
Getting Started with

Troubleshooting Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1515: Getting Started with Troubleshooting Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Troubleshooting Sophos Firewall 19.0v1.0 - 1


Getting Started with Troubleshooting Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing the Sophos Firewall using the WebAdmin
✓ How hosts and services, and profiles are used as the building blocks for configuration of rules and
policies

DURATION: 11 minutes

In this chapter you will learn the troubleshooting process and the troubleshooting tools that are
provided for Sophos Firewall.



Overview of the Troubleshooting Process

[Slide: 1 Define (Define the issue); 2 Analyze (Root cause analysis); 3 Verify (Verification testing)]

Effective troubleshooting is an important part of firewall management.

The troubleshooting process has three phases:

• Define the issue.
• Root cause analysis.
• Verification testing.

Let’s look at the three phases in a little more detail.



Define the Issue (Phase 1: Define)

• Identify the specific symptoms of the problem
• Identify any error messages related to the problem
• Confirm the steps required to reproduce the error or symptom

In the first phase of troubleshooting – define the issue – you identify the specific symptoms of the
problem and any error messages involved.

You should also confirm the steps required to reproduce the error or symptom you are
troubleshooting.



Root Cause Analysis (Phase 2: Analyze)

• Search the Sophos Knowledgebase and Community for the symptoms or error identified
• Check the configuration of the affected function and the log files for additional information
• Use troubleshooting tools for further investigation as required

Once you have defined the issue based on the symptoms or error messages, and confirmed the
steps to replicate it, in the root cause analysis phase you will try to find additional information that
will identify what is causing the issue.

Start by searching the Sophos Knowledgebase and Community for the symptoms or error
identified. If this issue has been seen before, the cause and solution may already be documented,
and this will provide the quickest way to resolve it.

Check the configuration of the affected function, and the log files, to gather additional information.
You may find something in the configuration that can be changed to resolve the issue, or
information in the logs that clearly indicates why the issue is occurring.

You can use troubleshooting tools to further investigate the issue as required. Throughout this
course we will introduce various tools available for investigating issues.

If you are unable to identify the root cause of an issue and resolve it, we recommend that you
contact Sophos Support with a detailed description of the issue, including replication steps and any
errors along with the root cause analysis steps you have taken.



Verification Testing (Phase 3: Verify)

• Complete the steps to resolve the issue
• Follow the steps to reproduce the issue to confirm it is now resolved

Once you have determined the probable root cause, you will then perform verification testing. To
do this, you will complete the resolution steps and then follow the steps to reproduce the issue to
confirm it is now resolved.



Device Access for Troubleshooting

[Slide: WebAdmin; Console or Advanced Shell, reached over SSH, through the WebAdmin, or by a physical connection]

The WebAdmin is the primary method of interacting with the Sophos Firewall, and this is no
different when troubleshooting. The WebAdmin can provide access to the logs and tools necessary
to troubleshoot most issues. However, there may be some occasions when you need to use the
Console or Advanced Shell.

The Console and Advanced Shell are accessed through the Sophos Firewall command line interface
(CLI). This can be accessed using SSH (secure shell), but can also be accessed through the
WebAdmin, or by physically connecting a monitor and keyboard to the Sophos Firewall.

The Console is used for running Sophos Firewall specific commands, and the Advanced Shell
provides access to the underlying operating system and so should be used with caution.



Device Access
SYSTEM > Administration > Device access

[Slide: Local service ACL (WebAdmin, CLI); Local ACL service exception rule]

Configure the connection options by navigating to SYSTEM > Administration > Device access. Here
you can enable WebAdmin (HTTPS) and CLI (SSH) access per zone.

Alternatively, you can create a local ACL service exception rule to allow access from a specific host
or network. This is recommended when enabling access for devices in the WAN zone.

The local ACL service exception rules override the behaviour of the local service ACL table. So for
our example here, it means that the exception rule can allow traffic without it being selected in the
local service ACL table.



Public Key Authentication for SSH (additional information in the notes)

/log/sshd.log
Jul 08 08:38:44 Accepted publickey for admin from 172.16.16.250 port 50609 ssh2: RSA SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo

SSH access to the CLI can also be secured using public key authentication. To configure this, you
simply need to enable it and add the public keys for the authorized key pairs.

The private key can then be used to authenticate as the built-in admin user. The thumbprint of the
key used to authenticate is logged in /log/sshd.log for auditing purposes.

[Additional Information]
• Supported algorithms: RSA, DSA, ECDSA
• Supported key lengths: 2014, 2048, 4096
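Because the thumbprint of the key used to log in is written to /log/sshd.log, those records can be checked against the keys that are supposed to be authorized and against the networks that administrators normally connect from. The following Python script is an added example; it is not part of this course and not Sophos Firewall code. It parses "Accepted publickey" lines in the format shown in the excerpt above and flags logins whose fingerprint is not on an expected list or whose source address lies outside the expected management networks. Apart from the first log line (the one on the slide), the sample lines, the second fingerprint and the 172.16.16.0/24 management network are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches the "Accepted publickey" line format shown in the /log/sshd.log excerpt
# on the slide. Other sshd lines (connection closed, failures, ...) are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Accepted publickey for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fingerprint>SHA256:\S+)$"
)


@dataclass(frozen=True)
class KeyLogin:
    ts: str
    user: str
    src: str
    port: int
    keytype: str
    fingerprint: str


def parse_accepted_publickey(line):
    """Return a KeyLogin for an 'Accepted publickey' line, or None for any other line."""
    m = ACCEPTED_RE.match(line.strip())
    if m is None:
        return None
    return KeyLogin(m["ts"], m["user"], m["src"], int(m["port"]),
                    m["keytype"], m["fingerprint"])


def audit_key_logins(log_lines, authorized_fingerprints, management_networks):
    """Flag key-based logins that used an unexpected key or came from an unexpected network.

    Returns a list of (KeyLogin, [reason, ...]) for every login that needs a closer look.
    """
    networks = [ipaddress.ip_network(n) for n in management_networks]
    findings = []
    for line in log_lines:
        login = parse_accepted_publickey(line)
        if login is None:
            continue
        reasons = []
        if login.fingerprint not in authorized_fingerprints:
            reasons.append("fingerprint not in the authorized key list")
        if not any(ipaddress.ip_address(login.src) in net for net in networks):
            reasons.append("source address outside the management networks")
        if reasons:
            findings.append((login, reasons))
    return findings


# Constructed sample log. The first line is the one shown on the slide; the
# others, the second fingerprint and the 203.0.113.7 source are made up.
SAMPLE_SSHD_LOG = [
    "Jul 08 08:38:44 Accepted publickey for admin from 172.16.16.250 port 50609 ssh2: "
    "RSA SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo",
    "Jul 08 08:40:01 Connection closed by 172.16.16.250 port 50609",
    "Jul 08 09:12:07 Accepted publickey for admin from 172.16.16.251 port 50822 ssh2: "
    "ECDSA SHA256:CONSTRUCTEDfingerprintNOTonTHEauthorizedLIST000000",
    "Jul 08 22:03:15 Accepted publickey for admin from 203.0.113.7 port 41022 ssh2: "
    "RSA SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo",
]

AUTHORIZED = {"SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo"}
MANAGEMENT_NETWORKS = ["172.16.16.0/24"]   # constructed for the example


if __name__ == "__main__":
    for login, reasons in audit_key_logins(SAMPLE_SSHD_LOG, AUTHORIZED, MANAGEMENT_NETWORKS):
        print(f"{login.ts} {login.user}@{login.src} {login.keytype} {login.fingerprint}: "
              + "; ".join(reasons))
```

Run against the real file, the script would be fed the output of grep "Accepted publickey" /log/sshd.log; the authorized set should be the fingerprints of exactly the public keys added under the device access settings, so that any other key that authenticates as admin stands out.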



Accessing the Console and Advanced Shell

Tips
• When you are in the Advanced Shell you can run the command cish to start a Console session.
• You can end your Console or Advanced Shell session and return to the menu by running exit or
pressing Ctrl + D.

Once you are logged into the CLI you will see a menu of options.

Option 4 can be used to access the device console.

To access the advanced shell, select option 5 and then option 3. Access to the Advanced Shell is
restricted to licensed commercial versions of the product.



Logging

• Access to real-time logs using the log viewer
• Add up to 5 external syslog servers
• Manage which events are logged

Sophos Firewall provides access to real-time logs in the WebAdmin, so you can easily monitor the
impact of changes and troubleshoot issues. Log data can also be reported to external syslog
servers, and there is granular control over which events are logged.



Log Viewer

[Slide: Select log; Customize columns]

Available on the top right of every page, the Log viewer link opens a new window with the live log
view for Sophos Firewall.

In the default column view the log viewer will display a single log, and you can use the drop-down
menu to select which log is displayed.

You can customize which columns are displayed, selecting up to 20, with time, log component and
action being mandatory.



Log Viewer

[Slide: Export data to a CSV file; Free text search; Apply structured filters]

You can apply structured filters to the logs and perform free text searches. In both cases the
matching terms will be highlighted.

At any time, you can choose to export the data to a CSV file.



Log Viewer

[Slide: Hover to see more detailed information]

By hovering your mouse over the log entry, you can also see more detailed information.



Log Viewer

By clicking on data in the logs, context sensitive actions will be displayed. You will always have the
option to filter using the data, either as a structured filter, or free text search. In many cases, you
will also be able to edit rules and policies or create new configuration.

The example here includes the option to create an objectionable custom URL category including
this data, because it was allowed. If it had been blocked, the option would have been to create an
acceptable custom URL category.



Log Viewer

[Slide: Switch between column and unified log view; Select multiple logs]

You can switch to the detailed unified log view using the buttons at the top. This view has the same
searching and filtering options as the standard view but can aggregate the logs from multiple
modules.

By default, when you switch to this view, all the logs will be shown. You can use the drop-down
menu to select which modules you want to view the logs for.

When you click the links for firewall rules and policies, the parent WebAdmin window will
automatically navigate to that location, making it quicker and easier to review the relevant
configuration for a log entry.



Live PCAP

[Slide: Open Live Packet Capture]

Each log entry has a link to open live Packet Capture.



Packet Capture Display Filter

The packet capture display filter is automatically populated with information from the log entry,
such as the Source IP address. Other display filter settings can be configured as required.



Packet Capture Listing

[Slide: Show additional properties]

The packet capture listing shows the connection details, and details of the packets processed by
each module, such as firewall and IPS. Show additional properties can be used to add information
and change the order of the columns.



Detailed Packet Information

Detailed information for the selected packet can be viewed at the bottom of the page. This
includes header details and entities, including firewall rules and policies.

Packet information is also available in Hex & ASCII values.



Diagnostics: Packet Capture

[Slide: Show additional properties; Refresh / Clear details of captured packets]

Packet Capture can also be accessed from the Diagnostics menu, with the same options available.
Those highlighted here can be used to:
• Turn capture on and off.
• Refresh and clear the details of the captured packets.



Capture Filter (additional information in the notes)

host 192.168.1.2 and port 137

As well as the display filter there are also filter settings for capturing the packets. These allow you
to configure:

• The number of bytes to capture (per packet).
• Wrap capture buffer once full, which allows you to continue capturing packets even after the
buffer is full.
• A Berkeley Packet Filter (BPF) string, which is protocol-independent, and uses a filter-before-buffering
approach, for example, host 192.168.1.2 and port 137.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/PacketCapture/DiagnosticsPacketCaptureFilterConfigure/index.html
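To make the difference between a capture filter and a display filter concrete, and to show what "wrap capture buffer once full" changes, the following Python script is an added example; it is not part of this course and not the firewall's own capture engine or BPF parser. It compiles a small subset of BPF syntax (host, net and port, each with an optional src or dst, the protocol names tcp, udp and icmp, and not, and, or with parentheses) into a predicate that is applied before a packet is stored, and models a capture buffer that either stops or wraps when it is full. The packet records and the traffic in SAMPLE_PACKETS are constructed for the example.

```python
import ipaddress
from collections import deque, namedtuple

# Constructed packet summary: the fields a capture filter is evaluated against.
Packet = namedtuple("Packet", "proto src sport dst dport")


def parse_capture_filter(expr):
    """Compile a BPF subset ([src|dst] host/net/port, tcp/udp/icmp, not/and/or,
    parentheses) into a predicate Packet -> bool. Not the firewall's own parser."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]          # IndexError on a truncated filter

    def either_side(direction, src_attr, dst_attr, test):
        # Without src/dst a primitive matches if either end of the packet matches.
        return lambda p: ((direction != "dst" and test(getattr(p, src_attr)))
                          or (direction != "src" and test(getattr(p, dst_attr))))

    def primitive():
        tok = take()
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok in ("tcp", "udp", "icmp"):
            return lambda p, proto=tok: p.proto == proto
        if tok == "host":
            ip = take()
            return either_side(direction, "src", "dst", lambda v: v == ip)
        if tok == "net":
            net = ipaddress.ip_network(take(), strict=False)
            return either_side(direction, "src", "dst", lambda v: ipaddress.ip_address(v) in net)
        if tok == "port":
            port = int(take())
            return either_side(direction, "sport", "dport", lambda v: v == port)
        raise ValueError(f"unsupported filter primitive: {tok}")

    def factor():
        if peek() == "not":
            take()
            inner = factor()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = disjunction()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        return primitive()

    def conjunction():
        left = factor()
        while peek() == "and":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, factor())
        return left

    def disjunction():
        left = conjunction()
        while peek() == "or":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, conjunction())
        return left

    pred = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter: " + " ".join(tokens[pos:]))
    return pred


def run_capture(packets, capture_filter, max_packets, wrap):
    """Filter before buffering; return (kept_packets, dropped_count). wrap=False keeps
    the first max_packets matches and drops later ones; wrap=True overwrites the oldest."""
    match = parse_capture_filter(capture_filter)
    buffer = deque(maxlen=max_packets)
    dropped = 0
    for pkt in packets:
        if not match(pkt):
            continue                        # filtered out; never reaches the buffer
        if len(buffer) == max_packets and not wrap:
            dropped += 1                    # buffer full and wrapping disabled
            continue
        buffer.append(pkt)                  # with wrap=True deque evicts the oldest
    return list(buffer), dropped


# Constructed traffic: NetBIOS name queries, HTTPS, SSH and DNS.
SAMPLE_PACKETS = [
    Packet("udp", "192.168.1.2", 137, "192.168.1.255", 137),
    Packet("tcp", "192.168.1.2", 51000, "203.0.113.10", 443),
    Packet("tcp", "10.0.0.5", 50000, "192.168.1.2", 22),
    Packet("udp", "192.168.1.50", 40000, "192.168.1.1", 53),
    Packet("udp", "192.168.1.2", 137, "192.168.1.20", 137),
    Packet("tcp", "192.168.1.2", 51001, "203.0.113.10", 443),
]
```

Calling run_capture(SAMPLE_PACKETS, "host 192.168.1.2 and port 137", 100, False) keeps only the two NetBIOS packets, which is why a tight capture filter keeps the buffer from filling with unrelated traffic. With max_packets=3 and the broader filter "host 192.168.1.2", wrap=False stops after the first three matches and counts the rest as dropped, while wrap=True returns the three most recent matches instead; the display filter is then applied to whatever ended up in the buffer.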



Log Files (additional information in the notes)

Returning to log files, most of the time you will access log files from the WebAdmin using the Log
Viewer.

You may also want to access the raw log data; this can be done using the Advanced Shell.

The logs are located in /log.

There are a few useful commands for reading and searching logs.
• tail can be used to monitor a log file as all new entries are written to the screen.
• less can be used to read and search up and down through a log file.
• grep can be used to search a log file and just display the matching lines.

[Additional Information]

Command: tail
Usage: tail -f /log/filename.log
Result: Displays the last few lines of the log, then writes new entries to the screen.

Command: less
Usage: less /log/filename.log
Result: Opens the log file so it can be browsed and searched up and down. Use the arrow keys and page
up/down to navigate. Press q to quit. To search, type /keyword [Enter]. You can then use n
and p to go to the next and previous match.

Command: grep
Usage: grep keyword /log/filename.log
Result: Displays the lines in the log file that contain the keyword. You can also use -i to
make the search case insensitive. Use -R and pass a folder to search all files in the
folder and its subfolders. Can be combined with tail to filter the output of a log file, for
example: tail -f /log/filename.log | grep -i keyword


Debug Logging (additional information in the notes)

• Enable debug logging based on subsystem
• Console commands:
  console> system diagnostics subsystems <subsystem> debug on
  console> system diagnostics subsystems <subsystem> debug off

The list of subsystems and the issues they relate to can be found in the notes.

Debug logging can be enabled based on the subsystems of the Sophos Firewall using the
commands shown here.

[Additional Information]

• console> system diagnostics subsystems <subsystem> debug on
• console> system diagnostics subsystems <subsystem> debug off

The table shows the subsystems that you can enable debug logging for, and for which types of
issue they are relevant.

Subsystem              For issues related to…
Access-Server          Authentication
Bwm                    Bandwidth management
CSC                    System configuration
IPSEngine              Intrusion prevention
LoggingDaemon          Logging
MTA                    SMTP scanning (MTA mode)
Msyncd                 High availability
POPIMAPDaemon          POP & IMAP
Pktcapd                Packet Capture in WebAdmin
SMTPD                  SMTP scanning (Legacy mode)
SSLVPN / SSLVPN-RPD    SSL VPN related issues
WebProxy               Content filtering



Controlling Services from the Advanced Shell

service -S                               List services and their current state
service awarrenhttp:debug -d -s nosync   Enable or disable debug logging for the awarrenhttp service

[Slide: annotation of the second command. service <name of the service to control>:<action> -d -s <sync|nosync>,
where the action can be debug, status, restart, reload, stop or start; -d displays the response; -s (compulsory)
syncs the command to the other HA device and can be sync or nosync.]

Services can be individually controlled using the Advanced Shell.

service -S is used to list all services and their current state.

You can also enable and disable debug logging per service using the command shown in the notes.

The -d (display) and -s (sync) switches are usually combined: service awarrenhttp:debug -ds nosync

[Additional Information]

service <name of service>:debug -d -s nosync



Chapter Review

Here are the three main things you learned in this chapter.

Device access must be configured to the WebAdmin, Console and Advanced Shell to allow
troubleshooting.

Log Viewer and raw log data is available to assist with root cause analysis.

Packet capture helps to troubleshoot instances where firewall rules fail, by showing details of the
packets.
