Sophos Firewall CLI commands (part 1)

English translations

This post was translated with the help of a translation tool. Therefore, occasional errors are possible. An error-free version is available in German

This page is also available in: Deutsch (German)

In this article we present some Sophos Firewall CLI commands – for the console and the advanced shell. Feel free to browse through. Maybe you’ll find something new! 😊


The following Sophos Firewall CLI commands for the Advanced Shell and Console are all tested with versions 19.x.x. However, they should work in the same way in version 20+. I will gradually expand the overview.


We accept no liability for problems or damage that may arise from the use of the commands listed here!
In general, the shell and console should only be used by experienced persons. If in doubt, please contact your Sophos partner.

Firewall Console

Check hotfix status

The hotfix status cannot be checked in the WebUI. If you want to check your current hotfix status on the console, enter the following here:

Console – Check hotfix status
system diagnostic show version-info

IP countries review

You want to have the country associated with a certain IP address in order to optimize the rules accordingly? The Console offers an option for this:

Console – IP Country Lookup
show country-host ip2country ipaddress

Advanced Shell


We have written a separate article for tcpdump. Have a look here: Sophos Firewall Cookbook: tcpdump

conntrack with readable time stamp

Unfortunately, conntrack does not offer the possibility to display the timestamps in a readable format. However, this can still be solved with a pipe command.


  • from “-o …” is required for the readable timestamp
  • You can continue to set the parameters in front of it (here -E) according to your requirements
Advanced Shell – readable time stamps in conntrack
conntrack -E -o timestamp | awk -F "[\t]" '{ gsub(/(\[)/,"",$1) ;gsub(/(\])/,"",$1); print strftime("%c",$1) " " $2 }'

conntrack – Parameters and fields

The conntrack tool is very useful for checking open or new connections of the Sophos Firewall. A small documentation on conntrack can be found in an article from Sophos: Sophos Firewall: CLI Troubleshooting Tools

Test SSL connection

You want to test whether the Sophos Firewall itself can establish an SSL connection, or whether the certificate is correct for the connection? The solution is openssl.

Advanced Console – Test SSL connection
openssl s_client -connect

Show detected SFP transceivers

You wanted to know if and which transceiver the Sophos Firewall has recognized in an SFP/SFP+ port. It works with “ethtool”.

Advance Shell – Read detected SFP transceiver
ethtool -m PortF1

Quick change to the console

Everyone will be familiar with this. If you have to jump back and forth between the Advanced Console and the Console frequently, it often becomes annoying. I therefore always recommend going directly to the Advanced Shell. There are two commands here with which you can quickly switch to the console! Exit then takes you back to the Advanced Shell. Super practical! 😊

Advanced Shell – Change to Console
Advanced Shell – Switch to Console menu

CSC Service Debug

The CSC service cannot be set to debug with the familiar “service” command. There is a separate command here. To deactivate, simply enter the command again

Advanced Shell – Activate CSC Debug
csc custom debug

Check whether debug has been set or deactivated:

Advanced Shell – CSC Debug Status Check
cat /log/csc.log | grep Toggling | tail -n 10
MESSAGE Oct 31 10:00:26Z [worker:11599]: Toggling log level to: MAX

MESSAGE   Oct 31 10:04:20Z  [worker:23646]: Toggling log level to: WARNING

bwmon – Interface Bandwidth Monitor

With “bwmon”, the current load per interface can be displayed in the shell.

Advanced Shell – Interface Bandwidth Monitor

Once started, the current load is displayed at 0.5 second intervals. If you press “h” you will get a little help. This explains how to adjust the sampling intervals or the display of the throughput.

showfw – Show versions in firmware slots

showfw displays the firmware versions in the two firmware slots.

Show webadmin port

You have shell access, but don’t know which port the web interface is running on? The configured ports can be found out with a database query.

Advanced Shell – Check Webadmin Port
psql -U nobody -d corporate -c "select destinationport from tbllocalservicedetails WHERE localserviceid =2"

More contributions from us


Leave a Reply

Your email address will not be published. Required fields are marked *

    • Hallo Manfred,

      Freut mich. Ja, der zweite ist in Arbeit. Das wird aber noch ein paar Wochen dauern. Schau einfach regelmäßig vorbei. 😊

WordPress Cookie Plugin by Real Cookie Banner