Troubleshooting Sophos Firewall
Sophos Firewall
FW1515: Getting Started with Troubleshooting Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
In this chapter you will learn the troubleshooting process and the troubleshooting tools that are
provided for Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin
✓ How hosts and services, and profiles are used as the building blocks for configuration of rules and
policies
DURATION
11 minutes
Troubleshooting phases: 1. Define the issue, 2. Root cause analysis, 3. Verification testing.
1. Define the issue: confirm the steps required to reproduce the error or symptom.
In the first phase of troubleshooting – define the issue – you identify the specific symptoms of the
problem and any error messages involved.
You should also confirm the steps required to reproduce the error or symptom you are
troubleshooting.
Once you have defined the issue based on the symptoms or error messages, and confirmed the
steps to replicate it, in the root cause analysis phase you will try to find additional information that
will identify what is causing the issue.
Start by searching the Sophos Knowledgebase and Community for the symptoms or error
identified. If this issue has been seen before, the cause and solution may already be documented,
and this will provide the quickest way to resolve it.
Check the configuration of the affected function, and the log files, to gather additional information.
You may find something in the configuration that can be changed to resolve the issue, or
information in the logs that clearly indicates why the issue is occurring.
You can use troubleshooting tools to further investigate the issue as required. Throughout this
course we will introduce various tools available for investigating issues.
If you are unable to identify the root cause of an issue and resolve it, we recommend that you
contact Sophos Support with a detailed description of the issue, including replication steps and any
errors along with the root cause analysis steps you have taken.
3. Verification testing: complete the steps to resolve the issue.
Once you have determined the probable root cause, you will then perform verification testing. To
do this, you will complete the resolution steps and then follow the steps to reproduce the issue to
confirm it is now resolved.
Troubleshooting access: WebAdmin, or the Console or Advanced Shell (via SSH or the WebAdmin).
The WebAdmin is the primary method of interacting with the Sophos Firewall, and this is no
different when troubleshooting. The WebAdmin can provide access to the logs and tools necessary
to troubleshoot most issues. However, there may be some occasions when you need to use the
Console or Advanced Shell.
The Console and Advanced Shell are accessed through the Sophos Firewall command line interface
(CLI). This can be accessed using SSH (secure shell), but can also be accessed through the
WebAdmin, or by physically connecting a monitor and keyboard to the Sophos Firewall.
The Console is used for running Sophos Firewall specific commands, and the Advanced Shell
provides access to the underlying operating system and so should be used with caution.
Configure the connection options by navigating to SYSTEM > Administration > Device access. Here
you can enable WebAdmin (HTTPS) and CLI (SSH) access per zone.
Alternatively, you can create a local ACL service exception rule to allow access from a specific host
or network. This is recommended when enabling access for devices in the WAN zone.
The local ACL service exception rules override the behaviour of the local service ACL table. So for
our example here, it means that the exception rule can allow traffic without it being selected in the
local service ACL table.
/log/sshd.log:
Jul 08 08:38:44 Accepted publickey for admin from 172.16.16.250 port 50609 ssh2: RSA SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo
SSH access to the CLI can also be secured using public key authentication. To configure this, you
simply need to enable it and add the public keys for the authorized key pairs.
The private key can then be used to authenticate as the built-in admin user. The thumbprint of the
key used to authenticate is logged in /log/sshd.log for auditing purposes.
[Additional Information]
• Supported algorithms: RSA, DSA, ECDSA
• Supported key lengths: 2014, 2048, 4096
Tips
Once you are logged into the CLI you will see a menu of options.
To access the advanced shell, select option 5 and then option 3. Access to the Advanced Shell is
restricted to licensed commercial versions of the product.
Add up to 5 external syslog servers.
Sophos Firewall provides access to real-time logs in the WebAdmin, so you can easily monitor the
impact of changes and troubleshoot issues. Log data can also be reported to external syslog
servers, and there is granular control over which events are logged.
Available on the top right of every page, the Log viewer link opens a new window with the live log
view for Sophos Firewall.
In the default column view the log viewer will display a single log, and you can use the drop-down
menu to select which log is displayed.
You can customize which columns are displayed, selecting up to 20, with time, log component and
action being mandatory.
You can apply structured filters to the logs and perform free text searches. In both cases the
matching terms will be highlighted.
At any time, you can choose to export the data to a CSV file.
By hovering your mouse over the log entry, you can also see more detailed information.
By clicking on data in the logs, context sensitive actions will be displayed. You will always have the
option to filter using the data, either as a structured filter, or free text search. In many cases, you
will also be able to edit rules and policies or create new configuration.
The example here includes the option to create an objectionable custom URL category including
this data, because the request was allowed. If it had been blocked, the option would have been to create an
acceptable custom URL category.
You can switch to the detailed unified log view using the buttons at the top. This view has the same
searching and filtering options as the standard view but can aggregate the logs from multiple
modules.
By default, when you switch to this view, all the logs will be shown. You can use the drop-down
menu to select which modules you want to view the logs for.
When you click the links for firewall rules and policies, the parent WebAdmin window will
automatically navigate to that location, making it quicker and easier to review the relevant
configuration for a log entry.
The packet capture display filter is automatically populated with information from the log entry,
such as the Source IP address. Other display filter settings can be configured as required.
The packet capture listing shows the connection details, and details of the packets processed by
each module, such as firewall and IPS. Show additional properties can be used to add information
and change the order of the columns.
Detailed information for the selected packet can be viewed at the bottom of the page. This
includes header details and entities, including firewall rules and policies.
Packet Capture can also be accessed from the Diagnostics menu, with the same options available.
Those highlighted here can be used to:
• Turn capture on and off.
• Refresh and clear the details of the captured packets.
As well as the display filter there are also filter settings for capturing the packets. These allow you
to configure:
[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/PacketCapture/DiagnosticsPacketCaptureFilterConfigure/index.html
Returning to log files, most of the time you will access them from the WebAdmin using the Log
Viewer.
You may also want to access the raw log data, which can be done using the Advanced Shell.
There are a few useful commands for reading and searching logs.
• tail can be used to monitor a log file as all new entries are written to the screen.
• less can be used to read and search up and down through a log file.
• grep can be used to search a log file and just display the matching lines.
[Additional Information]
Command: tail
Usage: tail -f /log/filename.log
Result: Displays the last few lines of the log, then writes new entries to the screen as they arrive.
Command: less
Usage: less /log/filename.log
Result: Opens the log file so it can be browsed and searched up and down. Use the arrow keys and
Page Up/Page Down to navigate. Press q to quit. To search, type /keyword [Enter]; you can then use n
and p to go to the next and previous match.
Command: grep
Usage: grep keyword /log/filename.log
Result: Displays only the lines of the log file that match the keyword.
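The sshd.log auditing point made earlier and the grep usage above can be combined into a small audit script. This is an added example, not Sophos tooling: it reads constructed /log/sshd.log lines in the format shown on the slide and reports any accepted public-key login whose fingerprint is not in an allow-list; the fingerprints (other than the one from the slide) and the allow-list are constructed.

```shell
#!/bin/sh
# Added example (not part of the Sophos course): audit sshd.log for public-key
# logins by the built-in admin and flag fingerprints not in an allow-list.
# Only grep/awk/wc are used, as would be available in the Advanced Shell.

# Constructed sample log extract (fingerprints other than the first are made up).
SAMPLE_LOG="$(cat <<'EOF'
Jul 08 08:38:44 Accepted publickey for admin from 172.16.16.250 port 50609 ssh2: RSA SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo
Jul 08 09:02:10 Failed publickey for admin from 203.0.113.7 port 41022 ssh2: RSA SHA256:AAAAconstructedUnknownKeyFingerprint000000000
Jul 08 09:15:31 Accepted publickey for admin from 172.16.16.251 port 50711 ssh2: ECDSA SHA256:BBBBconstructedSecondAuthorizedKeyFp00000000
Jul 08 10:40:02 Accepted publickey for admin from 198.51.100.9 port 60001 ssh2: RSA SHA256:CCCCconstructedRogueKeyFingerprint0000000000
EOF
)"

# Allow-list: fingerprints of the key pairs you actually authorized (constructed).
ALLOWED="SHA256:gyFz2fffRfOaVgX9z8i5FYVaS82ycv5UKHhOkjNDJFo
SHA256:BBBBconstructedSecondAuthorizedKeyFp00000000"

# Read log lines on stdin; print "<fingerprint> <source-ip>" for each accepted login.
# In the slide's line format the source IP is field 9 and the fingerprint is the last field.
accepted_logins() {
    grep 'Accepted publickey' | awk '{print $NF, $9}'
}

# Read log lines on stdin; print accepted logins whose fingerprint is not allow-listed.
unexpected_logins() {
    accepted_logins | while read -r fp ip; do
        printf '%s\n' "$ALLOWED" | grep -qxF "$fp" || printf '%s %s\n' "$fp" "$ip"
    done
}

# Read log lines on stdin; count accepted public-key logins (quick sanity check).
count_accepted() {
    accepted_logins | wc -l | tr -d ' '
}

# Run against the constructed extract; on a live system pipe in the real file,
# e.g. cat /log/sshd.log | unexpected_logins
printf '%s\n' "$SAMPLE_LOG" | unexpected_logins
```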
The list of subsystems and the issues they relate to can be found in the notes.
Debug logging can be enabled based on the subsystems of the Sophos Firewall using the
commands shown here.
[Additional Information]
The table shows the subsystems that you can enable debug logging for, and for which types of
issue they are relevant.
Command annotation: name of the service to control; action, which can be debug, status, restart,
reload, stop or start; display response.
You can also enable and disable debug logging per service using the command shown in the notes.
Here are the three main things you learned in this chapter.
Device access must be configured to the WebAdmin, Console and Advanced Shell to allow
troubleshooting.
Log Viewer and raw log data is available to assist with root cause analysis.
Packet capture helps to troubleshoot instances where firewall rules fail, by showing details of the
packets.