If you manage a Sophos Firewall in a production environment, the graphical interface is only part of the administration toolkit. While the web console simplifies day-to-day configuration, experienced firewall administrators know that the command-line interface (CLI) remains indispensable for troubleshooting, diagnostics, maintenance, and advanced system operations.
Whether you’re investigating a VPN outage, validating routing behavior, collecting packet captures, monitoring system resources, or performing advanced diagnostics, the Sophos Firewall CLI provides direct access to information that is often unavailable—or less efficient to obtain—from the graphical interface.
This comprehensive guide covers 75 essential Sophos CLI commands organized by real-world administrative tasks. Rather than presenting a simple command list, each command includes its purpose, syntax, practical example, recommended use cases, and operational considerations. Throughout the guide, you’ll also learn troubleshooting methodologies, security best practices, and operational workflows used by enterprise network engineers, managed service providers (MSPs), and security operations teams.
The examples are applicable to modern Sophos Firewall deployments running recent versions of Sophos Firewall OS (SFOS) and are designed to help administrators build confidence when working in production environments.
Quick Answer: What Is the Sophos Firewall CLI?
The Sophos Firewall Command-Line Interface (CLI) is a text-based management environment that allows administrators to configure, monitor, troubleshoot, and maintain Sophos Firewall appliances using console or SSH access. It provides access to diagnostic tools, system information, networking utilities, packet capture, VPN troubleshooting, routing verification, high availability management, and advanced Linux shell capabilities that complement the graphical user interface.
Why Learning the CLI Still Matters
Modern firewalls have evolved far beyond simple packet filtering devices. Today’s enterprise firewalls perform:
- Stateful inspection
- Deep packet inspection (DPI)
- Intrusion Prevention System (IPS)
- SSL/TLS inspection
- SD-WAN path selection
- Web filtering
- Application control
- Zero Trust enforcement
- Site-to-site VPN
- Remote access VPN
- High Availability (HA)
- Identity-aware firewall policies
Consequently, troubleshooting has also become significantly more complex. A web dashboard may indicate that traffic is blocked, but the CLI often reveals why it is blocked by exposing routing decisions, session information, kernel statistics, packet captures, and daemon logs.
For experienced administrators, the CLI is not a replacement for the GUI—it is the fastest path to understanding how the firewall is behaving internally.
What Is Sophos Firewall CLI?
The Sophos Firewall CLI is an interactive command environment that provides administrative access to the operating system and firewall services. It enables administrators to inspect configurations, verify network behavior, diagnose problems, collect debugging information, and perform maintenance tasks.
Unlike many traditional Linux distributions, Sophos Firewall provides a structured CLI with menu-driven administration as well as advanced shell access for diagnostic operations.
Primary CLI Capabilities
The CLI enables administrators to:
- Display system information
- Monitor CPU and memory utilization
- Review interface status
- Verify routing tables
- Check DNS resolution
- Test network connectivity
- Diagnose VPN tunnels
- Inspect firewall sessions
- Capture packets
- View system logs
- Monitor HA synchronization
- Restart services when required
- Perform advanced troubleshooting
Because these capabilities operate independently of the web interface, administrators can continue diagnosing issues even when the GUI becomes unavailable.
Sophos Firewall CLI vs GUI
Although both interfaces manage the same appliance, they serve different operational purposes.
| Feature | Web GUI | CLI |
|---|---|---|
| Initial deployment | Excellent | Limited |
| Firewall policy management | Excellent | Limited |
| VPN configuration | Excellent | Limited |
| Monitoring | Good | Excellent |
| Troubleshooting | Moderate | Excellent |
| Packet capture | Basic | Advanced |
| Performance analysis | Moderate | Excellent |
| Routing verification | Moderate | Excellent |
| Debugging | Limited | Excellent |
| Service diagnostics | Limited | Excellent |
When Should You Use the CLI?
The CLI becomes particularly valuable in situations such as:
- VPN tunnels refuse to establish.
- Internet access suddenly stops.
- Dynamic routing behaves unexpectedly.
- High Availability fails over unexpectedly.
- CPU utilization spikes.
- Memory usage remains unusually high.
- DNS resolution fails.
- Packet forwarding appears inconsistent.
- Session tables require inspection.
- The graphical interface becomes inaccessible.
In practice, experienced engineers often begin with the GUI to obtain a high-level view before moving to the CLI for detailed analysis.
Methods to Access the Sophos Firewall CLI
Sophos Firewall supports multiple management methods depending on the deployment scenario.
SSH Access
SSH is the preferred method for remote administration.
Typical workflow:
- Enable SSH administration.
- Verify management access rules.
- Connect using an SSH client.
- Authenticate with administrator credentials.
SSH provides encrypted remote access and is suitable for production environments.
Console Access
Console access is useful when:
- Initial deployment is being performed.
- Network connectivity is unavailable.
- Administrator credentials require recovery.
- Major troubleshooting is necessary.
Console access is commonly performed through:
- Physical console cable
- Hypervisor console
- Remote KVM
- Virtual machine console
Web Administration Terminal
Some maintenance tasks can also be initiated from the web administration environment, although full diagnostic capabilities are generally available only through the CLI.
Understanding Sophos Firewall CLI Modes
One aspect that distinguishes Sophos Firewall from many other enterprise firewalls is its layered command environment.
Administrators typically interact with three operational levels.
Console Menu
The default CLI presents a menu-driven interface that simplifies common administrative tasks.
Typical functions include:
- Network configuration
- Password management
- Firmware management
- Appliance reboot
- Factory reset
- Backup operations
- Diagnostics
This interface is particularly useful for junior administrators or emergency recovery scenarios.
Advanced CLI
Advanced CLI mode provides access to operational commands that expose firewall status, interfaces, routing, VPN information, logs, and diagnostic utilities.
This is where administrators spend most of their troubleshooting time.
Expert Mode
Expert Mode provides controlled Linux shell access.
This environment is intended primarily for advanced diagnostics rather than routine configuration.
Typical activities include:
- Advanced packet capture
- Process monitoring
- Log analysis
- Linux networking tools
- File inspection
- Temporary troubleshooting
Because Expert Mode exposes the underlying operating system, administrators should exercise caution and avoid making unsupported modifications.
Best Practices Before Running CLI Commands
Working directly from the command line offers tremendous flexibility, but production firewalls require disciplined operational practices.
Verify Administrative Access
Before beginning troubleshooting:
- Confirm administrator privileges.
- Use named administrator accounts.
- Avoid shared credentials.
- Record administrative sessions whenever possible.
Know the Production Environment
Understand:
- Interface naming conventions
- Routing topology
- VLAN assignments
- VPN architecture
- HA design
- SD-WAN policies
Without architectural awareness, command output may be misleading.
Collect Baseline Information
Before making changes, document:
- Current CPU usage
- Memory utilization
- Interface status
- Active sessions
- VPN status
- Routing table
A baseline simplifies post-change verification.
Avoid Unsupported Changes
Expert Mode should primarily be used for observation and diagnostics.
Direct modifications to the underlying operating system may:
- Be overwritten during upgrades
- Break vendor support
- Cause configuration inconsistencies
- Affect firewall stability
Schedule Maintenance Windows
Whenever commands could interrupt production traffic, perform maintenance during approved change windows and ensure rollback procedures are available.
The 75 Essential Sophos CLI Commands
The commands in this guide are grouped into logical administrative categories to reflect how firewall engineers troubleshoot production environments.
The first section focuses on foundational system and networking commands that every Sophos administrator should master.
Category 1: System Information Commands
Command 1: Display System Version
Purpose
Displays the installed Sophos Firewall OS version and software build.
Syntax
system diagnostics show version-info Example
system diagnostics show version-info When to Use
- Confirm firmware version
- Validate upgrade success
- Troubleshoot version-specific issues
- Open vendor support cases
Command 2: Display Appliance Information
Purpose
Shows hardware model and appliance details.
Syntax
system diagnostics show appliance-info Example
system diagnostics show appliance-info Common Uses
- Inventory validation
- Hardware verification
- Support documentation
Command 3: Display System Uptime
Purpose
Verifies how long the firewall has been running since the last reboot.
Syntax
system diagnostics show uptime Example
system diagnostics show uptime Practical Scenario
Unexpected uptime resets often indicate power failures, watchdog reboots, or system instability.
Command 4: Display Current Date and Time
Purpose
Confirms system clock synchronization.
Syntax
date Example
date Accurate system time is essential for:
- VPN authentication
- Certificate validation
- Syslog correlation
- Security investigations
Command 5: Display Hostname
Purpose
Shows the configured appliance hostname.
Syntax
hostname Example
hostname Administrators commonly verify this information before making changes in environments containing multiple firewalls.
Category 2: Resource Monitoring Commands
Command 6: Display CPU Utilization
Purpose
Shows current processor utilization.
Syntax
top Example
top Typical Uses
- Investigate performance degradation
- Detect excessive IPS activity
- Monitor traffic spikes
- Validate firewall health
Command 7: Display Memory Usage
Purpose
Displays RAM utilization.
Syntax
free -h Example
free -h High memory consumption over extended periods may indicate abnormal application behavior or unusually high session counts.
Command 8: Display Running Processes
Purpose
Lists currently running processes.
Syntax
ps aux Example
ps aux Useful when identifying resource-intensive services or confirming daemon operation.
Category 3: Network Interface Commands
Command 9: Display Interface Status
Purpose
Displays interface operational state.
Syntax
ifconfig Example
ifconfig Common Uses
- Verify link status
- Confirm assigned IP addresses
- Validate MTU settings
- Check interface statistics
Command 10: Display IP Address Configuration
Syntax
ip addr show Example
ip addr show This command provides a concise view of interface addressing, making it useful when validating new deployments or troubleshooting connectivity.
Command 11: Display Interface Statistics
Syntax
ip -s link Example
ip -s link Administrators often review packet counters, errors, drops, and collisions to identify physical or logical interface issues.
Category 4: Connectivity Testing Commands
Command 12: Ping Remote Host
Purpose
Tests basic IP connectivity.
Syntax
ping <destination> Example
ping 8.8.8.8 Best Practice
Always test both:
- Public IP addresses
- Internal gateways
This helps distinguish routing issues from DNS problems.
Command 13: Trace Network Path
Syntax
traceroute <destination> Example
traceroute 8.8.8.8 Traceroute helps determine where packets stop traversing the network and is invaluable during WAN and ISP troubleshooting.
Command 14: Test DNS Resolution
Syntax
nslookup example.com Example
nslookup example.com If this command fails while pinging an IP address succeeds, the issue is likely related to DNS configuration rather than IP connectivity.
Command 15: Verify Default Gateway Reachability
Syntax
ping <gateway-ip> Example
ping 192.168.1.1 This simple test is often the quickest way to determine whether the firewall can communicate with its next-hop router.
Category 5: Routing Commands
Understanding how the firewall makes forwarding decisions is one of the most important troubleshooting skills for any network engineer. Even when firewall policies are configured correctly, an incorrect routing table or policy route can prevent traffic from reaching its destination. Consequently, routing verification should always be part of your troubleshooting workflow.
Command 16: Display the Routing Table
Purpose
Displays all active routes installed in the firewall.
Syntax
ip route show Example
ip route show When to Use
- Verify static routes
- Confirm dynamic routing advertisements
- Troubleshoot asymmetric routing
- Validate default gateway configuration
Expected Output
The command displays:
- Default route
- Connected networks
- Static routes
- Learned routes
- Route metrics
- Next-hop gateways
Command 17: Display the Default Route
Purpose
Shows the default gateway currently used by the firewall.
Syntax
ip route | grep default Example
ip route | grep default Practical Scenario
If users report that internet access has stopped while internal communication remains functional, verifying the default route is one of the first diagnostic steps.
Command 18: View the Kernel Routing Table
Purpose
Displays routing information maintained by the Linux kernel.
Syntax
route -n Example
route -n Common Mistakes
Many administrators assume a configured route is automatically active. However, interface failures or routing changes may prevent it from appearing in the kernel routing table.
Command 19: Display Neighbor (ARP) Table
Purpose
Shows MAC address mappings for connected devices.
Syntax
ip neigh Example
ip neigh When to Use
- Gateway unreachable
- Duplicate IP detection
- Layer 2 troubleshooting
- MAC address verification
Command 20: Test Connectivity Through a Specific Interface
Purpose
Verifies connectivity using a selected interface.
Syntax
ping -I <interface> <destination> Example
ping -I Port2 8.8.8.8 Best Practice
This command is particularly useful in SD-WAN and multi-WAN environments where multiple internet connections exist.
Category 6: DNS and DHCP Commands
DNS issues frequently appear to be firewall problems. Therefore, verifying name resolution before investigating firewall rules can save considerable troubleshooting time.
Command 21: Display DNS Configuration
Purpose
Shows configured DNS servers.
Syntax
cat /etc/resolv.conf Example
cat /etc/resolv.conf Typical Uses
- Validate DNS configuration
- Confirm DNS changes
- Troubleshoot resolution failures
Command 22: Query DNS Records
Purpose
Queries DNS records from a DNS server.
Syntax
dig example.com Example
dig google.com Practical Uses
- Verify authoritative responses
- Check public DNS
- Validate split DNS
- Test DNSSEC responses
Command 23: Display DHCP Lease Information
Purpose
Shows DHCP lease details.
Syntax
cat /tmp/dhcp.leases Example
cat /tmp/dhcp.leases Useful For
- Client troubleshooting
- IP allocation verification
- Lease expiration analysis
Command 24: Display Active Host Entries
Purpose
Lists hosts currently known by the firewall.
Syntax
arp -a Example
arp -a Command 25: Test External DNS Server
Purpose
Verifies internet DNS reachability.
Syntax
nslookup openai.com 8.8.8.8 Example
nslookup openai.com 8.8.8.8 Best Practice
Always compare results using:
- Internal DNS
- External DNS
- ISP DNS
This quickly isolates where resolution is failing.
Category 7: NAT Commands
Network Address Translation (NAT) issues often result in successful firewall rule matches while traffic still fails to reach its destination. Verifying NAT behavior is therefore essential during connectivity troubleshooting.
Command 26: Display Current NAT Sessions
Purpose
Shows active translated sessions.
Syntax
conntrack -L Example
conntrack -L Common Uses
- Verify outbound NAT
- Validate PAT translations
- Investigate session persistence
Command 27: Search NAT Session for an IP Address
Purpose
Filters connection tracking information.
Syntax
conntrack -L | grep 192.168.10.25 Example
conntrack -L | grep 192.168.10.25 Command 28: Monitor Connection Tracking Statistics
Purpose
Displays connection tracking statistics.
Syntax
cat /proc/sys/net/netfilter/nf_conntrack_count Example
cat /proc/sys/net/netfilter/nf_conntrack_count Why It Matters
Connection tracking exhaustion can cause intermittent connectivity even when firewall rules appear correct.
Command 29: Display Maximum Connection Tracking Limit
Syntax
cat /proc/sys/net/netfilter/nf_conntrack_max Example
cat /proc/sys/net/netfilter/nf_conntrack_max Administrators should compare the current connection count against the configured maximum to determine whether session limits are approaching capacity.
Command 30: Display Active Network Connections
Purpose
Displays established TCP and UDP connections.
Syntax
netstat -an Example
netstat -an Category 8: VPN Commands
Virtual Private Networks are among the most common sources of support requests. Fortunately, the CLI provides detailed visibility into tunnel establishment, negotiation, and operational status.
Command 31: Display IPSec Tunnel Status
Purpose
Displays active IPSec tunnels.
Syntax
ipsec status Example
ipsec status When to Use
- Verify tunnel establishment
- Confirm active Security Associations
- Troubleshoot VPN outages
Command 32: Restart IPSec Service
Purpose
Restarts IPSec services.
Syntax
service ipsec restart Example
service ipsec restart Caution
Restarting the IPSec service disconnects all active tunnels. Schedule maintenance appropriately.
Command 33: Display IPSec Security Associations
Purpose
Shows active Security Associations (SAs).
Syntax
ip xfrm state Example
ip xfrm state Typical Uses
- Verify Phase 2 negotiation
- Confirm encryption parameters
- Validate tunnel lifetime
Command 34: Display IPSec Policies
Purpose
Shows active IPSec policies.
Syntax
ip xfrm policy Example
ip xfrm policy Command 35: Verify VPN Connectivity
Purpose
Tests communication across the VPN tunnel.
Syntax
ping <remote-private-ip> Example
ping 10.10.10.1 Best Practice
Successful tunnel establishment does not always guarantee traffic forwarding. Always verify application connectivity after confirming tunnel status.
Category 9: High Availability (HA) Commands
High Availability ensures business continuity by providing redundancy between firewall appliances. Monitoring synchronization and failover status is therefore essential in enterprise deployments.
Command 36: Display HA Status
Purpose
Displays cluster status.
Syntax
show high-availability status Example
show high-availability status Verify
- Active node
- Passive node
- Synchronization state
- Cluster health
Command 37: Verify HA Synchronization
Purpose
Checks synchronization between cluster members.
Syntax
show high-availability synchronization Example
show high-availability synchronization Command 38: Display Heartbeat Status
Purpose
Shows heartbeat communication between appliances.
Syntax
show high-availability heartbeat Example
show high-availability heartbeat Command 39: Display Cluster Interfaces
Purpose
Lists interfaces participating in HA.
Syntax
show high-availability interfaces Example
show high-availability interfaces Command 40: Display HA Configuration
Purpose
Displays HA configuration details.
Syntax
show high-availability configuration Example
show high-availability configuration Category 10: Firewall and Packet Diagnostics
Firewall troubleshooting extends beyond verifying policy rules. Packet visibility, session inspection, and interface statistics are equally important when diagnosing production issues.
Command 41: Start Packet Capture
Purpose
Captures packets traversing an interface.
Syntax
tcpdump -i Port1 Example
tcpdump -i Port1 Practical Uses
- Verify packet arrival
- Confirm packet forwarding
- Analyze TCP handshakes
- Detect retransmissions
Command 42: Capture Traffic for a Specific Host
Syntax
tcpdump host 192.168.1.100 Example
tcpdump host 192.168.1.100 Filtering captures significantly reduces unnecessary output during troubleshooting.
Command 43: Capture Traffic on a Specific Port
Syntax
tcpdump port 443 Example
tcpdump port 443 Common ports include:
- 80 (HTTP)
- 443 (HTTPS)
- 53 (DNS)
- 22 (SSH)
- 25 (SMTP)
- 3389 (RDP)
Command 44: Save Packet Capture to a File
Purpose
Stores packets for later analysis.
Syntax
tcpdump -i Port1 -w capture.pcap Example
tcpdump -i Port1 -w vpn_issue.pcap The resulting PCAP file can be analyzed using Wireshark for deep packet inspection.
Command 45: Display Interface Packet Counters
Purpose
Displays packet statistics.
Syntax
ip -s link show Example
ip -s link show Monitor
- Received packets
- Transmitted packets
- Errors
- Drops
- Overruns
- Carrier issues
Real-World Troubleshooting Workflow: Internet Access Failure
Instead of executing commands randomly, experienced firewall administrators follow a structured troubleshooting methodology.
| Step | Verification | Recommended Command |
|---|---|---|
| 1 | Interface status | ifconfig |
| 2 | IP configuration | ip addr show |
| 3 | Default gateway | ip route show |
| 4 | Gateway reachability | ping <gateway> |
| 5 | DNS resolution | nslookup |
| 6 | NAT sessions | conntrack -L |
| 7 | Active connections | netstat -an |
| 8 | Packet capture | tcpdump |
Following this sequence helps isolate the problem efficiently while minimizing unnecessary configuration changes.
Expert Tips for CLI Troubleshooting
As environments grow more complex, adopting disciplined troubleshooting habits becomes increasingly important.
Always Establish a Baseline
Before making changes, collect:
- CPU utilization
- Memory usage
- Interface counters
- Routing table
- VPN status
- Active sessions
This information provides valuable context if conditions worsen after a configuration change.
Verify Each Network Layer
Avoid assuming the firewall is at fault. Instead, validate:
- Physical connectivity
- Interface configuration
- Layer 2 adjacency
- Routing
- DNS
- NAT
- Firewall policy
- Application behavior
This layered approach aligns with the OSI model and significantly reduces troubleshooting time.
Capture Before Restarting Services
Restarting services may temporarily resolve symptoms but also removes valuable diagnostic evidence. Whenever possible, gather logs, session information, and packet captures before restarting VPN or networking services.
Category 11: Logging Commands
Logs are often the fastest way to determine why traffic was permitted, denied, or dropped. While the Sophos Firewall GUI provides searchable log views, the CLI allows administrators to inspect log files directly and monitor events in real time.
Command 46: View the System Log
Purpose
Displays general operating system and firewall events.
Syntax
tail /log/system.log Example
tail /log/system.log When to Use
- Investigate unexpected system behavior
- Review service startup events
- Identify hardware-related warnings
- Verify configuration changes
Command 47: Monitor the System Log in Real Time
Purpose
Continuously displays new log entries as they are written.
Syntax
tail -f /log/system.log Example
tail -f /log/system.log Best Practice
Open a second SSH session while reproducing an issue so you can observe log entries as they occur.
Command 48: Search Log Files for Specific Keywords
Purpose
Filters log output for relevant events.
Syntax
grep "ERROR" /log/system.log Example
grep "ipsec" /log/system.log Practical Uses
- Locate VPN errors
- Find service failures
- Search authentication events
- Investigate routing changes
Command 49: Display Recent Log Entries
Purpose
Displays the most recent records from a log file.
Syntax
tail -100 /log/system.log Example
tail -100 /log/system.log Command 50: View Authentication Logs
Purpose
Displays authentication-related events.
Syntax
tail /log/auth.log Example
tail /log/auth.log Typical Scenarios
- Failed administrator login
- LDAP authentication issues
- RADIUS failures
- VPN user authentication problems
Category 12: Authentication Commands
Identity-based firewall policies rely on successful communication with authentication services such as Active Directory, LDAP, and RADIUS. Consequently, verifying authentication status is a critical troubleshooting task.
Command 51: Test DNS Before Authentication
Purpose
Confirms that domain controllers and authentication servers are reachable.
Syntax
nslookup company.local Example
nslookup ad.company.local Command 52: Verify Network Connectivity to Authentication Server
Purpose
Tests communication with LDAP or RADIUS servers.
Syntax
ping <authentication-server> Example
ping 192.168.100.10 Command 53: Test Port Connectivity
Purpose
Checks whether required authentication ports are accessible.
Syntax
nc -zv <server> <port> Example
nc -zv 192.168.100.10 389 Common Ports
- 389 – LDAP
- 636 – LDAPS
- 1812 – RADIUS
- 1813 – RADIUS Accounting
- 88 – Kerberos
Command 54: View Active User Sessions
Purpose
Displays currently logged-in users.
Syntax
who Example
who Command 55: Display Current User
Purpose
Shows the currently authenticated CLI user.
Syntax
whoami Example
whoami Category 13: Performance Monitoring Commands
Performance bottlenecks may originate from hardware limitations, excessive traffic, IPS processing, or abnormal session growth. Regular monitoring helps identify problems before they impact users.
Command 56: Display Disk Usage
Purpose
Shows available disk space.
Syntax
df -h Example
df -h Why It Matters
Insufficient disk space can affect:
- Logging
- Firmware upgrades
- Backups
- Reporting
Command 57: Display Directory Usage
Purpose
Shows storage consumption by directories.
Syntax
du -sh /log/* Example
du -sh /log/* Command 58: Display Network Socket Statistics
Purpose
Shows active network sockets.
Syntax
ss -tuln Example
ss -tuln Useful For
- Verifying listening services
- Troubleshooting application connectivity
- Confirming service availability
Command 59: Display Network Statistics
Purpose
Displays interface statistics.
Syntax
netstat -i Example
netstat -i Command 60: Monitor Processes Continuously
Purpose
Provides a live view of system resource usage.
Syntax
top Example
top Best Practice
Monitor CPU utilization while reproducing high-load scenarios such as IPS processing or VPN establishment.
Category 14: Firmware and System Maintenance Commands
Routine maintenance reduces operational risk and improves firewall stability.
Command 61: Reboot the Firewall
Purpose
Restarts the appliance.
Syntax
reboot Example
reboot Caution
Always schedule production reboots during approved maintenance windows.
Command 62: Shut Down the Firewall
Purpose
Performs a graceful shutdown.
Syntax
shutdown -h now Example
shutdown -h now Command 63: Display Mounted File Systems
Purpose
Displays mounted storage devices.
Syntax
mount Example
mount Command 64: Display System Environment
Purpose
Shows environment variables.
Syntax
env Example
env Command 65: Display Kernel Information
Purpose
Displays operating system kernel details.
Syntax
uname -a Example
uname -a Category 15: Backup and File Management Commands
Configuration backups are a fundamental component of disaster recovery planning. Administrators should verify that backups are created regularly and securely stored.
Command 66: Display Current Directory
Purpose
Shows the current working directory.
Syntax
pwd Example
pwd Command 67: List Files
Purpose
Displays files and directories.
Syntax
ls -lah Example
ls -lah Command 68: Copy Files
Purpose
Copies files between locations.
Syntax
cp source destination Example
cp backup.conf backup-old.conf Command 69: Move or Rename Files
Purpose
Moves or renames files.
Syntax
mv oldfile newfile Example
mv backup.conf backup-july.conf Command 70: Remove Temporary Files
Purpose
Deletes unnecessary files.
Syntax
rm filename Example
rm tempcapture.pcap Warning
Always verify the file path before deleting files. Accidental removal of important diagnostic files may complicate troubleshooting.
Category 16: Advanced Diagnostics and Expert Mode
Expert Mode provides access to the underlying Linux operating system. Although powerful, it should primarily be used for diagnostics rather than unsupported system modifications.
Command 71: Enter Expert Mode
Purpose
Accesses the advanced Linux shell.
Syntax
system shell Example
system shell Command 72: Display Kernel Messages
Purpose
Shows kernel-level events.
Syntax
dmesg Example
dmesg Typical Uses
- Driver issues
- Hardware failures
- Interface initialization
- Disk errors
Command 73: Display Loaded Kernel Modules
Purpose
Lists loaded Linux kernel modules.
Syntax
lsmod Example
lsmod Command 74: Display Running Services
Purpose
Shows active system services.
Syntax
service --status-all Example
service --status-all Command 75: Display Open Files
Purpose
Shows files currently opened by running processes.
Syntax
lsof Example
lsof Practical Uses
- Troubleshoot locked files
- Identify log file usage
- Investigate disk activity
Real-World Troubleshooting Workflows
Experienced firewall administrators rarely rely on a single command. Instead, they follow structured workflows that progressively eliminate potential causes.
Workflow 1: IPSec VPN Tunnel Will Not Establish
| Step | Objective | Recommended Command |
|---|---|---|
| 1 | Verify interface connectivity | ping <peer-ip> |
| 2 | Confirm routing | ip route show |
| 3 | Check DNS (if FQDN peer) | nslookup |
| 4 | Review IPSec status | ipsec status |
| 5 | Verify Security Associations | ip xfrm state |
| 6 | Inspect logs | grep "ipsec" |
| 7 | Capture packets | tcpdump |
Workflow 2: Users Cannot Access the Internet
| Step | Objective |
|---|---|
| Verify interface status | |
| Confirm IP addressing | |
| Validate default gateway | |
| Test gateway reachability | |
| Verify DNS | |
| Inspect NAT sessions | |
| Review firewall logs | |
| Capture outbound traffic |
Workflow 3: High CPU Utilization
- Monitor CPU using
top. - Review running processes.
- Check active sessions.
- Verify IPS activity.
- Examine VPN load.
- Inspect logging volume.
- Review packet captures if necessary.
Daily Health Check Checklist
A proactive daily health check can identify developing issues before they become outages.
| Item | Recommended Verification |
|---|---|
| CPU utilization | Below expected operational threshold |
| Memory utilization | Stable with sufficient free memory |
| Disk usage | Adequate free space |
| Interface status | No errors or drops |
| VPN tunnels | All critical tunnels established |
| HA synchronization | Fully synchronized |
| DNS resolution | Successful |
| Routing table | Correct default route |
| System logs | No recurring critical errors |
| Active sessions | Within normal operational range |
Security Hardening Recommendations
Operational excellence extends beyond troubleshooting. Administrators should also implement security best practices to protect firewall management interfaces.
Restrict Administrative Access
Limit SSH access to trusted management networks and avoid exposing administrative interfaces to the public Internet.
Use Multi-Factor Authentication
Where supported, integrate administrator accounts with MFA through directory services or identity providers.
Disable Unused Services
Reduce the attack surface by disabling services that are not required for production operations.
Apply Firmware Updates Promptly
Regular firmware updates address security vulnerabilities, improve performance, and enhance platform stability.
Centralize Logging
Forward logs to a centralized SIEM or Syslog server to support long-term retention, compliance, and incident response.
GUI vs CLI Comparison
| Administrative Task | GUI | CLI |
|---|---|---|
| Firewall Policy Management | Excellent | Limited |
| VPN Configuration | Excellent | Moderate |
| Diagnostics | Moderate | Excellent |
| Packet Capture | Basic | Advanced |
| Routing Analysis | Moderate | Excellent |
| Performance Monitoring | Good | Excellent |
| Service Debugging | Limited | Excellent |
| Log Investigation | Good | Excellent |
Sophos CLI Quick Reference
| Category | Commands Covered |
|---|---|
| System Information | 1–5 |
| Performance Monitoring | 6–8, 56–60 |
| Interfaces | 9–15 |
| Routing | 16–20 |
| DNS & DHCP | 21–25 |
| NAT | 26–30 |
| VPN | 31–35 |
| High Availability | 36–40 |
| Packet Capture | 41–45 |
| Logging | 46–50 |
| Authentication | 51–55 |
| System Maintenance | 61–65 |
| File Management | 66–70 |
| Expert Mode | 71–75 |
Frequently Asked Questions
What is the Sophos Firewall CLI?
The Sophos Firewall Command-Line Interface (CLI) is a text-based management environment that allows administrators to configure, monitor, troubleshoot, and maintain Sophos Firewall appliances. It complements the web interface by providing direct access to diagnostics, routing information, packet captures, logs, and advanced system utilities.
How do I access the Sophos Firewall CLI?
You can access the CLI using one of the following methods:
- SSH from a trusted management workstation
- Physical console connection
- Hypervisor console for virtual appliances
- Remote KVM or out-of-band management console
For production environments, SSH is generally the preferred method because it provides secure, encrypted remote administration.
What is Expert Mode in Sophos Firewall?
Expert Mode provides controlled access to the underlying Linux operating system. It is intended primarily for advanced troubleshooting, diagnostics, log analysis, and packet capture rather than routine configuration changes.
Is it safe to use Expert Mode?
Yes, when used appropriately. Administrators should limit Expert Mode activities to diagnostics and avoid unsupported modifications to system files or services, as such changes may affect stability, upgrades, or vendor support.
How do I verify whether a VPN tunnel is active?
The most common approach is to:
- Check IPSec tunnel status.
- Verify Security Associations (SAs).
- Confirm routing.
- Test connectivity across the tunnel.
- Review VPN-related logs.
- Capture packets if necessary.
Following this sequence provides a structured troubleshooting methodology rather than relying on guesswork.
Which CLI command is most useful for troubleshooting?
There is no single “best” command. Experienced administrators typically combine several commands depending on the problem. Common examples include:
- Interface verification
- Routing table inspection
- Packet capture
- System logs
- Connection tracking
- CPU and memory monitoring
The right command depends on whether the issue involves networking, authentication, VPNs, firewall policies, or system performance.
Can I configure the entire firewall from the CLI?
Sophos Firewall is primarily designed for GUI-based configuration. While the CLI provides extensive diagnostic capabilities and supports selected administrative tasks, most policy configuration, security settings, and deployment activities are performed through the web interface.
Why use the CLI if the GUI already exists?
The CLI provides several advantages:
- Faster diagnostics
- Detailed packet analysis
- Advanced troubleshooting
- Real-time log monitoring
- Service-level visibility
- Better insight into routing and session handling
Consequently, most experienced firewall engineers use both interfaces together.
How do I monitor firewall performance?
A complete health assessment typically includes:
- CPU utilization
- Memory consumption
- Interface statistics
- Session count
- Disk usage
- VPN status
- High Availability synchronization
- System logs
Reviewing these metrics regularly helps identify developing issues before they impact production services.
How often should firewall administrators perform health checks?
Many organizations perform:
| Environment | Recommended Frequency |
|---|---|
| Small Business | Weekly |
| Medium Enterprise | Daily |
| Large Enterprise | Daily or multiple times per day |
| Security Operations Center (SOC) | Continuous monitoring |
Can Sophos Firewall CLI help troubleshoot SD-WAN issues?
Yes. Although SD-WAN policies are primarily managed through the graphical interface, the CLI is invaluable for validating:
- Interface availability
- Gateway reachability
- Routing decisions
- Packet forwarding
- DNS resolution
- VPN tunnel health
- WAN connectivity
What tools should every Sophos administrator master?
Experienced administrators should be comfortable with:
- SSH
- Packet capture
- Log analysis
- Route verification
- DNS testing
- Session inspection
- VPN diagnostics
- Resource monitoring
These capabilities significantly reduce troubleshooting time during production incidents.
Common Mistakes to Avoid
Even experienced administrators occasionally make errors that prolong troubleshooting or introduce unnecessary risk. Avoiding these common mistakes can improve operational efficiency and reduce downtime.
Restarting Services Too Early
Restarting VPN, routing, or authentication services before collecting evidence may temporarily resolve symptoms while eliminating valuable diagnostic information.
Recommendation: Capture logs, packet traces, and system statistics before restarting services.
Ignoring Routing
Many connectivity problems are caused by incorrect routing rather than firewall rules.
Recommendation: Always verify the routing table before modifying security policies.
Assuming DNS Is Working
Users often report that “the Internet is down” when the actual problem is DNS resolution.
Recommendation: Test both IP connectivity and DNS resolution separately.
Skipping Packet Capture
Packet captures provide objective evidence of packet flow and should be part of every major troubleshooting exercise.
Working Without Change Control
Production firewalls protect critical business services.
Always:
- Document changes.
- Obtain approvals.
- Schedule maintenance windows.
- Verify rollback procedures.
- Record pre-change baselines.
Best Practices for Enterprise Firewall Administration
Organizations with mature network operations generally follow standardized operational procedures.
Standardize Troubleshooting
Develop documented troubleshooting workflows for:
- Internet outages
- VPN failures
- Authentication issues
- High CPU utilization
- High memory usage
- Routing failures
- High Availability failover
Standardization improves consistency across operational teams.
Maintain Configuration Backups
Backups should be:
- Automated
- Version-controlled
- Securely stored
- Periodically tested through restoration exercises
Monitor Continuously
Rather than reacting to user complaints, monitor:
- CPU utilization
- Memory usage
- Interface errors
- VPN availability
- Session growth
- Disk capacity
- Log anomalies
Proactive monitoring significantly reduces operational risk.
Keep Documentation Current
Maintain documentation covering:
- Interface assignments
- VLANs
- IP addressing
- VPN topology
- Dynamic routing
- NAT policies
- High Availability architecture
- Administrative procedures
Accurate documentation accelerates troubleshooting and simplifies onboarding.
Final Thoughts
Sophos Firewall combines a powerful graphical management interface with a highly capable command-line environment. While the GUI is ideal for day-to-day administration and policy management, the CLI remains indispensable for diagnostics, troubleshooting, performance analysis, and operational visibility.
The 75 commands presented throughout this guide represent the foundation of a practical operational toolkit used by experienced network and security professionals. More importantly, effective troubleshooting depends not only on knowing individual commands but also on understanding when and how to combine them within structured workflows.
As enterprise networks continue to adopt Zero Trust architectures, hybrid cloud connectivity, SD-WAN, encrypted traffic inspection, and increasingly complex security controls, firewall administrators must develop both technical depth and disciplined operational practices. Mastering the Sophos CLI enables faster incident resolution, more accurate diagnostics, and greater confidence when managing critical production environments.
Whether you are responsible for a single branch office firewall or a globally distributed security infrastructure, investing time in learning the Sophos CLI will improve operational efficiency and strengthen your ability to maintain secure, resilient, and highly available network services.
Key Takeaways
- The Sophos Firewall CLI complements the graphical interface with advanced diagnostic capabilities.
- Mastering CLI commands significantly improves troubleshooting efficiency.
- Routing, DNS, NAT, VPN, and packet capture should be verified before modifying firewall policies.
- Expert Mode is intended for diagnostics and should be used carefully.
- Daily health checks help identify issues before they affect production.
- Structured troubleshooting workflows are more effective than isolated command execution.
- Configuration backups, centralized logging, and documentation are essential operational practices.
- Combining CLI expertise with sound change management enhances both security and reliability.

