Sophos CLI Commands: 75 Essential Commands Every Firewall Administrator Should Know (2026 Guide)

Sophos Firewall CLI terminal displaying essential firewall administration and troubleshooting commands on a Sophos XGS appliance.

If you manage a Sophos Firewall in a production environment, the graphical interface is only part of the administration toolkit. While the web console simplifies day-to-day configuration, experienced firewall administrators know that the command-line interface (CLI) remains indispensable for troubleshooting, diagnostics, maintenance, and advanced system operations.

Whether you’re investigating a VPN outage, validating routing behavior, collecting packet captures, monitoring system resources, or performing advanced diagnostics, the Sophos Firewall CLI provides direct access to information that is often unavailable—or less efficient to obtain—from the graphical interface.

This comprehensive guide covers 75 essential Sophos CLI commands organized by real-world administrative tasks. Rather than presenting a simple command list, each command includes its purpose, syntax, practical example, recommended use cases, and operational considerations. Throughout the guide, you’ll also learn troubleshooting methodologies, security best practices, and operational workflows used by enterprise network engineers, managed service providers (MSPs), and security operations teams.

The examples are applicable to modern Sophos Firewall deployments running recent versions of Sophos Firewall OS (SFOS) and are designed to help administrators build confidence when working in production environments.

Quick Answer: What Is the Sophos Firewall CLI?

The Sophos Firewall Command-Line Interface (CLI) is a text-based management environment that allows administrators to configure, monitor, troubleshoot, and maintain Sophos Firewall appliances using console or SSH access. It provides access to diagnostic tools, system information, networking utilities, packet capture, VPN troubleshooting, routing verification, high availability management, and advanced Linux shell capabilities that complement the graphical user interface.

Why Learning the CLI Still Matters

Modern firewalls have evolved far beyond simple packet filtering devices. Today’s enterprise firewalls perform:

  • Stateful inspection
  • Deep packet inspection (DPI)
  • Intrusion Prevention System (IPS)
  • SSL/TLS inspection
  • SD-WAN path selection
  • Web filtering
  • Application control
  • Zero Trust enforcement
  • Site-to-site VPN
  • Remote access VPN
  • High Availability (HA)
  • Identity-aware firewall policies

Consequently, troubleshooting has also become significantly more complex. A web dashboard may indicate that traffic is blocked, but the CLI often reveals why it is blocked by exposing routing decisions, session information, kernel statistics, packet captures, and daemon logs.

For experienced administrators, the CLI is not a replacement for the GUI—it is the fastest path to understanding how the firewall is behaving internally.

What Is Sophos Firewall CLI?

The Sophos Firewall CLI is an interactive command environment that provides administrative access to the operating system and firewall services. It enables administrators to inspect configurations, verify network behavior, diagnose problems, collect debugging information, and perform maintenance tasks.

Unlike many traditional Linux distributions, Sophos Firewall provides a structured CLI with menu-driven administration as well as advanced shell access for diagnostic operations.

Primary CLI Capabilities

The CLI enables administrators to:

  • Display system information
  • Monitor CPU and memory utilization
  • Review interface status
  • Verify routing tables
  • Check DNS resolution
  • Test network connectivity
  • Diagnose VPN tunnels
  • Inspect firewall sessions
  • Capture packets
  • View system logs
  • Monitor HA synchronization
  • Restart services when required
  • Perform advanced troubleshooting

Because these capabilities operate independently of the web interface, administrators can continue diagnosing issues even when the GUI becomes unavailable.

Sophos Firewall CLI vs GUI

Although both interfaces manage the same appliance, they serve different operational purposes.

FeatureWeb GUICLI
Initial deploymentExcellentLimited
Firewall policy managementExcellentLimited
VPN configurationExcellentLimited
MonitoringGoodExcellent
TroubleshootingModerateExcellent
Packet captureBasicAdvanced
Performance analysisModerateExcellent
Routing verificationModerateExcellent
DebuggingLimitedExcellent
Service diagnosticsLimitedExcellent

When Should You Use the CLI?

The CLI becomes particularly valuable in situations such as:

  • VPN tunnels refuse to establish.
  • Internet access suddenly stops.
  • Dynamic routing behaves unexpectedly.
  • High Availability fails over unexpectedly.
  • CPU utilization spikes.
  • Memory usage remains unusually high.
  • DNS resolution fails.
  • Packet forwarding appears inconsistent.
  • Session tables require inspection.
  • The graphical interface becomes inaccessible.

In practice, experienced engineers often begin with the GUI to obtain a high-level view before moving to the CLI for detailed analysis.

Methods to Access the Sophos Firewall CLI

Sophos Firewall supports multiple management methods depending on the deployment scenario.

SSH Access

SSH is the preferred method for remote administration.

Typical workflow:

  1. Enable SSH administration.
  2. Verify management access rules.
  3. Connect using an SSH client.
  4. Authenticate with administrator credentials.

SSH provides encrypted remote access and is suitable for production environments.

Console Access

Console access is useful when:

  • Initial deployment is being performed.
  • Network connectivity is unavailable.
  • Administrator credentials require recovery.
  • Major troubleshooting is necessary.

Console access is commonly performed through:

  • Physical console cable
  • Hypervisor console
  • Remote KVM
  • Virtual machine console

Web Administration Terminal

Some maintenance tasks can also be initiated from the web administration environment, although full diagnostic capabilities are generally available only through the CLI.

Understanding Sophos Firewall CLI Modes

One aspect that distinguishes Sophos Firewall from many other enterprise firewalls is its layered command environment.

Administrators typically interact with three operational levels.

Console Menu

The default CLI presents a menu-driven interface that simplifies common administrative tasks.

Typical functions include:

  • Network configuration
  • Password management
  • Firmware management
  • Appliance reboot
  • Factory reset
  • Backup operations
  • Diagnostics

This interface is particularly useful for junior administrators or emergency recovery scenarios.

Advanced CLI

Advanced CLI mode provides access to operational commands that expose firewall status, interfaces, routing, VPN information, logs, and diagnostic utilities.

This is where administrators spend most of their troubleshooting time.

Expert Mode

Expert Mode provides controlled Linux shell access.

This environment is intended primarily for advanced diagnostics rather than routine configuration.

Typical activities include:

  • Advanced packet capture
  • Process monitoring
  • Log analysis
  • Linux networking tools
  • File inspection
  • Temporary troubleshooting

Because Expert Mode exposes the underlying operating system, administrators should exercise caution and avoid making unsupported modifications.

Best Practices Before Running CLI Commands

Working directly from the command line offers tremendous flexibility, but production firewalls require disciplined operational practices.

Verify Administrative Access

Before beginning troubleshooting:

  • Confirm administrator privileges.
  • Use named administrator accounts.
  • Avoid shared credentials.
  • Record administrative sessions whenever possible.

Know the Production Environment

Understand:

  • Interface naming conventions
  • Routing topology
  • VLAN assignments
  • VPN architecture
  • HA design
  • SD-WAN policies

Without architectural awareness, command output may be misleading.

Collect Baseline Information

Before making changes, document:

  • Current CPU usage
  • Memory utilization
  • Interface status
  • Active sessions
  • VPN status
  • Routing table

A baseline simplifies post-change verification.

Avoid Unsupported Changes

Expert Mode should primarily be used for observation and diagnostics.

Direct modifications to the underlying operating system may:

  • Be overwritten during upgrades
  • Break vendor support
  • Cause configuration inconsistencies
  • Affect firewall stability

Schedule Maintenance Windows

Whenever commands could interrupt production traffic, perform maintenance during approved change windows and ensure rollback procedures are available.

The 75 Essential Sophos CLI Commands

The commands in this guide are grouped into logical administrative categories to reflect how firewall engineers troubleshoot production environments.

The first section focuses on foundational system and networking commands that every Sophos administrator should master.

Category 1: System Information Commands

Command 1: Display System Version

Purpose

Displays the installed Sophos Firewall OS version and software build.

Syntax

system diagnostics show version-info

Example

system diagnostics show version-info

When to Use

  • Confirm firmware version
  • Validate upgrade success
  • Troubleshoot version-specific issues
  • Open vendor support cases

Command 2: Display Appliance Information

Purpose

Shows hardware model and appliance details.

Syntax

system diagnostics show appliance-info

Example

system diagnostics show appliance-info

Common Uses

  • Inventory validation
  • Hardware verification
  • Support documentation

Command 3: Display System Uptime

Purpose

Verifies how long the firewall has been running since the last reboot.

Syntax

system diagnostics show uptime

Example

system diagnostics show uptime

Practical Scenario

Unexpected uptime resets often indicate power failures, watchdog reboots, or system instability.

Command 4: Display Current Date and Time

Purpose

Confirms system clock synchronization.

Syntax

date

Example

date

Accurate system time is essential for:

  • VPN authentication
  • Certificate validation
  • Syslog correlation
  • Security investigations

Command 5: Display Hostname

Purpose

Shows the configured appliance hostname.

Syntax

hostname

Example

hostname

Administrators commonly verify this information before making changes in environments containing multiple firewalls.

Category 2: Resource Monitoring Commands

Command 6: Display CPU Utilization

Purpose

Shows current processor utilization.

Syntax

top

Example

top

Typical Uses

  • Investigate performance degradation
  • Detect excessive IPS activity
  • Monitor traffic spikes
  • Validate firewall health

Command 7: Display Memory Usage

Purpose

Displays RAM utilization.

Syntax

free -h

Example

free -h

High memory consumption over extended periods may indicate abnormal application behavior or unusually high session counts.

Command 8: Display Running Processes

Purpose

Lists currently running processes.

Syntax

ps aux

Example

ps aux

Useful when identifying resource-intensive services or confirming daemon operation.

Category 3: Network Interface Commands

Command 9: Display Interface Status

Purpose

Displays interface operational state.

Syntax

ifconfig

Example

ifconfig

Common Uses

  • Verify link status
  • Confirm assigned IP addresses
  • Validate MTU settings
  • Check interface statistics

Command 10: Display IP Address Configuration

Syntax

ip addr show

Example

ip addr show

This command provides a concise view of interface addressing, making it useful when validating new deployments or troubleshooting connectivity.

Command 11: Display Interface Statistics

Syntax

ip -s link

Example

ip -s link

Administrators often review packet counters, errors, drops, and collisions to identify physical or logical interface issues.

Category 4: Connectivity Testing Commands

Command 12: Ping Remote Host

Purpose

Tests basic IP connectivity.

Syntax

ping <destination>

Example

ping 8.8.8.8

Best Practice

Always test both:

  • Public IP addresses
  • Internal gateways

This helps distinguish routing issues from DNS problems.

Command 13: Trace Network Path

Syntax

traceroute <destination>

Example

traceroute 8.8.8.8

Traceroute helps determine where packets stop traversing the network and is invaluable during WAN and ISP troubleshooting.

Command 14: Test DNS Resolution

Syntax

nslookup example.com

Example

nslookup example.com

If this command fails while pinging an IP address succeeds, the issue is likely related to DNS configuration rather than IP connectivity.

Command 15: Verify Default Gateway Reachability

Syntax

ping <gateway-ip>

Example

ping 192.168.1.1

This simple test is often the quickest way to determine whether the firewall can communicate with its next-hop router.

Category 5: Routing Commands

Understanding how the firewall makes forwarding decisions is one of the most important troubleshooting skills for any network engineer. Even when firewall policies are configured correctly, an incorrect routing table or policy route can prevent traffic from reaching its destination. Consequently, routing verification should always be part of your troubleshooting workflow.

Command 16: Display the Routing Table

Purpose

Displays all active routes installed in the firewall.

Syntax

ip route show

Example

ip route show

When to Use

  • Verify static routes
  • Confirm dynamic routing advertisements
  • Troubleshoot asymmetric routing
  • Validate default gateway configuration

Expected Output

The command displays:

  • Default route
  • Connected networks
  • Static routes
  • Learned routes
  • Route metrics
  • Next-hop gateways

Command 17: Display the Default Route

Purpose

Shows the default gateway currently used by the firewall.

Syntax

ip route | grep default

Example

ip route | grep default

Practical Scenario

If users report that internet access has stopped while internal communication remains functional, verifying the default route is one of the first diagnostic steps.

Command 18: View the Kernel Routing Table

Purpose

Displays routing information maintained by the Linux kernel.

Syntax

route -n

Example

route -n

Common Mistakes

Many administrators assume a configured route is automatically active. However, interface failures or routing changes may prevent it from appearing in the kernel routing table.

Command 19: Display Neighbor (ARP) Table

Purpose

Shows MAC address mappings for connected devices.

Syntax

ip neigh

Example

ip neigh

When to Use

  • Gateway unreachable
  • Duplicate IP detection
  • Layer 2 troubleshooting
  • MAC address verification

Command 20: Test Connectivity Through a Specific Interface

Purpose

Verifies connectivity using a selected interface.

Syntax

ping -I <interface> <destination>

Example

ping -I Port2 8.8.8.8

Best Practice

This command is particularly useful in SD-WAN and multi-WAN environments where multiple internet connections exist.

Category 6: DNS and DHCP Commands

DNS issues frequently appear to be firewall problems. Therefore, verifying name resolution before investigating firewall rules can save considerable troubleshooting time.

Command 21: Display DNS Configuration

Purpose

Shows configured DNS servers.

Syntax

cat /etc/resolv.conf

Example

cat /etc/resolv.conf

Typical Uses

  • Validate DNS configuration
  • Confirm DNS changes
  • Troubleshoot resolution failures

Command 22: Query DNS Records

Purpose

Queries DNS records from a DNS server.

Syntax

dig example.com

Example

dig google.com

Practical Uses

  • Verify authoritative responses
  • Check public DNS
  • Validate split DNS
  • Test DNSSEC responses

Command 23: Display DHCP Lease Information

Purpose

Shows DHCP lease details.

Syntax

cat /tmp/dhcp.leases

Example

cat /tmp/dhcp.leases

Useful For

  • Client troubleshooting
  • IP allocation verification
  • Lease expiration analysis

Command 24: Display Active Host Entries

Purpose

Lists hosts currently known by the firewall.

Syntax

arp -a

Example

arp -a

Command 25: Test External DNS Server

Purpose

Verifies internet DNS reachability.

Syntax

nslookup openai.com 8.8.8.8

Example

nslookup openai.com 8.8.8.8

Best Practice

Always compare results using:

  • Internal DNS
  • External DNS
  • ISP DNS

This quickly isolates where resolution is failing.

Category 7: NAT Commands

Network Address Translation (NAT) issues often result in successful firewall rule matches while traffic still fails to reach its destination. Verifying NAT behavior is therefore essential during connectivity troubleshooting.

Command 26: Display Current NAT Sessions

Purpose

Shows active translated sessions.

Syntax

conntrack -L

Example

conntrack -L

Common Uses

  • Verify outbound NAT
  • Validate PAT translations
  • Investigate session persistence

Command 27: Search NAT Session for an IP Address

Purpose

Filters connection tracking information.

Syntax

conntrack -L | grep 192.168.10.25

Example

conntrack -L | grep 192.168.10.25

Command 28: Monitor Connection Tracking Statistics

Purpose

Displays connection tracking statistics.

Syntax

cat /proc/sys/net/netfilter/nf_conntrack_count

Example

cat /proc/sys/net/netfilter/nf_conntrack_count

Why It Matters

Connection tracking exhaustion can cause intermittent connectivity even when firewall rules appear correct.

Command 29: Display Maximum Connection Tracking Limit

Syntax

cat /proc/sys/net/netfilter/nf_conntrack_max

Example

cat /proc/sys/net/netfilter/nf_conntrack_max

Administrators should compare the current connection count against the configured maximum to determine whether session limits are approaching capacity.

Command 30: Display Active Network Connections

Purpose

Displays established TCP and UDP connections.

Syntax

netstat -an

Example

netstat -an

Category 8: VPN Commands

Virtual Private Networks are among the most common sources of support requests. Fortunately, the CLI provides detailed visibility into tunnel establishment, negotiation, and operational status.

Command 31: Display IPSec Tunnel Status

Purpose

Displays active IPSec tunnels.

Syntax

ipsec status

Example

ipsec status

When to Use

  • Verify tunnel establishment
  • Confirm active Security Associations
  • Troubleshoot VPN outages

Command 32: Restart IPSec Service

Purpose

Restarts IPSec services.

Syntax

service ipsec restart

Example

service ipsec restart

Caution

Restarting the IPSec service disconnects all active tunnels. Schedule maintenance appropriately.

Command 33: Display IPSec Security Associations

Purpose

Shows active Security Associations (SAs).

Syntax

ip xfrm state

Example

ip xfrm state

Typical Uses

  • Verify Phase 2 negotiation
  • Confirm encryption parameters
  • Validate tunnel lifetime

Command 34: Display IPSec Policies

Purpose

Shows active IPSec policies.

Syntax

ip xfrm policy

Example

ip xfrm policy

Command 35: Verify VPN Connectivity

Purpose

Tests communication across the VPN tunnel.

Syntax

ping <remote-private-ip>

Example

ping 10.10.10.1

Best Practice

Successful tunnel establishment does not always guarantee traffic forwarding. Always verify application connectivity after confirming tunnel status.

Category 9: High Availability (HA) Commands

High Availability ensures business continuity by providing redundancy between firewall appliances. Monitoring synchronization and failover status is therefore essential in enterprise deployments.

Command 36: Display HA Status

Purpose

Displays cluster status.

Syntax

show high-availability status

Example

show high-availability status

Verify

  • Active node
  • Passive node
  • Synchronization state
  • Cluster health

Command 37: Verify HA Synchronization

Purpose

Checks synchronization between cluster members.

Syntax

show high-availability synchronization

Example

show high-availability synchronization

Command 38: Display Heartbeat Status

Purpose

Shows heartbeat communication between appliances.

Syntax

show high-availability heartbeat

Example

show high-availability heartbeat

Command 39: Display Cluster Interfaces

Purpose

Lists interfaces participating in HA.

Syntax

show high-availability interfaces

Example

show high-availability interfaces

Command 40: Display HA Configuration

Purpose

Displays HA configuration details.

Syntax

show high-availability configuration

Example

show high-availability configuration

Category 10: Firewall and Packet Diagnostics

Firewall troubleshooting extends beyond verifying policy rules. Packet visibility, session inspection, and interface statistics are equally important when diagnosing production issues.

Command 41: Start Packet Capture

Purpose

Captures packets traversing an interface.

Syntax

tcpdump -i Port1

Example

tcpdump -i Port1

Practical Uses

  • Verify packet arrival
  • Confirm packet forwarding
  • Analyze TCP handshakes
  • Detect retransmissions

Command 42: Capture Traffic for a Specific Host

Syntax

tcpdump host 192.168.1.100

Example

tcpdump host 192.168.1.100

Filtering captures significantly reduces unnecessary output during troubleshooting.

Command 43: Capture Traffic on a Specific Port

Syntax

tcpdump port 443

Example

tcpdump port 443

Common ports include:

  • 80 (HTTP)
  • 443 (HTTPS)
  • 53 (DNS)
  • 22 (SSH)
  • 25 (SMTP)
  • 3389 (RDP)

Command 44: Save Packet Capture to a File

Purpose

Stores packets for later analysis.

Syntax

tcpdump -i Port1 -w capture.pcap

Example

tcpdump -i Port1 -w vpn_issue.pcap

The resulting PCAP file can be analyzed using Wireshark for deep packet inspection.

Command 45: Display Interface Packet Counters

Purpose

Displays packet statistics.

Syntax

ip -s link show

Example

ip -s link show

Monitor

  • Received packets
  • Transmitted packets
  • Errors
  • Drops
  • Overruns
  • Carrier issues

Real-World Troubleshooting Workflow: Internet Access Failure

Instead of executing commands randomly, experienced firewall administrators follow a structured troubleshooting methodology.

StepVerificationRecommended Command
1Interface statusifconfig
2IP configurationip addr show
3Default gatewayip route show
4Gateway reachabilityping <gateway>
5DNS resolutionnslookup
6NAT sessionsconntrack -L
7Active connectionsnetstat -an
8Packet capturetcpdump

Following this sequence helps isolate the problem efficiently while minimizing unnecessary configuration changes.

Expert Tips for CLI Troubleshooting

As environments grow more complex, adopting disciplined troubleshooting habits becomes increasingly important.

Always Establish a Baseline

Before making changes, collect:

  • CPU utilization
  • Memory usage
  • Interface counters
  • Routing table
  • VPN status
  • Active sessions

This information provides valuable context if conditions worsen after a configuration change.

Verify Each Network Layer

Avoid assuming the firewall is at fault. Instead, validate:

  1. Physical connectivity
  2. Interface configuration
  3. Layer 2 adjacency
  4. Routing
  5. DNS
  6. NAT
  7. Firewall policy
  8. Application behavior

This layered approach aligns with the OSI model and significantly reduces troubleshooting time.

Capture Before Restarting Services

Restarting services may temporarily resolve symptoms but also removes valuable diagnostic evidence. Whenever possible, gather logs, session information, and packet captures before restarting VPN or networking services.

Category 11: Logging Commands

Logs are often the fastest way to determine why traffic was permitted, denied, or dropped. While the Sophos Firewall GUI provides searchable log views, the CLI allows administrators to inspect log files directly and monitor events in real time.

Command 46: View the System Log

Purpose

Displays general operating system and firewall events.

Syntax

tail /log/system.log

Example

tail /log/system.log

When to Use

  • Investigate unexpected system behavior
  • Review service startup events
  • Identify hardware-related warnings
  • Verify configuration changes

Command 47: Monitor the System Log in Real Time

Purpose

Continuously displays new log entries as they are written.

Syntax

tail -f /log/system.log

Example

tail -f /log/system.log

Best Practice

Open a second SSH session while reproducing an issue so you can observe log entries as they occur.

Command 48: Search Log Files for Specific Keywords

Purpose

Filters log output for relevant events.

Syntax

grep "ERROR" /log/system.log

Example

grep "ipsec" /log/system.log

Practical Uses

  • Locate VPN errors
  • Find service failures
  • Search authentication events
  • Investigate routing changes

Command 49: Display Recent Log Entries

Purpose

Displays the most recent records from a log file.

Syntax

tail -100 /log/system.log

Example

tail -100 /log/system.log

Command 50: View Authentication Logs

Purpose

Displays authentication-related events.

Syntax

tail /log/auth.log

Example

tail /log/auth.log

Typical Scenarios

  • Failed administrator login
  • LDAP authentication issues
  • RADIUS failures
  • VPN user authentication problems

Category 12: Authentication Commands

Identity-based firewall policies rely on successful communication with authentication services such as Active Directory, LDAP, and RADIUS. Consequently, verifying authentication status is a critical troubleshooting task.

Command 51: Test DNS Before Authentication

Purpose

Confirms that domain controllers and authentication servers are reachable.

Syntax

nslookup company.local

Example

nslookup ad.company.local

Command 52: Verify Network Connectivity to Authentication Server

Purpose

Tests communication with LDAP or RADIUS servers.

Syntax

ping <authentication-server>

Example

ping 192.168.100.10

Command 53: Test Port Connectivity

Purpose

Checks whether required authentication ports are accessible.

Syntax

nc -zv <server> <port>

Example

nc -zv 192.168.100.10 389

Common Ports

  • 389 – LDAP
  • 636 – LDAPS
  • 1812 – RADIUS
  • 1813 – RADIUS Accounting
  • 88 – Kerberos

Command 54: View Active User Sessions

Purpose

Displays currently logged-in users.

Syntax

who

Example

who

Command 55: Display Current User

Purpose

Shows the currently authenticated CLI user.

Syntax

whoami

Example

whoami

Category 13: Performance Monitoring Commands

Performance bottlenecks may originate from hardware limitations, excessive traffic, IPS processing, or abnormal session growth. Regular monitoring helps identify problems before they impact users.

Command 56: Display Disk Usage

Purpose

Shows available disk space.

Syntax

df -h

Example

df -h

Why It Matters

Insufficient disk space can affect:

  • Logging
  • Firmware upgrades
  • Backups
  • Reporting

Command 57: Display Directory Usage

Purpose

Shows storage consumption by directories.

Syntax

du -sh /log/*

Example

du -sh /log/*

Command 58: Display Network Socket Statistics

Purpose

Shows active network sockets.

Syntax

ss -tuln

Example

ss -tuln

Useful For

  • Verifying listening services
  • Troubleshooting application connectivity
  • Confirming service availability

Command 59: Display Network Statistics

Purpose

Displays interface statistics.

Syntax

netstat -i

Example

netstat -i

Command 60: Monitor Processes Continuously

Purpose

Provides a live view of system resource usage.

Syntax

top

Example

top

Best Practice

Monitor CPU utilization while reproducing high-load scenarios such as IPS processing or VPN establishment.

Category 14: Firmware and System Maintenance Commands

Routine maintenance reduces operational risk and improves firewall stability.

Command 61: Reboot the Firewall

Purpose

Restarts the appliance.

Syntax

reboot

Example

reboot

Caution

Always schedule production reboots during approved maintenance windows.

Command 62: Shut Down the Firewall

Purpose

Performs a graceful shutdown.

Syntax

shutdown -h now

Example

shutdown -h now

Command 63: Display Mounted File Systems

Purpose

Displays mounted storage devices.

Syntax

mount

Example

mount

Command 64: Display System Environment

Purpose

Shows environment variables.

Syntax

env

Example

env

Command 65: Display Kernel Information

Purpose

Displays operating system kernel details.

Syntax

uname -a

Example

uname -a

Category 15: Backup and File Management Commands

Configuration backups are a fundamental component of disaster recovery planning. Administrators should verify that backups are created regularly and securely stored.

Command 66: Display Current Directory

Purpose

Shows the current working directory.

Syntax

pwd

Example

pwd

Command 67: List Files

Purpose

Displays files and directories.

Syntax

ls -lah

Example

ls -lah

Command 68: Copy Files

Purpose

Copies files between locations.

Syntax

cp source destination

Example

cp backup.conf backup-old.conf

Command 69: Move or Rename Files

Purpose

Moves or renames files.

Syntax

mv oldfile newfile

Example

mv backup.conf backup-july.conf

Command 70: Remove Temporary Files

Purpose

Deletes unnecessary files.

Syntax

rm filename

Example

rm tempcapture.pcap

Warning

Always verify the file path before deleting files. Accidental removal of important diagnostic files may complicate troubleshooting.

Category 16: Advanced Diagnostics and Expert Mode

Expert Mode provides access to the underlying Linux operating system. Although powerful, it should primarily be used for diagnostics rather than unsupported system modifications.

Command 71: Enter Expert Mode

Purpose

Accesses the advanced Linux shell.

Syntax

system shell

Example

system shell

Command 72: Display Kernel Messages

Purpose

Shows kernel-level events.

Syntax

dmesg

Example

dmesg

Typical Uses

  • Driver issues
  • Hardware failures
  • Interface initialization
  • Disk errors

Command 73: Display Loaded Kernel Modules

Purpose

Lists loaded Linux kernel modules.

Syntax

lsmod

Example

lsmod

Command 74: Display Running Services

Purpose

Shows active system services.

Syntax

service --status-all

Example

service --status-all

Command 75: Display Open Files

Purpose

Shows files currently opened by running processes.

Syntax

lsof

Example

lsof

Practical Uses

  • Troubleshoot locked files
  • Identify log file usage
  • Investigate disk activity

Real-World Troubleshooting Workflows

Experienced firewall administrators rarely rely on a single command. Instead, they follow structured workflows that progressively eliminate potential causes.

Workflow 1: IPSec VPN Tunnel Will Not Establish

StepObjectiveRecommended Command
1Verify interface connectivityping <peer-ip>
2Confirm routingip route show
3Check DNS (if FQDN peer)nslookup
4Review IPSec statusipsec status
5Verify Security Associationsip xfrm state
6Inspect logsgrep "ipsec"
7Capture packetstcpdump

Workflow 2: Users Cannot Access the Internet

StepObjective
Verify interface status
Confirm IP addressing
Validate default gateway
Test gateway reachability
Verify DNS
Inspect NAT sessions
Review firewall logs
Capture outbound traffic

Workflow 3: High CPU Utilization

  1. Monitor CPU using top.
  2. Review running processes.
  3. Check active sessions.
  4. Verify IPS activity.
  5. Examine VPN load.
  6. Inspect logging volume.
  7. Review packet captures if necessary.

Daily Health Check Checklist

A proactive daily health check can identify developing issues before they become outages.

ItemRecommended Verification
CPU utilizationBelow expected operational threshold
Memory utilizationStable with sufficient free memory
Disk usageAdequate free space
Interface statusNo errors or drops
VPN tunnelsAll critical tunnels established
HA synchronizationFully synchronized
DNS resolutionSuccessful
Routing tableCorrect default route
System logsNo recurring critical errors
Active sessionsWithin normal operational range

Security Hardening Recommendations

Operational excellence extends beyond troubleshooting. Administrators should also implement security best practices to protect firewall management interfaces.

Restrict Administrative Access

Limit SSH access to trusted management networks and avoid exposing administrative interfaces to the public Internet.

Use Multi-Factor Authentication

Where supported, integrate administrator accounts with MFA through directory services or identity providers.

Disable Unused Services

Reduce the attack surface by disabling services that are not required for production operations.

Apply Firmware Updates Promptly

Regular firmware updates address security vulnerabilities, improve performance, and enhance platform stability.

Centralize Logging

Forward logs to a centralized SIEM or Syslog server to support long-term retention, compliance, and incident response.

GUI vs CLI Comparison

Administrative TaskGUICLI
Firewall Policy ManagementExcellentLimited
VPN ConfigurationExcellentModerate
DiagnosticsModerateExcellent
Packet CaptureBasicAdvanced
Routing AnalysisModerateExcellent
Performance MonitoringGoodExcellent
Service DebuggingLimitedExcellent
Log InvestigationGoodExcellent

Sophos CLI Quick Reference

CategoryCommands Covered
System Information1–5
Performance Monitoring6–8, 56–60
Interfaces9–15
Routing16–20
DNS & DHCP21–25
NAT26–30
VPN31–35
High Availability36–40
Packet Capture41–45
Logging46–50
Authentication51–55
System Maintenance61–65
File Management66–70
Expert Mode71–75

Frequently Asked Questions

What is the Sophos Firewall CLI?

The Sophos Firewall Command-Line Interface (CLI) is a text-based management environment that allows administrators to configure, monitor, troubleshoot, and maintain Sophos Firewall appliances. It complements the web interface by providing direct access to diagnostics, routing information, packet captures, logs, and advanced system utilities.

How do I access the Sophos Firewall CLI?

You can access the CLI using one of the following methods:

  • SSH from a trusted management workstation
  • Physical console connection
  • Hypervisor console for virtual appliances
  • Remote KVM or out-of-band management console

For production environments, SSH is generally the preferred method because it provides secure, encrypted remote administration.

What is Expert Mode in Sophos Firewall?

Expert Mode provides controlled access to the underlying Linux operating system. It is intended primarily for advanced troubleshooting, diagnostics, log analysis, and packet capture rather than routine configuration changes.

Is it safe to use Expert Mode?

Yes, when used appropriately. Administrators should limit Expert Mode activities to diagnostics and avoid unsupported modifications to system files or services, as such changes may affect stability, upgrades, or vendor support.

How do I verify whether a VPN tunnel is active?

The most common approach is to:

  1. Check IPSec tunnel status.
  2. Verify Security Associations (SAs).
  3. Confirm routing.
  4. Test connectivity across the tunnel.
  5. Review VPN-related logs.
  6. Capture packets if necessary.

Following this sequence provides a structured troubleshooting methodology rather than relying on guesswork.

Which CLI command is most useful for troubleshooting?

There is no single “best” command. Experienced administrators typically combine several commands depending on the problem. Common examples include:

  • Interface verification
  • Routing table inspection
  • Packet capture
  • System logs
  • Connection tracking
  • CPU and memory monitoring

The right command depends on whether the issue involves networking, authentication, VPNs, firewall policies, or system performance.

Can I configure the entire firewall from the CLI?

Sophos Firewall is primarily designed for GUI-based configuration. While the CLI provides extensive diagnostic capabilities and supports selected administrative tasks, most policy configuration, security settings, and deployment activities are performed through the web interface.

Why use the CLI if the GUI already exists?

The CLI provides several advantages:

  • Faster diagnostics
  • Detailed packet analysis
  • Advanced troubleshooting
  • Real-time log monitoring
  • Service-level visibility
  • Better insight into routing and session handling

Consequently, most experienced firewall engineers use both interfaces together.

How do I monitor firewall performance?

A complete health assessment typically includes:

  • CPU utilization
  • Memory consumption
  • Interface statistics
  • Session count
  • Disk usage
  • VPN status
  • High Availability synchronization
  • System logs

Reviewing these metrics regularly helps identify developing issues before they impact production services.

How often should firewall administrators perform health checks?

Many organizations perform:

EnvironmentRecommended Frequency
Small BusinessWeekly
Medium EnterpriseDaily
Large EnterpriseDaily or multiple times per day
Security Operations Center (SOC)Continuous monitoring

Can Sophos Firewall CLI help troubleshoot SD-WAN issues?

Yes. Although SD-WAN policies are primarily managed through the graphical interface, the CLI is invaluable for validating:

  • Interface availability
  • Gateway reachability
  • Routing decisions
  • Packet forwarding
  • DNS resolution
  • VPN tunnel health
  • WAN connectivity

What tools should every Sophos administrator master?

Experienced administrators should be comfortable with:

  • SSH
  • Packet capture
  • Log analysis
  • Route verification
  • DNS testing
  • Session inspection
  • VPN diagnostics
  • Resource monitoring

These capabilities significantly reduce troubleshooting time during production incidents.

Common Mistakes to Avoid

Even experienced administrators occasionally make errors that prolong troubleshooting or introduce unnecessary risk. Avoiding these common mistakes can improve operational efficiency and reduce downtime.

Restarting Services Too Early

Restarting VPN, routing, or authentication services before collecting evidence may temporarily resolve symptoms while eliminating valuable diagnostic information.

Recommendation: Capture logs, packet traces, and system statistics before restarting services.

Ignoring Routing

Many connectivity problems are caused by incorrect routing rather than firewall rules.

Recommendation: Always verify the routing table before modifying security policies.

Assuming DNS Is Working

Users often report that “the Internet is down” when the actual problem is DNS resolution.

Recommendation: Test both IP connectivity and DNS resolution separately.

Skipping Packet Capture

Packet captures provide objective evidence of packet flow and should be part of every major troubleshooting exercise.

Working Without Change Control

Production firewalls protect critical business services.

Always:

  • Document changes.
  • Obtain approvals.
  • Schedule maintenance windows.
  • Verify rollback procedures.
  • Record pre-change baselines.

Best Practices for Enterprise Firewall Administration

Organizations with mature network operations generally follow standardized operational procedures.

Standardize Troubleshooting

Develop documented troubleshooting workflows for:

  • Internet outages
  • VPN failures
  • Authentication issues
  • High CPU utilization
  • High memory usage
  • Routing failures
  • High Availability failover

Standardization improves consistency across operational teams.

Maintain Configuration Backups

Backups should be:

  • Automated
  • Version-controlled
  • Securely stored
  • Periodically tested through restoration exercises

Monitor Continuously

Rather than reacting to user complaints, monitor:

  • CPU utilization
  • Memory usage
  • Interface errors
  • VPN availability
  • Session growth
  • Disk capacity
  • Log anomalies

Proactive monitoring significantly reduces operational risk.

Keep Documentation Current

Maintain documentation covering:

  • Interface assignments
  • VLANs
  • IP addressing
  • VPN topology
  • Dynamic routing
  • NAT policies
  • High Availability architecture
  • Administrative procedures

Accurate documentation accelerates troubleshooting and simplifies onboarding.

Final Thoughts

Sophos Firewall combines a powerful graphical management interface with a highly capable command-line environment. While the GUI is ideal for day-to-day administration and policy management, the CLI remains indispensable for diagnostics, troubleshooting, performance analysis, and operational visibility.

The 75 commands presented throughout this guide represent the foundation of a practical operational toolkit used by experienced network and security professionals. More importantly, effective troubleshooting depends not only on knowing individual commands but also on understanding when and how to combine them within structured workflows.

As enterprise networks continue to adopt Zero Trust architectures, hybrid cloud connectivity, SD-WAN, encrypted traffic inspection, and increasingly complex security controls, firewall administrators must develop both technical depth and disciplined operational practices. Mastering the Sophos CLI enables faster incident resolution, more accurate diagnostics, and greater confidence when managing critical production environments.

Whether you are responsible for a single branch office firewall or a globally distributed security infrastructure, investing time in learning the Sophos CLI will improve operational efficiency and strengthen your ability to maintain secure, resilient, and highly available network services.

Key Takeaways

  • The Sophos Firewall CLI complements the graphical interface with advanced diagnostic capabilities.
  • Mastering CLI commands significantly improves troubleshooting efficiency.
  • Routing, DNS, NAT, VPN, and packet capture should be verified before modifying firewall policies.
  • Expert Mode is intended for diagnostics and should be used carefully.
  • Daily health checks help identify issues before they affect production.
  • Structured troubleshooting workflows are more effective than isolated command execution.
  • Configuration backups, centralized logging, and documentation are essential operational practices.
  • Combining CLI expertise with sound change management enhances both security and reliability.

Picture of Martin Kelly
Martin Kelly

We hired CWNx to revamp our company website and run a few ad campaigns. The new design is sleek and professional, and the campaigns brought in a noticeable uptick in qualified leads. Communication was smooth throughout the project. I'm docking one star only because the initial timeline slipped by a few days, but the final output was absolutely worth the wait.

Leave a Reply

Your email address will not be published. Required fields are marked *