | policy-name] [show | string] | The string must be the name of your DoS rule or policy. |
filesystem
The filesystem command enables you to enforce disk write permissions for the report partition.
Syntax | Description |
---|---|
enforce-disk-write [partition-name] [report | enable | disable | show] | Enable or disable disk write permissions or show the current status. Default: enabled. |
Acceleration options
firewall-acceleration
Use firewall-acceleration to enable the advanced data-path architecture, which offloads trusted, known traffic to FastPath so packets are processed faster and the CPU is freed for resource-intensive processes.
Syntax | Description |
---|---|
[disable | enable | show] | Turns firewall acceleration on or off and shows the current status. Default: enabled. |
Warning
An outage occurs when you update firewall-acceleration. Plan your downtime accordingly.
PKI acceleration
See PKI acceleration.
ipsec-acceleration
Turn on or turn off IPsec SA offloading from SlowPath. When turned on, the firewall offloads IPsec encryption and decryption based on the phase 2 Security Associations (SA). It offloads SAs for most of the encryption and authentication combinations available on Sophos Firewall. See "IPsec acceleration" in Architecture for offloading.
Restriction
The firewall doesn't offload the following SAs:
- 3DES
- Blowfish
- MD5
Syntax | Description |
---|---|
[disable | enable | show] | Turns SA offloading on or off and shows the current status of IPsec acceleration. Default: enabled. |
fsck-on-nextboot
Warning
You must only use this command when recommended by Sophos Support. It helps resolve /sig, /conf, or /var partition mount errors on startup. If the firewall hardware or SSD isn't healthy, it can damage the file system.
Checks the file system integrity of all partitions. Turning this option on forces a file system integrity check on the next device restart. The check is turned on automatically if the device goes into failsafe mode. The device can go into failsafe mode for the following reasons:
- Unable to start config, report, or signature database.
- Unable to apply migration.
- Unable to find the deployment mode.
Syntax | Description |
---|---|
[off | on | show] | Turn integrity checking on or off for the next restart or show the current configuration. Default: off. |
gre
Using gre, you can configure and delete GRE tunnels and set their TTL and status. You can also view route details such as tunnel name, local gateway network and netmask, and remote gateway network and netmask.
Syntax | Description |
---|---|
route [add | del | show] [ipaddress] [network/netmask] [tunnelname] [local-gw] [WAN Address] [remote-gw] [remote WAN ipaddress] [local-ip] [ipaddress] [remote-ip] [ipaddress] | When you add or delete a network, type the network IP address and subnet mask, for example 192.168.0.0/255.255.255.0. For the tunnel name, type the name of the GRE tunnel. |
ha
Allows configuration of certain HA parameters.
Syntax | Description |
---|---|
auxiliary_system_traffic_through_dedicated_link [all] [none] [only_dynamic_interface] [show] load-balancing [on] [off] [show] | auxiliary_system_traffic_through_dedicated_link selects whether all, none, or only dynamic-interface auxiliary system traffic is sent over the dedicated HA link. Load balancing can be turned on or off. When turned on, traffic is balanced between the firewalls. |
hotfix
Allows the firewall to automatically install hotfixes when they become available. The firewall looks for hotfixes every 30 minutes. By default, it installs hotfixes automatically. We recommend you don't change this setting.
Note
The installed hotfixes remain when you upgrade the firmware.
Syntax | Description |
---|---|
[enable | disable | show] | Turn automatic installation of hotfixes on or off. Default: enable. |
ipsec_route
Provides options for configuring IPsec routing.
Syntax | Description |
---|---|
add [host | net] [ipaddress/netmask] [tunnelname] [string] | Add or delete IPsec routes by host or network or show the configured routes. |
ips full-signature-pack
Turn on or turn off full IPS signature pack download during pattern updates. It may affect performance. This setting only applies if the appliance has a minimum of 32 GB RAM.
Syntax | Description |
---|---|
enable | Turn on full IPS signature pack download during pattern updates. |
disable | Turn off full IPS signature pack download during pattern updates. |
show | Show the status of ips full-signature-pack . |
link_failover
You can configure a VPN as a backup link. Traffic is sent through the VPN connection whenever the primary link fails.
Syntax | Description |
---|---|
add [primarylink] [portname] [backuplink] [vpn] [gre] [tunnel] [tunnelname] [monitor PING host] [monitor TCP host] [ipaddress] [portnumber] | You can configure failover to use a VPN or GRE tunnel. When you use TCP host monitoring, you'll need to specify the TCP port to monitor. If you use ping monitoring the monitoring port isn't required. |
restart
Restart Sophos Firewall.
Syntax | Description |
---|---|
[all] | Restarts Sophos Firewall. In an HA cluster, a restart causes a failover. |
route_precedence
Sets routing precedence. By default, the route lookup precedence is as follows:
- Static
- SD-WAN
- VPN
Syntax | Description |
---|---|
| SSL VPN connections belong to the static route category. See Routing. |
shutdown
Shut down Sophos Firewall. There are no further options to use with this command.
synchronized-security
Allows you to change synchronized security behavior. You can specify whether to send the heartbeat to Sophos Central. At times, synchronized security may stop you from registering or deregistering Sophos Firewall with Sophos Central. To prevent this, you can clear the synchronized security configuration.
Syntax | Description |
---|---|
delay-missing-heartbeat-detection [set | show] [seconds] | Sets the time to wait before moving the endpoint to missing heartbeat status. Use this when there are frequent adapter changes (for example, when switching between Wi-Fi and LAN connections). Range: 30 to 285, in multiples of 15. Default: 60 |
suppress-missing-heartbeat-to-central [set | show] [seconds] | Sets the time to wait before Sophos Firewall reports the missing heartbeat status to Sophos Central. We recommend using this option if endpoints are expected to frequently sleep, hibernate, shut down, or wake up. Range: 0 to 120 Default: 0 |
central_registration [deregister] | Clears the synchronized security configuration with Sophos Central. |
system_modules
Load or unload the following system modules:
- dns
- h323
- irc
- pptp
- sip
- tftp
By default, system modules are loaded.
Syntax | Description |
---|---|
dns [load | unload] | DNS: The DNS module learns the subdomains of non-local DNS traffic. |
h323 [load | unload] | H323: The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the internet. |
pptp [load | unload] | PPTP: Point-to-Point Tunneling Protocol is a network protocol that creates a point-to-point VPN tunnel from a remote client to a private server over a TCP/IP network. PPTP's authentication and encryption are considered broken, so don't rely on it for confidentiality. |
irc [load | unload] [port] [portname] [default] | IRC: Internet Relay Chat is a multi-user, multi-channel chat system based on a client-server model. A single server links with many other servers to make up an IRC network, which transports messages from one user (client) to another, so people anywhere can talk to each other live. DoS attacks are common on IRC because it's an open network, and performance can be affected because there's no control over file sharing. |
sip [load | unload] [portname] [default] | SIP: Session Initiation Protocol is a signaling protocol which enables the controlling of media communications such as VoIP. The protocol is generally used to maintain unicast and multicast sessions of several media systems. SIP is a text-based and TCP / IP-supported application layer protocol. |
tftp [load | unload] [portname] [default] [show] | TFTP: Trivial File Transfer Protocol is a simple form of the file transfer protocol (FTP). TFTP uses the user datagram protocol (UDP) and provides no security features. |
usb-setup-delay
Manage the waiting period for detecting the readiness of the USB drive.
Use this option when using firewall provisioning or zero-touch configuration to set up the firewall.
Syntax | Description |
---|---|
set [number] [show] | Set the value in seconds that you wish to wait before USB devices are detected. Available values are 1 to 15. The default is 3. |
userportal-linkon-vpnportal
Shows or removes the user portal link on the VPN portal.
Syntax | Description |
---|---|
[enable] | Shows the user portal link on the VPN portal. |
[disable] | Removes the user portal link from the VPN portal. |
[show] | Shows if the user portal link appears on the VPN portal. |
vlan-tag
Set VLAN tags for VLAN traffic passing through Sophos Firewall.
Syntax | Description |
---|---|
| Use these commands to set and reset VLAN IDs for an interface or to show the current configuration. Available VLAN IDs: 0 to 4094. |
Note
You can configure all VLAN tagging, including for bridge interfaces, from the web admin console. If you've previously configured VLAN tags for a bridge interface from the CLI, we recommend you delete the configuration and set the tags in the web admin console instead.
wireless-controller
The wireless-controller settings let you configure parameters for attached access points, including troubleshooting features.
Syntax | Description |
---|---|
| The ap_debuglevel level parameter must be between 0 (lowest) and 15 (highest). You can also view the current debug level. |
remote_pktcap [disable | enable | show] [AP serial number] | The remote_pktcap command captures packets on access points when a packet capture is running. To start packet capturing, the value of the ap_debuglevel parameter must be equal to or greater than 4. |
set_channel_width [Wi-Fi interface name] [band] [Wi-Fi band] [channel_width] [number] | You can choose the 2.4 GHz or 5 GHz Wi-Fi band. Available channel widths are 20 and 40 MHz for 2.4 GHz, and 20, 40, or 80 MHz for 5 GHz. |