
advanced-firewall

The advanced-firewall command lets you configure various firewall-related parameters and settings, such as the traffic to inspect, protocol timeout values, and traffic fragmentation.

Command

set advanced-firewall

show advanced-firewall

Syntax

set advanced-firewall
bypass-stateful-firewall-config [add|del] [dest_host|dest_network] {<IP address>|<network IP address>|<netmask>} [source_host|source_network] {<IP address>|<network IP address>|<netmask>}
restrict-admin-console-wan-access [enable|disable]
icmp-error-message [allow|deny]
strict-icmp-tracking [on|off]
tcp-selective-acknowledgement [on|off]
tcp-window-scaling [on|off]
fragmented-traffic [allow|deny]
ipv6-unknown-extension-header [allow|deny]
strict-policy [on|off]
tcp-est-idle-timeout <2700-432000>
tcp-seq-checking [on|off]
udp-timeout <30-3600>
udp-timeout-stream <30-3600>
ftpbounce-prevention [control|data]
midstream-connection-pickup [on|off]
sys-traffic-nat [add|delete] [destination] {<destination IP address>} [interface] {<interface>} [netmask] {<netmask>} [snatip] {<snat IP address>}
tcp-frto [on|off]
tcp-timestamp [on|off]
route-cache [on|off]
ipv6-ready-logo-compliance [on|off]
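The syntax block above is effectively a grammar: each option takes either a keyword from a fixed set, an integer from a stated range, or a small keyword/value structure. The following script, an added example rather than Sophos code, validates `set advanced-firewall` lines against that grammar before they are pasted into the console or pushed by an automation job, so that an out-of-range timeout or a misspelled keyword is caught locally rather than rejected (or silently misapplied) on the device. The enumerations and ranges are copied from the Syntax section and the mandatory `destination`/`snatip` rule from the sys-traffic-nat note; the assumption that `dest_network`/`source_network` take a network IP followed by a netmask as two separate tokens is made here, as is the sample batch of commands.

```python
"""Validate `set advanced-firewall ...` command lines against the option grammar
documented on this page. Added example, not Sophos Firewall code."""
import ipaddress

# Option -> allowed keyword values (copied from the Syntax section).
ENUM_OPTIONS = {
    "restrict-admin-console-wan-access": {"enable", "disable"},
    "icmp-error-message": {"allow", "deny"},
    "strict-icmp-tracking": {"on", "off"},
    "tcp-selective-acknowledgement": {"on", "off"},
    "tcp-window-scaling": {"on", "off"},
    "fragmented-traffic": {"allow", "deny"},
    "ipv6-unknown-extension-header": {"allow", "deny"},
    "strict-policy": {"on", "off"},
    "tcp-seq-checking": {"on", "off"},
    "ftpbounce-prevention": {"control", "data"},
    "midstream-connection-pickup": {"on", "off"},
    "tcp-frto": {"on", "off"},
    "tcp-timestamp": {"on", "off"},
    "route-cache": {"on", "off"},
    "ipv6-ready-logo-compliance": {"on", "off"},
}

# Option -> inclusive integer range in seconds (copied from the Syntax section).
RANGE_OPTIONS = {
    "tcp-est-idle-timeout": (2700, 432000),
    "udp-timeout": (30, 3600),
    "udp-timeout-stream": (30, 3600),
}


def _is_ip(text):
    """True for a syntactically valid IPv4/IPv6 address (also used for dotted masks)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _check_bypass(args):
    """bypass-stateful-firewall-config [add|del] followed by one or more selectors."""
    if not args or args[0] not in ("add", "del"):
        return ["bypass-stateful-firewall-config needs 'add' or 'del' first"]
    rest = args[1:]
    if not rest:
        return ["bypass-stateful-firewall-config needs a dest_* or source_* selector"]
    i = 0
    while i < len(rest):
        kw = rest[i]
        if kw in ("dest_host", "source_host"):
            if i + 1 >= len(rest) or not _is_ip(rest[i + 1]):
                return [f"{kw} needs an IP address"]
            i += 2
        elif kw in ("dest_network", "source_network"):
            # Assumption: network selectors take '<network IP> <netmask>' as two tokens.
            if i + 2 >= len(rest) or not (_is_ip(rest[i + 1]) and _is_ip(rest[i + 2])):
                return [f"{kw} needs a network IP address and a netmask"]
            i += 3
        else:
            return [f"unexpected token {kw!r}"]
    return []


def _check_sys_traffic_nat(args):
    """sys-traffic-nat [add|delete] with keyword/value pairs; destination and snatip are mandatory."""
    if not args or args[0] not in ("add", "delete"):
        return ["sys-traffic-nat needs 'add' or 'delete' first"]
    pairs = args[1:]
    if len(pairs) % 2:
        return ["sys-traffic-nat parameters come as keyword/value pairs"]
    params = dict(zip(pairs[::2], pairs[1::2]))
    problems = [f"unknown sys-traffic-nat parameter {k!r}"
                for k in params if k not in {"destination", "interface", "netmask", "snatip"}]
    for key in ("destination", "snatip"):  # mandatory per the note on this page
        if key not in params:
            problems.append(f"sys-traffic-nat requires {key}")
        elif not _is_ip(params[key]):
            problems.append(f"{key} must be an IP address")
    if "netmask" in params and not _is_ip(params["netmask"]):
        problems.append("netmask must be a dotted-quad mask")
    return problems


def validate(command):
    """Return a list of problems found in one command line; an empty list means it is well-formed."""
    tokens = command.split()
    if tokens[:2] != ["set", "advanced-firewall"] or len(tokens) < 3:
        return ["command must start with 'set advanced-firewall <option>'"]
    option, args = tokens[2], tokens[3:]
    if option in ENUM_OPTIONS:
        if len(args) != 1 or args[0] not in ENUM_OPTIONS[option]:
            return [f"{option} takes exactly one of {sorted(ENUM_OPTIONS[option])}"]
        return []
    if option in RANGE_OPTIONS:
        low, high = RANGE_OPTIONS[option]
        if len(args) != 1 or not args[0].isdigit() or not low <= int(args[0]) <= high:
            return [f"{option} takes an integer in {low}-{high}"]
        return []
    if option == "bypass-stateful-firewall-config":
        return _check_bypass(args)
    if option == "sys-traffic-nat":
        return _check_sys_traffic_nat(args)
    return [f"unknown option {option!r}"]


if __name__ == "__main__":
    # Constructed batch: the page's own two examples plus two deliberately broken lines.
    for line in [
        "set advanced-firewall bypass-stateful-firewall-config add dest_host 192.0.2.2",
        "set advanced-firewall sys-traffic-nat add destination 172.16.16.5 snatip 192.168.2.1",
        "set advanced-firewall tcp-est-idle-timeout 60",
        "set advanced-firewall strict-policy maybe",
    ]:
        print(line, "->", validate(line) or "ok")
```

Run it as a pre-flight step over a change set; any line that returns a non-empty list should be fixed before it reaches the console, since the device's own error messages are less specific than the range and keyword checks here.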

Options

bypass-stateful-firewall-config [add|del] [dest_host|dest_network] {<IP address>|<network IP address>|<netmask>} [source_host|source_network] {<IP address>|<network IP address>|<netmask>}

Bypass stateful inspection for traffic that encounters issues when passing through the firewall, typically because of its specific characteristics or protocols. You can bypass individual hosts or entire networks.

There's no limit to the number of hosts or networks you can bypass from the firewall.

Example

To bypass outbound traffic, you must configure rules to bypass both inbound and outbound traffic. This ensures the entire connection bypasses firewall inspection.

set advanced-firewall bypass-stateful-firewall-config add dest_host 192.0.2.2

set advanced-firewall bypass-stateful-firewall-config add source_host 198.51.100.2

restrict-admin-console-wan-access [enable|disable]

Allow or deny access to the web admin console from all WAN sources.

If you enter enable, access from all WAN sources is turned off, which gives a higher security level. See Best practices.

Default: enable

icmp-error-message [allow|deny]

Allow or deny ICMP error packets, which report problems such as an unreachable network, host, or port, or an unknown destination network or host.

Default: allow

strict-icmp-tracking [on|off]

Allow or drop ICMP reply packets. When you turn it on, the firewall drops all ICMP reply packets.

Default: off

tcp-selective-acknowledgement [on|off]

Turn TCP selective acknowledgment (SACK) on or off. With SACK, the firewall allows the receiver to inform the sender about the specific segments it receives. The sender can then retransmit only the lost and out-of-order segments rather than the entire TCP window, ensuring efficient retransmission.

It minimizes unnecessary retransmissions, reduces latency, and enhances the throughput, ensuring more reliable data transmission.

Default: on

tcp-window-scaling [on|off]

Turn TCP window scaling on or off. When you turn it on, the firewall extends the TCP window size beyond the traditional 16-bit limit (64 KB) to support high-bandwidth networks. Increasing the window size ensures larger data transfers in a single TCP connection, enhancing the throughput and reducing latency.

It also improves flow control by dynamically adjusting the window size to the network capacity, which helps avoid congestion. See RFC1232.

Default: on

fragmented-traffic [allow|deny]

Allow or deny fragmented traffic. IP fragmentation is the process of breaking an IP datagram into smaller packets before transmission and reassembling them at the receiving end. See RFC4459 section 3.1.

Default: allow

ipv6-unknown-extension-header [allow|deny]

Allow or drop IPv6 packets with unknown extension headers.

Default: deny

strict-policy [on|off]

Turn strict policy on or off. When it is turned on, the device drops specific traffic and IP-based attacks against the firewall.

Default: on

tcp-est-idle-timeout <2700-432000>

Set the idle timeout value in seconds for established TCP connections.

Range: 2700 to 432000

tcp-seq-checking [on|off]

Turn TCP sequence checking on or off. Every TCP packet carries a sequence number and an acknowledgment number. Sophos Firewall checks that these numbers fall within a certain window to make sure the packet is part of the session. However, some applications and third-party vendors use non-RFC methods to verify a packet's validity, or send out-of-window packets for other reasons, so a server may send packets with invalid sequence numbers and expect an acknowledgment. In that case, you may want to turn tcp-seq-checking off.

Default: on

udp-timeout <30-3600>

Set the timeout value in seconds for UDP connections that haven't yet been established.

Range: 30 to 3600

udp-timeout-stream <30-3600>

Set the timeout value in seconds for UDP stream connections. A UDP stream is established when two clients send UDP traffic to each other on a specific port across network segments, for example, LAN to WAN.

Range: 30 to 3600

ftpbounce-prevention [control|data]

Prevent FTP bounce attacks on FTP control and data connections. Traffic is considered an FTP bounce attack when a client sends a PORT command to an FTP server that carries a third-party IP address instead of its own IP address.

Default: control

midstream-connection-pickup [on|off]

Turn midstream pickup of TCP connections on or off. Turning it on is useful when deploying Sophos Firewall as a bridge in a live network without any loss of service. You can also use it to handle network behavior caused by peculiar network design and configuration, for example, atypical routing configurations that lead to ICMP redirect messages. By default, the firewall drops all untracked (mid-stream session) TCP connections in both deployment modes.

Default: off

sys-traffic-nat [add|delete] [destination] {<destination IP address>} [interface] {<interface>} [netmask] {<netmask>} [snatip] {<snat IP address>}

Use NAT to hide the IP addresses of the firewall's interfaces for traffic generated by the firewall or change the translated IP address for traffic going to a set destination.

Note

The [destination] {<destination IP address>} and [snatip] {<snat IP address>} parameters are mandatory for this command.

Example

set advanced-firewall sys-traffic-nat add destination 172.16.16.5 snatip 192.168.2.1

tcp-frto [on|off]

Turn forward RTO-Recovery (F-RTO) on or off. F-RTO is an enhanced recovery algorithm for TCP retransmission timeouts. It's particularly beneficial in wireless environments, where packet loss is typically due to random radio interference rather than congestion at intermediate routers. F-RTO is a sender-side modification only, so it doesn't require any support from the peer.

Default: off

tcp-timestamp [on|off]

Turn TCP timestamps on or off. The timestamp is a TCP option used to measure the round-trip time more accurately than the forward RTO-recovery method.

Default: off

route-cache [on|off]

Turn route caching on or off. Route caching lets you load-balance outgoing traffic by destination.

Default: on

ipv6-ready-logo-compliance [on|off]

Turn IPv6 Ready Logo compliance on or off. The IPv6 Ready Logo is a testing program that shows IPv6 is working and ready to use. When you turn it on, the firewall passes the IPv6 Ready Logo tests.

Default: off

show advanced-firewall

Shows the currently configured advanced firewall parameters.