
Device console

This page describes the CLI console and the various commands available in the base console.

Warning

If you run an incomplete command, the access_server daemon may stop responding. To resolve the issue, run a file system integrity check using the fsck-on-nextboot command and restart the firewall. See system.

The device console is used to run checks on the system and to view log files for troubleshooting.

When using the command line, the CLI console requires that you use valid syntax and conform to expected input constraints. It will reject invalid commands.

You can see the usage of some CLI commands in the web admin console. See Object usage.

Sophos Firewall has built-in help at the command prompt, so you can look up command syntax without leaving the CLI.

To view the list of available commands go to Option 4 (Device Console) and press Tab. The following is displayed:

clear               ping            telnet
disableremote       ping6           telnet6
dnslookup           set             traceroute
dnslookup6          show            traceroute6
drop-packet-capture system
enableremote        tcpdump

Once you start typing a command, you can press Tab again to view the list of arguments that are supported or required. Example: when you type ping and press Tab, you are presented with the list of parameters that are required or allowed, as shown below:

ping
<ipaddress>    count       quiet       sourceip
<string>       interface   size        timeout

Type the command and then press ? to view the list of arguments supported with descriptions. Example: when you type ping and press ?, all parameters are shown with descriptions.

ping
quiet          display the summary at startup and end
count          Stop after sending count packets
size           Number of data bytes to be sent
timeout        timeout 'in seconds' before ping exits
interface      Bind interface
sourceip       Bind source ipaddress
<ipaddress>    A.B.C.D (0 <= A,B,C,D < 256)
<string>       Alpha-Numeric TEXT with/without quotes

To return to the main menu, type exit.

Below you will find a list of CLI commands and descriptions of their functions.

set

Use set to configure various system parameters. For further information on the available parameters see set.

system

Use system to configure various settings. For further information on the available options see system.

clear

Clears the screen.

disableremote

Disables remote connectivity over SSH, if enabled. By default it is not enabled. The appliance will no longer listen on port 22 for new connections, and existing ones will be terminated. Refer to enableremote to allow remote SSH connections.

dnslookup

Query internet domain name servers to resolve hostnames.

Parameter list and description

Syntax Description
host <ipaddress> Host to be searched, given as an IPv4 address.
host <url> Host to be searched, given as a hostname.
server <ipaddress> [host] Internet name or address of the name server to query.

dnslookup6

Query internet domain name servers to resolve IPv6 hostnames.

Parameter list and description

Syntax Description
host <ipaddress> Host to be searched, given as an IPv6 address.
host <url> Host to be searched, given as a hostname.
server <ipaddress> [host] Internet name or address of the name server to query.

drop-packet-capture

Displays the packets dropped by firewall rules, together with the connection details of each dropped packet, so that you can work out which rule is discarding traffic. The output can be filtered with a BPF expression.

You can combine expressions using the logical operators and, or, and not. Enclose the whole expression in single quotes whenever it contains more than one primitive.

Example

drop-packet-capture 'host 10.10.10.1 and port not 22'

This command doesn't help troubleshoot application-level issues.

Syntax Description
<text> BPF (Berkeley Packet Filter) compatible packet filter expression.
interface <interface> Listen on this interface.
snaplen <20-65535> Number of bytes to capture from each packet.

Packets to capture Syntax Example
Specific host drop-packet-capture 'host <IP address>' drop-packet-capture 'host 10.10.10.1'
Specific source host drop-packet-capture 'src host <IP address>' drop-packet-capture 'src host 10.10.10.1'
Specific destination host drop-packet-capture 'dst host <IP address>' drop-packet-capture 'dst host 10.10.10.1'
Specific network drop-packet-capture 'net <network address>' drop-packet-capture 'net 10.10.10.0'
Specific source network drop-packet-capture 'src net <network address>' drop-packet-capture 'src net 10.10.10.0'
Specific destination network drop-packet-capture 'dst net <network address>' drop-packet-capture 'dst net 10.10.10.0'
Specific port drop-packet-capture 'port <port number>' drop-packet-capture 'port 20'
Two specific ports drop-packet-capture 'port <port number> or port <port number>' drop-packet-capture 'port 20 or port 21'
Specific source port drop-packet-capture 'src port <port number>' drop-packet-capture 'src port 21'
Specific destination port drop-packet-capture 'dst port <port number>' drop-packet-capture 'dst port 21'
Specific host for a specific port drop-packet-capture 'host <IP address> and port <port number>' drop-packet-capture 'host 10.10.10.1 and port 21'
Specific host for all ports except SSH drop-packet-capture 'host <IP address> and port not <port number>' drop-packet-capture 'host 10.10.10.1 and port not 22'
Specific protocol drop-packet-capture 'proto <protocol>' drop-packet-capture 'proto ICMP' / drop-packet-capture 'proto UDP' / drop-packet-capture 'proto TCP'
ARP protocol drop-packet-capture 'arp' drop-packet-capture 'arp'
Specific interface drop-packet-capture interface <interface> drop-packet-capture interface Port1
Specific interface and port drop-packet-capture interface <interface> 'port <port number>' drop-packet-capture interface Port1 'port 21'

enableremote

Allows remote SSH connections to Sophos Firewall. The appliance will listen for SSH connections on the specified port and will allow connections from the specified addresses.

Syntax Description
port number Ethernet port on the appliance through which a remote SSH can be established.
serverip ipaddress Host IP address from which SSH connections to the appliance will be allowed.

ping

Sends ICMP ECHO_REQUEST packets to IPv4 network hosts and listens for the corresponding ECHO_REPLY.

Syntax Description
ipaddress IP Address to be pinged.
string Domain to be pinged.
count number Send a specific number of packets. Ping will stop after the count number is reached.
interface interfaceid Set the interface on Sophos Firewall to send packets from.
quiet Display a summary only at start and end of the ping sequence.
size number Specifies the length, in bytes of the data field in the echo request messages sent. The default is 32. The maximum size is 65,527.
sourceip ipaddress Specifies the source IP address packets will be sent from.
timeout number Stop sending packets and exit from ping after specified time is reached.

ping6

Sends ICMPv6 ECHO_REQUEST packets to IPv6 network hosts and listens for the corresponding ECHO_REPLY.

Syntax Description
ipaddress6 IPv6 address to be pinged.
count number Send a specific number of packets. Ping will stop after count number is reached.
interface interfaceid Set the interface on Sophos Firewall to send packets from.
quiet Display a summary only at start and end of the ping sequence.
size number Specifies the number of data bytes to be sent. The default is 56, which gives a 64-byte ICMPv6 packet once the 8-byte ICMP header is added.

tcpdump

Captures packets on an interface and prints them, optionally restricted by a BPF filter expression. Use it to confirm whether traffic actually arrives at or leaves the firewall.

Syntax Description
text Packet filter expression. Only packets for which the expression is true are dumped; if no expression is given, all packets are dumped. An expression consists of one or more primitives, each usually an id (name or number) preceded by one or more qualifiers. Refer to the example table below for writing filter expressions.
count number Exit tcpdump after receiving the specified number of packets.
filedump Writes the capture output to a file under /tmp instead of displaying it on the console.
hex Print each packet (minus its link level header) in hexadecimal notation.
interface interfaceid Specifies the interface to listen on.
llh View packet contents with ethernet or other layer 2 header information.
no_time Do not print a timestamp for each dump line.
quite Print less protocol information so that output lines are shorter.
verbose Verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

Below you will find some examples of how to use the tcpdump command to view different information.

Note

Expressions can be combined using the logical operators and, or and not. Enclose the whole expression in single quotes whenever it contains more than one primitive. Note also that in BPF syntax a network written as a dotted quad, such as net 10.10.10.0, carries a 255.255.255.255 mask and therefore matches only that single address; to match the subnet, write net 10.10.10.0/24 or the dotted triple net 10.10.10. The same expression syntax applies to drop-packet-capture.

Traffic to view Syntax Example
Specific host tcpdump 'host <ipaddress>' tcpdump 'host 10.10.10.1'
Specific network tcpdump 'net <network address>' tcpdump 'net 10.10.10.0'
Specific source network tcpdump 'src net <network address>' tcpdump 'src net 10.10.10.0'
Specific destination network tcpdump 'dst net <network address>' tcpdump 'dst net 10.10.10.0'
Specific port tcpdump 'port <port number>' tcpdump 'port 21'
Specific source port tcpdump 'src port <port number>' tcpdump 'src port 21'
Specific destination port tcpdump 'dst port <port number>' tcpdump 'dst port 21'
Specific host and specific port tcpdump 'host <ipaddress> and port <port number>' tcpdump 'host 10.10.10.1 and port 21'
Specific host and all ports except SSH tcpdump 'host <ipaddress> and port not <port number>' tcpdump 'host 10.10.10.1 and port not 22'
Specific protocol tcpdump 'proto <protocol name>' tcpdump 'proto ICMP' / tcpdump 'proto UDP'
Specific interface tcpdump interface <interface id> tcpdump interface port2
Specific port on a specific interface tcpdump interface <interface id> 'port <port number>' tcpdump interface port2 'port 21'
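The filter expressions in the drop-packet-capture and tcpdump tables above follow pcap-filter (BPF) syntax, and the console only tells you that an expression is wrong after you have typed it. The following is an added example, not Sophos code: a small evaluator for the subset of that syntax used in both tables (host, net, port with src/dst qualifiers, proto, arp, and the and/or/not operators), so you can check what a filter would match against constructed packets before running a capture. The Packet class, net_of, primitive, Parser and matches are hypothetical helpers, and the net-mask rule in net_of is the one documented for libpcap (a bare dotted quad is a /32 host match).

```python
# Added example (not Sophos code): evaluate the pcap-filter subset used by the
# drop-packet-capture and tcpdump tables against constructed packets.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str        # "tcp", "udp", "icmp" or "arp"
    src: str = ""     # IPv4 addresses as dotted quads; empty for arp
    dst: str = ""
    sport: int = 0
    dport: int = 0


def net_of(text):
    """libpcap 'net' rule: a CIDR is used as given; a bare dotted quad gets
    mask /32 (so 'net 10.10.10.0' is a host match), a triple /24, a pair /16."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    octets = text.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def primitive(kind, direction, value):
    """Predicate for one '[src|dst] host|net|port <value>' primitive."""
    if kind == "host":
        addr = ipaddress.ip_address(value)      # rejects anything but A.B.C.D
        test, fields = (lambda a: bool(a) and ipaddress.ip_address(a) == addr), ("src", "dst")
    elif kind == "net":
        network = net_of(value)
        test, fields = (lambda a: bool(a) and ipaddress.ip_address(a) in network), ("src", "dst")
    else:
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value}")
        test, fields = (lambda p: p == port), ("sport", "dport")
    wanted = {"src": fields[:1], "dst": fields[1:], None: fields}[direction]
    return lambda pkt: any(test(getattr(pkt, f)) for f in wanted)


class Parser:
    """Recursive descent with pcap precedence: not binds tightest, then and, then or."""

    def __init__(self, text):
        self.toks = text.lower().split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("incomplete filter expression")
        self.pos += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "not":
            inner = self.factor()
            return lambda p: not inner(p)
        if tok in ("arp", "tcp", "udp", "icmp"):
            return lambda p, name=tok: p.proto == name
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "proto":
            name = self.take()
            return lambda p, name=name: p.proto == name
        if tok in ("host", "net", "port"):
            negate = self.peek() == "not"       # pcap also accepts 'port not 22'
            if negate:
                self.take()
            pred = primitive(tok, direction, self.take())
            return (lambda p: not pred(p)) if negate else pred
        raise ValueError(f"unknown primitive {tok!r}")


def matches(expression, packet):
    """True if the pcap-style expression selects the packet; raises on bad syntax."""
    parser = Parser(expression)
    node = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return node(packet)
```

Running matches("net 10.10.10.0", pkt) against a packet from 10.10.10.1 returns False, which is the pitfall the net-mask rule describes; matches("net 10.10.10.0/24", pkt) returns True. Invalid input such as a fifth octet or a missing value raises ValueError instead of being silently accepted, mirroring the console's rejection of malformed commands.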

telnet

Opens a TCP connection to a remote host. Use it to check whether a system accepts connections on a specific port. Telnet sends data in clear text, so use SSH for administrative sessions whenever possible.

Syntax Description
ipaddress port number FQDN, alias or IP address of a remote host followed by the port number to connect to. If no port information is specified then the default telnet port (23) is used.

telnet6

Use telnet6 to connect via telnet to a system with an IPv6 address.

Syntax Description
ipv6address port number FQDN, alias or IPv6 address of a remote host followed by the port number to connect to. If no port information is specified then the default telnet port (23) is used.

traceroute

Traceroute traces the path packets take across an IPv4 network to the destination system. It uses the IP header's time to live (TTL) field and tries to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the destination.

Syntax Description
<ipaddress> Specifies the destination IP address to trace the route to.
<string> Specifies the domain to trace the route to.
first-ttl Sets the initial time to live used in the first outgoing packet.
icmp Use ICMP ECHO instead of UDP datagrams.
max-ttl Specifies the maximum time to live of packets.
no-frag Sets the don't fragment bit in the sent packets.
probes Probes are sent at each ttl. Default value is 3.
source Sets the specified IP address as the source address of sent packets.
timeout Sets the timeout in seconds for a response to a probe. Default is 5.
tos For IPv4, set the Type of Service (TOS) and Precedence value. Useful values are 16 (low delay) and 8 (high throughput).

traceroute6

Traceroute6 traces the path packets take across an IPv6 network to the destination system. It uses the IPv6 header's hop limit field (the IPv6 counterpart of the TTL) and tries to elicit an ICMPv6 Time Exceeded response from each gateway along the path to the destination.

Syntax Description
<ipv6address> Specifies the destination IPv6 address to trace the route to.
<string> Specifies the domain to trace the route to.
first-ttl Sets the initial time to live used in the first outgoing packet.
icmp Use ICMP ECHO instead of UDP datagrams.
max-ttl Specifies the maximum time to live of packets.
no-frag Sets the don't fragment bit in the sent packets.
probes Probes are sent at each ttl. Default value is 3.
source Sets the specified IP address as the source address of sent packets.
timeout Sets the timeout in seconds for a response to a probe. Default is 5.
tos Sets the IPv6 Traffic Class value, the IPv6 counterpart of the IPv4 type of service.

show

Enter the following command: show <setting>

Example: show advanced-firewall

You can see the settings for the following configurations:

Syntax Description
advanced-firewall Displays the currently configured advanced firewall parameters. For a full explanation of parameters please refer to set
arp-flux Shows if arp-flux is currently turned on or off.

country-host {ip2country ipaddress | list} Use ip2country <ipaddress> to find the country that hosts a specific IP address. Use list to list the stored IP addresses and the country that hosts each of them.
fqdn-host Displays the configured parameters for cache-ttl, idle-timeout, learn-subdomains and IP eviction.
http_proxy Displays the configured parameters for the HTTP proxy. Defaults:

  • HTTP add_via_header: on
  • HTTP block_proxy_loop: off
  • HTTP captive_portal_x_frame_options: on
  • HTTP core_dump: off
  • HTTP disable_tls_url_categories: off
  • HTTP relay_invalid_http_traffic: off
  • HTTP captive_portal_tlsv1_0: off
  • HTTP captive_portal_tlsv1_1: on
  • HTTP proxy_tlsv1_0: off
  • HTTP proxy_tlsv1_1: on
  • HTTP tlsciphers_server: HIGH:!RC4:!MD5:!aNULL
  • HTTP client_timeout: 60
  • HTTP connect_timeout: 60
  • HTTP response_timeout: 60
  • HTTP tunnel_timeout: 300

Note that proxy_tlsv1_1 and captive_portal_tlsv1_1 default to on. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996), so turn TLS 1.1 off once the clients behind the proxy and captive portal are confirmed to support TLS 1.2.
interface-speed interfaceid Shows the current network speed of the specified interface.
interfaces Shows details of interfaces on the appliance including logical interfaces.
ips-settings Displays the currently configured IPS settings and running instances.

ip-signature {alert | disable | drop} Lists the currently configured IPS signatures by numeric ID. alert shows the signatures configured to alert when triggered, disable shows the signatures currently disabled, and drop shows the signatures configured to drop traffic when triggered.
ips_conf Shows the current IPS configuration.
lag-interface interfaceid Shows details of the specified LAG interface.
lanbypass Shows the current lanbypass configuration. In this mode, one or two pairs of interfaces are bridged, allowing uninterrupted traffic flow without scanning when there's a power failure or hardware malfunction.
license_status Shows if the license is active or not and if it's synchronized.
logs {log file} [lines] {number} Shows the file's latest logs based on the specified number of lines.
macaddr interfaceid Displays the MAC address of the specified interface.
mtu-mss interfaceid Shows the currently configured MTU and MSS of the specified interface. Defaults: MTU 1500, MSS 1460.

nat-policy {application-server | failover | mail-notification} Shows the NAT policy settings, enabled or disabled, for the protected application servers.
network Shows various configured network parameters according to the filters used.
on-box-reports Shows whether on-box reports are turned on or turned off.
report-disk-usage watermark Shows the percentage threshold at which a warning is raised for space usage in the report partition. Default: 70.
routing policy-based-ipsec-vpn system-generate-traffic Shows whether policy-based IPsec VPN routes for system-generated traffic are turned on or off. Default: on.

static-route Displays all current IPv4 static routes.
static-route6 Displays all current IPv6 static routes.
support_access Shows if support access is turned on or off. If it's turned on, it shows the access ID and the access duration.
vpn ipsec-performance Shows the ipsec-performance settings, such as ipsec_max_workqueue_items and use-resolved-ip-address.
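The http_proxy defaults listed under show above include two TLS 1.1 switches that are on by default and an OpenSSL cipher string. The following is an added example, not Sophos code: it parses captured show http_proxy output into a dictionary and flags the settings a reviewer would want tightened. The HTTP <name>: <value> line format is assumed from the defaults list on this page, SAMPLE_OUTPUT is constructed rather than captured from a firewall, and parse_http_proxy, audit and REQUIRED_EXCLUSIONS are hypothetical helper names.

```python
# Added example (not Sophos code): audit the TLS-related lines of
# 'show http_proxy' output.  SAMPLE_OUTPUT is constructed from the defaults
# documented on this page; the exact console formatting is an assumption.
import re

SAMPLE_OUTPUT = """\
HTTP add_via_header: on
HTTP captive_portal_tlsv1_0: off
HTTP captive_portal_tlsv1_1: on
HTTP proxy_tlsv1_0: off
HTTP proxy_tlsv1_1: on
HTTP tlsciphers_server: HIGH:!RC4:!MD5:!aNULL
HTTP client_timeout: 60
"""

LINE = re.compile(r"^HTTP\s+(\S+?):\s*(.*)$")

# OpenSSL cipher-string exclusions a hardened server string should carry.
# HIGH on its own still admits anonymous DH (aNULL) and, on older OpenSSL
# builds, 3DES; eNULL is listed so a later edit cannot admit null encryption.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!RC4", "!MD5", "!3DES")

TLS_SWITCHES = ("proxy_tlsv1_0", "captive_portal_tlsv1_0",
                "proxy_tlsv1_1", "captive_portal_tlsv1_1")


def parse_http_proxy(text):
    """Map setting name -> value for every 'HTTP name: value' line."""
    settings = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means nothing to change."""
    findings = []
    for key in TLS_SWITCHES:
        if settings.get(key, "off") == "on":
            version = "1.0" if key.endswith("1_0") else "1.1"
            findings.append(f"{key} is on: TLS {version} is deprecated by RFC 8996")
    ciphers = settings.get("tlsciphers_server", "").split(":")
    missing = [x for x in REQUIRED_EXCLUSIONS if x not in ciphers]
    if missing:
        findings.append("tlsciphers_server is missing " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_http_proxy(SAMPLE_OUTPUT)):
        print(finding)
```

With the documented defaults the audit reports the two TLS 1.1 switches and the absent !eNULL and !3DES exclusions; a string such as HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES with both TLS 1.1 switches off produces no findings.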
