Sophos Firewall – Run script without cronjob
This post is about how to run a script on a Sophos Firewall without using a cronjob, as the Sophos Firewall does not allow you to create a cronjob.
Why run a script on the Sophos Firewall?
In certain situations, it may be necessary to run a custom script on the Sophos Firewall. This can be used, for example, to customize network settings, to regularly send heartbeat signals to monitoring services or to change firewall rules. Often this functionality should be retained even after a restart of the firewall, which means that the default configuration of the Sophos Firewall must be adjusted.
Activate write permissions for the file system
By default, the Sophos Firewall file system is read-only.
To make changes to scripts, it must first be mounted with write permissions:
mount -no remount,rw /
Create or edit script
Next, you can create a script or edit an existing script.
In this example, a user-defined script is created that sets certain network rules:
vi /scripts/system/clientpref/customization_application_startup.sh
Add the following content:
#!/bin/sh
# Delete the existing mangle-table rule that clamps the TCP MSS to 900 bytes
# for traffic to 172.19.0.0/16 (add a replacement rule with -A if one is required)
iptables -t mangle -D POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
exit 0
As written, this command deletes (-D) the existing mangle-table rule that clamps the maximum segment size (MSS) of TCP connections to 172.19.0.0/16 to 900 bytes; to install a replacement, add the desired rule in the same script with -A (or -I).
A second example, separate from the startup script, is an expect script that logs in to the firewall's console menu over SSH and selects the reboot option:
#!/usr/bin/expect -f
# Log in to the firewall console as admin (replace the placeholders)
spawn ssh <Sophos Firewall IP> -l admin
expect "password:"
send "<Admin Password>\r"
# Menu option 7 opens the shutdown/reboot prompt; "r" selects reboot
expect "Select Menu Number \\\[0-7\\\]:"
send "7\r"
expect "Shutdown(S/s) or Reboot(R/r) Device (S/s/R/r): No (Enter) >"
send "r\r"
expect eof
exit
Run on a nightly schedule from a host that has expect installed (for example from that host's cron), this script ensures that the Sophos Firewall restarts every night. Note that it stores the admin password in clear text, so restrict read access to the file.
Save changes and write-protect file system again
After the script has been edited, the changes should be saved and the write protection of the file system reactivated:
mount -no remount,ro /
To ensure that the script is also executed after a restart of the firewall, it must be integrated into the start procedure of the firewall. The previously edited script (customization_application_startup.sh) is executed each time the firewall is started and ensures that the desired settings are applied.
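As an added example (not the post's own script), here is a fuller customization_application_startup.sh that keeps the post's MSS rule change but makes it safe to run more than once, and that launches a background helper such as /var/script.sh only if it is not already running. The replacement MSS value (1360), the pid file path and the use of iptables -C are assumptions for illustration; the iptables binary and the helper path can be overridden through variables so the logic can be dry-run off the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): a version of
# /scripts/system/clientpref/customization_application_startup.sh that
# replaces the MSS clamp rule idempotently and starts a background helper
# only once. OLD_MSS/NEW_MSS, the pid file path and the helper path are
# assumptions, not values from the post.

IPTABLES="${IPTABLES:-iptables}"            # overridable so the logic can be dry-run
MSS_NET="${MSS_NET:-172.19.0.0/16}"
OLD_MSS="${OLD_MSS:-900}"                    # value in the rule the post deletes
NEW_MSS="${NEW_MSS:-1360}"                   # assumed replacement value
HELPER="${HELPER:-/var/script.sh}"
PIDFILE="${PIDFILE:-/var/run/custom_helper.pid}"

# One place for the rule so delete/check/append never drift apart.
mss_rule() {   # $1 = iptables action (-D, -C or -A), $2 = MSS value
    "$IPTABLES" -t mangle "$1" POSTROUTING -d "$MSS_NET" -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$2"
}

apply_mss_rule() {
    # Remove the stock rule if it is there; its absence is not an error on a re-run.
    mss_rule -D "$OLD_MSS" 2>/dev/null || true
    # -C (--check) exits 0 when an identical rule exists, so the rule is not
    # duplicated if the script runs twice (e.g. a manual run plus the boot run).
    mss_rule -C "$NEW_MSS" 2>/dev/null || mss_rule -A "$NEW_MSS"
}

start_once() {
    # Start "$@" in the background unless the pid recorded earlier is still alive.
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        return 0
    fi
    "$@" >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
}

main() {
    apply_mss_rule
    [ -x "$HELPER" ] && start_once "$HELPER"
    return 0
}

# Run only when installed under the startup script's name; running or
# sourcing the file under another name just defines the functions.
if [ "${0##*/}" = "customization_application_startup.sh" ]; then
    main
fi
```

Install it with the mount/vi/mount steps above. iptables -C exits 0 when an identical rule already exists, which is what prevents a second copy of the rule when the script is run by hand and then again at boot; without that check every run would append another rule. The pid file check does the same for the helper process, so a re-run never leaves two heartbeat loops running.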
Example of a heartbeat script
If it is necessary to send a heartbeat to a monitoring service such as Uptimerobot, you can use the following example:
1. Create a new script:
touch /var/script.sh
2. Edit the script:
vi /var/script.sh
3. Add your content, for example:
#!/bin/sh
# Ping the monitoring endpoint once a minute for as long as the firewall is up.
# --insecure skips TLS certificate verification; drop it if the firewall can
# verify the monitor's certificate.
while true; do
    curl --insecure https://heartbeat.uptimerobot.com/xxxxxxx-20cf67c87a3c0a318820d201f19483e06c99c9f7 >/dev/null 2>&1
    sleep 60
done
4. Make the script executable:
chmod 755 /var/script.sh
5. Run the script in the background:
/var/script.sh >> /dev/null 2>&1 &
6. To start the script automatically after a restart as well, add the following line to customization_application_startup.sh:
/var/script.sh >> /dev/null 2>&1 &
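The loop in step 3 sends the heartbeat blindly: curl's exit status is discarded, --insecure disables certificate checking, and a stalled connection would hold up the loop. The following replacement for /var/script.sh is an added example, not the post's code; it checks the exit status, logs failures, uses a connection timeout and can be bounded to a fixed number of pings for testing. The URL is a placeholder, and the logger call and the --daemon switch are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: a heartbeat loop for /var/script.sh
# that checks curl's exit status, records failures and can be bounded.
# The URL, the log tag and the presence of logger are assumptions.

HEARTBEAT_URL="${HEARTBEAT_URL:-https://heartbeat.uptimerobot.com/PLACEHOLDER-MONITOR-KEY}"
HEARTBEAT_INTERVAL="${HEARTBEAT_INTERVAL:-60}"   # seconds between pings
HEARTBEAT_MAX="${HEARTBEAT_MAX:-0}"              # stop after N pings; 0 = run forever
CURL="${CURL:-curl}"                             # overridable for offline testing
# --fail turns HTTP errors into a non-zero exit and --max-time keeps a hung
# connection from stalling the loop. Add --insecure only if the firewall has
# no CA bundle with which to verify the monitor's certificate.
[ -n "${CURL_OPTS:-}" ] || CURL_OPTS="--fail --silent --show-error --max-time 10"

send_heartbeat() {
    # The exit status is curl's, so the caller can count failed pings.
    # CURL_OPTS is deliberately unquoted so that it word-splits into options.
    "$CURL" $CURL_OPTS "$HEARTBEAT_URL" >/dev/null 2>&1
}

heartbeat_loop() {
    # Pings in a loop; on return HEARTBEAT_FAILED holds the number of failed
    # pings (a return code would be capped at 255).
    sent=0
    HEARTBEAT_FAILED=0
    while :; do
        rc=0
        send_heartbeat || rc=$?
        if [ "$rc" -ne 0 ]; then
            HEARTBEAT_FAILED=$((HEARTBEAT_FAILED + 1))
            # logger is assumed to exist (BusyBox ships one); ignore it if not
            logger -t heartbeat "ping to $HEARTBEAT_URL failed (curl rc=$rc)" 2>/dev/null || true
        fi
        sent=$((sent + 1))
        if [ "$HEARTBEAT_MAX" -gt 0 ] && [ "$sent" -ge "$HEARTBEAT_MAX" ]; then
            break
        fi
        sleep "$HEARTBEAT_INTERVAL"
    done
    return 0
}

# Run the loop only when started with --daemon; otherwise the file just
# defines its functions (useful for sourcing and testing).
if [ "${1:-}" = "--daemon" ]; then
    heartbeat_loop
fi
```

Start it with /var/script.sh --daemon >> /dev/null 2>&1 & in steps 5 and 6; without --daemon the file only defines its functions. Because curl is reached through the CURL variable, the loop can be checked against a stub function (as the test for this block does) before it is pointed at the real monitor, and the failure count gives a quick answer to "is the firewall actually reaching the monitor?" that the original fire-and-forget loop cannot.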
Important notes
- High Availability (HA) Cluster: When using an HA cluster, the script must be applied to both nodes.
- Persistence across restarts: If the script is to be executed each time the firewall is restarted, the steps described for integration into the start procedure must be carried out.
- Risks: Care should be taken when making changes to the firewall start scripts, as incorrect settings can impair the functionality of the firewall.