Device console
This page describes the CLI console and the various commands available in the base console.
Warning: If you run an incomplete command, the access_server daemon may stop responding. To resolve the issue, run a file system integrity check using the fsck-on-nextboot command and restart the firewall. See system.
The device console is used to perform various checks on the system and to view logs files for troubleshooting.
When using the command line, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.
You can see the usage of some CLI commands in the web admin console. See Object usage.
Sophos Firewall has inbuilt help at the command prompt itself to help users with the syntax without the need to exit from the CLI.
To view the list of available commands go to Option 4 (Device Console) and press Tab. The following is displayed:
clear ping telnet
disableremote ping6 telnet6
dnslookup set traceroute
dnslookup6 show traceroute6
drop-packet-capture system
enableremote tcpdump
Once you start typing a command you can press Tab again to view the list of arguments that are supported or required. Example: When you type ping and press Tab, you are presented with the list of parameters that are required or allowed as shown below:
ping
<ipaddress> count quiet sourceip
<string> interface size timeout
Type the command and then press ? to view the list of arguments supported with descriptions. Example: when you type ping and press ?, all parameters are shown with descriptions.
ping
quiet display the summary at startup and end
count Stop after sending count packets
size Number of data bytes to be sent
timeout timeout 'in seconds' before ping exits
interface Bind interface
sourceip Bind source ipaddress
<ipaddress> A.B.C.D (0 <= A,B,C,D < 256)
<string> Alpha-Numeric TEXT with/without quotes
To return to the main menu, type exit.
Below you will find a list of CLI commands and descriptions of their functions.
set
Use set to configure various system parameters. For further information on the available parameters see set.
system
Use system to configure various settings. For further information on the available options see system.
clear
Clears the screen.
disableremote
Disables remote connectivity over SSH, if enabled. By default it is not enabled. The appliance will no longer listen on port 22 for new connections, and existing ones will be terminated. Refer to enableremote to allow remote SSH connections.
dnslookup
Query internet domain name servers to resolve hostnames.
Parameter list and description
Syntax | Description |
---|---|
Host ipaddress Host url | Host to be searched. |
Server ipaddress [host] | Internet name or address of the name server. |
dnslookup6
Query internet domain name servers to resolve IPv6 hostnames.
Parameter list and description
Syntax | Description |
---|---|
Host ipaddress Host url | Host to be searched. |
Server ipaddress [host] | Internet name or address of the name server. |
drop-packet-capture
Displays the packets dropped by firewall rules. It will provide connection details and details of the packets processed by the device. This will help administrators to troubleshoot firewall rules. You can also filter the dropped packets.
You can combine expressions using the logical operators and, or, and not. Enclose the whole combined expression in a single pair of single quotes.
Example
drop-packet-capture 'host 10.10.10.1 and port not 22'
This command doesn't help troubleshoot application-level issues.
Syntax | Description |
---|---|
<text> | BPF (Berkeley Packet Filter) Compatible Packet Filter Expression. |
interface <interface> | Listen on this interface. |
snaplen <20-65535> | Number of bytes to capture. |
How to check packets of the | Syntax | Example |
---|---|---|
Specific host | drop-packet-capture 'host <IP address>' | drop-packet-capture 'host 10.10.10.1' |
Specific source host | drop-packet-capture 'src host <IP address>' | drop-packet-capture 'src host 10.10.10.1' |
Specific destination host | drop-packet-capture 'dst host <IP address>' | drop-packet-capture 'dst host 10.10.10.1' |
Specific network | drop-packet-capture 'net <network address>' | drop-packet-capture 'net 10.10.10.0' |
Specific source network | drop-packet-capture 'src net <network address>' | drop-packet-capture 'src net 10.10.10.0' |
Specific destination network | drop-packet-capture 'dst net <network address>' | drop-packet-capture 'dst net 10.10.10.0' |
Specific port | drop-packet-capture 'port <port number>' | drop-packet-capture 'port 20' |
Two specific ports | drop-packet-capture 'port <port number> or port <port number>' | drop-packet-capture 'port 20 or port 21' |
Specific source port | drop-packet-capture 'src port <port number>' | drop-packet-capture 'src port 21' |
Specific destination port | drop-packet-capture 'dst port <port number>' | drop-packet-capture 'dst port 21' |
Specific host for a specific port | drop-packet-capture 'host <IP address> and port <port number>' | drop-packet-capture 'host 10.10.10.1 and port 21' |
Specific host for all ports except SSH | drop-packet-capture 'host <IP address> and port not <port number>' | drop-packet-capture 'host 10.10.10.1 and port not 22' |
Specific protocol | drop-packet-capture 'proto <protocol>' | |
ARP protocol | drop-packet-capture '<arp protocol>' | drop-packet-capture 'arp' |
Specific interface | drop-packet-capture interface <interface> | drop-packet-capture interface Port1 |
Specific interface and port | drop-packet-capture interface <interface> 'port <port number>' | drop-packet-capture interface Port1 'port 21' |
enableremote
Allows remote SSH connections to Sophos Firewall. The appliance will listen for SSH connections on the specified port and will allow connections from the specified addresses.
Syntax | Description |
---|---|
port number | Ethernet port on the appliance through which a remote SSH can be established. |
serverip ipaddress | Host IP address from which SSH connections to the appliance will be allowed. |
ping
Sends ICMP ECHO_REQUEST packets to IPv4 network hosts and listens for the corresponding ECHO_REPLY.
Syntax | Description |
---|---|
ipaddress | IP Address to be pinged. |
string | Domain to be pinged. |
count number | Send a specific number of packets. Ping will stop after the count number is reached. |
interface interfaceid | Set the interface on Sophos Firewall to send packets from. |
quiet | Display a summary only at start and end of the ping sequence. |
size number | Specifies the length, in bytes of the data field in the echo request messages sent. The default is 32. The maximum size is 65,527. |
sourceip ipaddress | Specifies the source IP address packets will be sent from. |
timeout number | Stop sending packets and exit from ping after specified time is reached. |
ping6
Sends ICMPv6 ECHO_REQUEST packets to IPv6 network hosts and listens for the corresponding ECHO_REPLY.
Syntax | Description |
---|---|
ipaddress6 | IPv6 address to be pinged. |
count number | Send a specific number of packets. Ping will stop after count number is reached. |
interface interfaceid | Set the interface on Sophos Firewall to send packets from. |
quiet | Display a summary only at start and end of the ping sequence. |
size number | Specifies the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data. |
tcpdump
Dumps the packets seen on a network interface. If a filter expression is given, only the packets that match it are shown.
Syntax | Description |
---|---|
text | Packet filter expression. Based on the specified filter, packets are dumped. If no expression is given, all packets are dumped; otherwise only packets for which the expression is true are dumped. The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. Refer to the example table below on writing filter expressions. |
count number | Exit tcpdump after receiving specified number of packets. |
filedump | Tcpdump output can be generated based on criteria required. The output file can be found under /tmp. |
hex | Print each packet (minus its link level header) in hexadecimal notation. |
interface interfaceid | Specifies the interface to listen on. |
llh | View packet contents with ethernet or other layer 2 header information. |
no_time | Do not print a timestamp for each dump line. |
quite | Print less protocol information so that output lines are shorter. |
verbose | Verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum. |
Below you will find some examples of how to use the tcpdump command to view different information.
Note
Expressions can be combined using logical operators AND, OR and NOT. Make sure when using different combinations to encapsulate the full query within single quotes.
How to view traffic of | tcpdump command | Example |
---|---|---|
Specific host | tcpdump 'host <ipaddress>' | tcpdump 'host 10.10.10.1' |
Specific network | tcpdump 'net <network address>' | tcpdump 'net 10.10.10.0' |
Specific source network | tcpdump 'src net <network address>' | tcpdump 'src net 10.10.10.0' |
Specific destination network | tcpdump 'dst net <network address>' | tcpdump 'dst net 10.10.10.0' |
Specific port | tcpdump 'port <portnumber>' | tcpdump 'port 21' |
Specific source port | tcpdump 'src port <port number>' | tcpdump 'src port 21' |
Specific destination port | tcpdump 'dst port <port number>' | tcpdump 'dst port 21' |
Specific host and specific port | tcpdump 'host <ipaddress> and port <port number>' | tcpdump 'host 10.10.10.1 and port 21' |
Specific host and all ports except SSH | tcpdump 'host <ipaddress> and port not <port number>' | tcpdump 'host 10.10.10.1 and port not 22' |
Specific protocol | tcpdump 'proto <protocol name>' | |
Specific interface | tcpdump interface <interface id> | tcpdump interface port2 |
Specific port on a specific interface | tcpdump interface <interface id> 'port <port number>' | tcpdump interface port2 'port 21' |
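As an added example, not part of the Sophos documentation or the product's code, the following Python helper assembles drop-packet-capture and tcpdump console commands according to the rules documented above: host, net, port and proto primitives with an optional src/dst qualifier, combined with and, or and not, the whole expression in one pair of single quotes, and interface and snaplen kept outside the quotes. The command and argument names are the ones on this page; the accepted ranges for ports and snaplen come from the tables above.

```python
import ipaddress

# Added example (not Sophos code): builds the capture command string an
# administrator types at the device console, in the syntax this page documents.
COMMANDS = ("drop-packet-capture", "tcpdump")
DIRECTIONS = ("", "src", "dst")

def primitive(kind, value, direction="", negate=False):
    """Return one validated primitive, e.g. 'src host 10.10.10.1' or 'port not 22'."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be src, dst or empty, got {direction!r}")
    if kind == "host":
        ipaddress.ip_address(str(value))                 # rejects malformed addresses
    elif kind == "net":
        ipaddress.ip_network(str(value), strict=False)   # 10.10.10.0 or 10.10.10.0/24
    elif kind == "port":
        if not 0 <= int(value) <= 65535:
            raise ValueError(f"port out of range: {value}")
    elif kind != "proto":
        raise ValueError(f"unsupported primitive {kind!r}")
    words = (direction, kind, "not" if negate else "", str(value))
    return " ".join(w for w in words if w)

def combine(*terms, op="and"):
    """Join primitives with a logical operator; quoting is added by capture_command."""
    if op not in ("and", "or"):
        raise ValueError(f"operator must be and or or, got {op!r}")
    return f" {op} ".join(terms)

def capture_command(command, expression="", interface=None, snaplen=None):
    """Assemble the full console command: interface and snaplen stay outside the
    quotes, the filter expression goes inside one pair of single quotes."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    parts = [command]
    if interface:
        parts.append(f"interface {interface}")
    if snaplen is not None:
        if command != "drop-packet-capture":
            raise ValueError("snaplen is documented only for drop-packet-capture")
        if not 20 <= snaplen <= 65535:
            raise ValueError("snaplen must be between 20 and 65535")
        parts.append(f"snaplen {snaplen}")
    if expression:
        if "'" in expression:
            raise ValueError("do not quote the expression yourself; it is quoted here")
        parts.append(f"'{expression}'")
    return " ".join(parts)
```

For instance, capture_command("drop-packet-capture", combine(primitive("host", "10.10.10.1"), primitive("port", 22, negate=True))) yields the page's own example, drop-packet-capture 'host 10.10.10.1 and port not 22'.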
telnet
Use telnet to connect to another remote computer. Can be used to check if a system is accepting connections on a specific port. Telnet data is sent in clear text so for admin tasks it is advised to use SSH when possible.
Syntax | Description |
---|---|
ipaddress port number | FQDN, alias or IP address of a remote host followed by the port number to connect to. If no port information is specified then the default telnet port (23) is used. |
telnet6
Use telnet6 to connect via telnet to an IPv6-addressed system.
Syntax | Description |
---|---|
ipv6address port number | FQDN, alias or IPv6 address of a remote host followed by the port number to connect to. If no port information is specified then the default telnet port (23) is used. |
traceroute
Traceroute traces the path packets take from an IPv4 network to the destination system. It uses the IP protocol's time to live (TTL) field and tries to get an ICMP TIME_EXCEEDED response from each gateway along the path to the destination.
Syntax | Description |
---|---|
<ipaddress> | Specifies the destination IP address to trace the route to. |
<string> | Specifies the domain to trace the route to. |
first-ttl | Sets the initial time to live used in the first outgoing packet. |
icmp | Use ICMP ECHO instead of UDP datagrams. |
max-ttl | Specifies the maximum time to live of packets. |
no-frag | Sets the don't fragment bit in the sent packets. |
probes | Probes are sent at each ttl. Default value is 3. |
source | Sets the specified IP address as the source address of sent packets. |
timeout | Sets the timeout in seconds for a response to a probe. Default is 5. |
tos | For IPv4, set the Type of Service (TOS) and Precedence value. Useful values are 16 (low delay) and 8 (high throughput). |
traceroute6
Traceroute6 traces the path packets take from an IPv6 network to the destination system. It uses the IP protocol's time to live (TTL) field and tries to get an ICMP TIME_EXCEEDED response from each gateway along the path to the destination.
Syntax | Description |
---|---|
<ipv6address> | Specifies the destination IPv6 address to trace the route to. |
<string> | Specifies the domain to trace the route to. |
first-ttl | Sets the initial time to live used in the first outgoing packet. |
icmp | Use ICMP ECHO instead of UDP datagrams. |
max-ttl | Specifies the maximum time to live of packets. |
no-frag | Sets the don't fragment bit in the sent packets. |
probes | Probes are sent at each ttl. Default value is 3. |
source | Sets the specified IP address as the source address of sent packets. |
timeout | Sets the timeout in seconds for a response to a probe. Default is 5. |
tos | Sets the type of service. For IPv6, this is referred to as the Traffic Control value. |
show
Enter the following command: show <setting>
Example: show advanced-firewall
You can see the settings for the following configurations:
Syntax | Description |
---|---|
advanced-firewall | Displays the currently configured advanced firewall parameters. For a full explanation of the parameters, refer to set. |
arp-flux | Shows if arp-flux is currently turned on or off. |
| Use the ip2address > ipaddress option to find the country that hosts a specific IP address. Use the list parameter to list the stored IP addresses and the country that hosts them. |
fqdn-host | Displays the configured parameters for: |
http_proxy | Displays the configured parameters for the HTTP proxy. Defaults: |
interface-speed interfaceid | Shows the current network speed over the specified interface. |
interfaces | Shows details of interfaces on the appliance including logical interfaces. |
ips-settings | Displays the currently configured IPS settings and running instances. |
| Lists the IPS signatures, by numeric ID, currently configured. Alert will show signatures configured to alert when triggered. Disable will show the signatures currently disabled. Drop will show the signatures currently configured to drop traffic when triggered. |
ips_conf | Shows the current IPS configuration. |
lag-interface interfaceid | Shows details of the specified LAG interface. |
lanbypass | Shows the current lanbypass configuration. In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning when there's a power failure or hardware malfunction. |
license_status | Shows if the license is active or not and if it's synchronized. |
logs {log file} [lines] {number} | Shows the file's latest logs based on the specified number of lines. |
macaddr interfaceid | Displays the MAC address of the specified interface. |
mtu-mss interfaceid | Shows the currently configured MTU of the specified interface. Default: MTU 1500, MSS 1460. |
| Shows the nat policy settings, enabled or disabled, for the protected application servers. |
network | Shows various configured network parameters according to the filters used. |
on-box-reports | Shows whether on-box reports are turned on or turned off. |
report-disk-usage watermark | Shows the percentage threshold for warning of space usage in the report partition. Default: 70 |
routing policy-based-ipsec-vpn system-generate-traffic | Shows if policy-based IPsec VPN routes for system-generated traffic are turned on or off. Default: |
static-route | Displays all current IPv4 static routes. |
static-route6 | Displays all current IPv6 static routes. |
support_access | Shows if support access is turned on or off. If it's turned on, it shows the access ID and the access duration. |
vpn ipsec-performance | Shows the ipsec-performance settings, such as ipsec_max_workqueue_items and use-resolved-ip-address. |