Sophos Firewall troubleshooting: services and logs
Sophos Firewall has two important troubleshooting layers: event logs in Log Viewer and service or log files on the firewall. Log Viewer is ideal for quick questions such as whether a connection was allowed or blocked. The files under /log become more important when a service does not start, a VPN tunnel is unstable, web filtering behaves unexpectedly or support needs detailed data.
This article maps the most important services and log files to typical admin problems. It also helps when a technical service name appears in the dashboard, Advanced Shell or a support case and it is not immediately clear which firewall function is behind it. Names such as zebra, warren, awed, garner or strongswan are not self-explanatory in daily work.
Log Viewer or log file?
Log Viewer is opened in the WebAdmin console at the top right. It updates automatically, can be filtered by module, time, field values and free text, and can export logs as CSV.
Troubleshooting logs are stored on the firewall in /log. Access is available through the WebAdmin console or by SSH. For short checks, Device Management > Advanced Shell in the browser works. In practice, SSH is usually more comfortable, stable and better for longer tail, grep or less sessions. Secure SSH preparation is described in Connect to Sophos Firewall by SSH.
- Connect by SSH or open Device Management > Advanced Shell in WebAdmin.
- Change to the log directory: cd /log
Useful commands:
tail -f firewall_rule.log
tail -f nat_rule.log
grep -i error ips.log
less strongswan.log
service -S | grep ips
The most important Advanced Shell commands:
| Command | Example | Purpose |
|---|---|---|
| tail -f /log/<logfilename>.log | tail -f /log/ips.log | shows new log lines live |
| less /log/<logfilename>.log | less /log/ips.log | opens a static log file for reading |
| grep <keyword> /log/<logfilename>.log | grep error /log/ips.log | searches for a keyword in a log file |
| service <service>:<start/restart/stop/debug> -ds nosync | service ips:debug -ds nosync | starts, stops, restarts or enables debug for a service |
If logs need to be saved for support or external analysis, use Save Sophos Firewall logs for external analysis.
Advanced Shell or Device Console?
Sophos Firewall has two different console areas that are often confused:
| Area | Use |
|---|---|
| Device Console | Sophos CLI for firewall-specific commands, for example routing priority, IPsec routes or system options |
| Advanced Shell | Linux-like shell for filesystem, log files, tail, grep, less, service -S, service restarts and debug commands |
Not every command works in both areas. If an article explicitly mentions Device Console, run the command there. If it is about /log, tail -f, grep, service -S or debug logging, Advanced Shell is usually meant.
This distinction is important because many errors happen only because a correct command is entered in the wrong place.
Logging must be enabled
Not every expected piece of information appears automatically.
- Log firewall traffic must be enabled in firewall rules.
- Logging must be enabled in SSL/TLS inspection rules.
- Under System services > Log settings, define which log types are stored locally, sent to Sophos Central or sent to syslog.
For long-term retention, a syslog server or Sophos Central Firewall Reporting is useful. Sophos Firewall can configure up to five external syslog servers. Central Firewall Reporting counts toward this limit as well.
More details: Enable Central Firewall Reporting.
Enable debug only when needed
Debug logging is very useful, but it creates a lot of data and can consume disk space. Debug should only be enabled for the relevant service. Then reproduce the issue and disable debug again.
Example:
service ips:debug -ds nosync
service ips:debug -ds nosync off
The exact syntax depends on the service. If the affected service is unclear, check the normal log file first.
Debug logging and basic CLI commands are explained in more detail in Sophos Firewall troubleshooting - CLI tips and tricks. For restarting individual services, see Restart Sophos Firewall services.
Firewall, NAT and Packet Capture
| Function | Service / context | First log file | Also check |
|---|---|---|---|
| Firewall rule matching | Firewall Rule Engine | firewall_rule.log | Log Viewer module Firewall |
| General firewall processing | Firewall log / kernel path | fwlog.log | Packet Capture |
| NAT rules | NAT Rule Engine | nat_rule.log | NAT Rule ID in Log Viewer |
| Packet Capture in WebAdmin | pktcapd | pktcapd.log | Diagnostics > Packet capture |
| Bandwidth Management / QoS | bwm | bwm.log | Traffic Shaping Policy |
| Virtual Host / older server publishing | vhost | vhost.log | NAT and WAF |
For DNAT issues, always check firewall rule and NAT rule together. NAT only translates; it does not allow traffic. More details: Understand NAT on Sophos Firewall: SNAT, DNAT, MASQ, PAT.
Sophos Firewall uses iptables, the ARP table, ipset and conntrack for firewall connections. IMQ is used for QoS and Bandwidth Management. Knowing this helps when log messages or support output contain technical terms from the Linux network path.
IPS, Application Control and TLS Inspection
| Function | Service / context | Log file |
|---|---|---|
| Intrusion Prevention | ips | ips.log |
| Application Control | ips / Application Filter | ips.log |
| DPI and TLS Inspection | DPI Engine | ips.log |
| Antivirus in the network path | avd | avd.log |
| Signature updates | Signature Updater | sig_upgrade.log, sig_update.log |
| Signature migration | Signature Migration | sigmigration.log |
Many modern protection features only see enough detail when HTTPS is decrypted. If TLS Inspection does not apply, Web Filter, Application Control, IPS and Malware Scan are less meaningful depending on the traffic.
More details: Roll out TLS Inspection on Sophos Firewall step by step.
Web, proxy, WAF and web filter
| Function | Service / context | Log file |
|---|---|---|
| HTTPS Proxy | awarrenhttp | awarrenhttp.log |
| HTTPS Proxy Access | awarrenhttp access log | awarrenhttp_access.log |
| Web Proxy | Web Proxy | webproxy.log |
| Web Categorization / Reputation | nSXLd | nSXLd.log |
| Legacy HTTP/FTP Proxy | skein | skein.log |
| FTP Proxy | ftpproxy | ftpproxy.log |
| Web Application Firewall | Reverse Proxy | reverseproxy.log |
If web traffic appears as blocked in Log Viewer, the cause may be in several modules: Web Policy, SSL/TLS inspection, Application Control, IPS or WAF. Always select the specific module in Log Viewer and also check the matching log file.
Sophos always blocks web pages in the highly objectionable criminal activity category and hides the domain name in logs and reports. If an entry in this area looks intentionally anonymised, this may be expected behaviour.
VPN
| Function | Service / context | Log file |
|---|---|---|
| IPsec from SFOS v17+ | strongswan, charon | strongswan.log, charon.log |
| IPsec older versions | IPsec service | ipsec.log |
| IPsec Test Connection | IPsec test | ipsec_Test_Connect.log |
| IPsec monitoring | IPsec Monitor | ipsec_monitor.log |
| XFRM / route-based VPN | xfrmi | xfrmi.log |
| SSL VPN | SSL VPN / OpenVPN | sslvpn.log |
| SSL VPN status | OpenVPN status | openvpn-status*.log |
| L2TP | l2tpd | l2tpd.log |
| PPTP | PPTP VPN | pptpvpn.log |
| VPN certificates | VPN Certificate Services | vpncertificate.log, wc_remote.log |
| Clientless SSL VPN | Clientless Access | clientless_access.log |
Sophos Firewall uses strongSwan for IPsec VPN and OpenVPN for SSL VPN. For IPsec issues, time, peer IP, proposal, local/remote subnets, NAT-T, routing and firewall rules are crucial.
For IPsec issues, Sophos Firewall IPsec troubleshooting is the better step-by-step guide. For route-based VPN and manual IPsec routes, see Create an IPsec route on Sophos Firewall.
Authentication, User Portal and SSO
| Function | Service / context | Log file |
|---|---|---|
| User authentication | Access Server / AAA | access_server.log |
| NTLM / NASM | nasm | nasm.log |
| Chromebook SSO | Chromebook SSO Backend | chromebook-sso-backend.log |
| OAuth SSO Captive Portal | OAuth SSO Captive Portal | oauth_sso_captive.log |
| OAuth SSO WebAdmin | OAuth SSO WebAdmin | oauth_sso_webadmin.log |
| OAuth SSO VPN | OAuth SSO VPN | oauth_sso_vpn.log |
| STAS | STAS / Access Server context | depending on service context and access_server.log |
For user-based rules, first check whether the user is known at all. If Match known users is enabled and authentication does not work, the rule does not match.
DNS, DHCP and network
| Function | Service / context | Log file |
|---|---|---|
| DNS Service | dnsd | dnsd.log |
| DNS Grabber | dnsgrabber | dnsgrabber.log |
| DNS Entity / other DNS components | entity, eacd | entity.log, eacd.log |
| DHCP IPv4 | dhcpd | dhcpd.log |
| DHCP IPv6 | DHCPv6 | dhcp6.log |
| Network service | networkd | networkd.log |
| FQDN hosts | fqdnd | fqdnd.log, fqdndebug.log |
| Dead Gateway Detection | dgd | dgd.log |
| Dynamic DNS | Dynamic DNS Client | ddc.log |
| NTP Client | NTP Client | ntpclient.log |
| IPv6 Router Advertisement | radvd | radvd.log |
DNS and DHCP issues often look like firewall issues. Therefore, first check IP address, gateway, DNS server and whether clients should use the firewall as DNS or DHCP server.
If internal domains are not resolved correctly, Configure DNS request routes on Sophos Firewall is usually relevant. For special DHCP options, see Configure Sophos Firewall DHCP Options.
Cellular WAN
| Function | What to check | Log file |
|---|---|---|
| WWAN / USB modem | insertion and removal of USB devices | mdev.log |
| Modem network configuration | modem-related interfaces and IP configuration | networkd.log |
| USB, modem and PPP | syslog messages for USB, modem and Point-to-Point Protocol | syslog.log |
For Cellular WAN issues, also check whether the modem is detected, whether PIN/SIM/APN are correct and whether the firewall creates a suitable gateway.
Routing
| Function | Service / context | Log file |
|---|---|---|
| Static Routing | zebra | zebra.log |
| Application Based Routing | appcached | appcached.log |
| Redis App Cache | Redis | redis |
| Multicast Routing | Multicast Routing | mrouting.log |
| BGP | bgpd | bgpd.log |
| OSPF | ospfd | ospfd.log |
| RIP | ripd | ripd.log |
| PIM-SM | pimd | pimd.log |
For routing issues, also check Routing > SD-WAN routes, gateways and Packet Capture. Policy tester does not replace a real routing test.
More details: Adjust routing priority on Sophos Firewall.
GUI, CLI and system access
| Function | Service / context | Log file |
|---|---|---|
| WebAdmin web server | apache | apache.log, apache_access.log |
| WebAdmin application | tomcat | tomcat.log |
| SSH | sshd | sshd.log |
| GUI/CLI errors | System / GUI Error Log | error_log.log |
| API | API Parser / App Feedback | apiparser.log, app-feedback.log |
| Validation | Config Validation | validation.log, validationError.log |
If WebAdmin or SSH is not reachable, do not only check these logs. Local access is controlled through Administration > Device access and Local Service ACL.
More details: Connect to Sophos Firewall by SSH.
Sophos Central, Heartbeat and Central Management
| Function | Service / context | Log file |
|---|---|---|
| Sophos Central Management | Central Management | centralmanagement.log, sophos-central.log |
| CSC | csc, cschelper, csd | csc.log, cschelper.log, csd.log |
| Security Heartbeat | heartbeatd, hbtrust | heartbeatd.log, hbtrust.log |
| Heartbeat to Central | fwcm-eventd, fwcm-heartbeatd, fwcm-updaterd | corresponding service logs |
| Central API Executor | fwcm-api-executor | fwcm-api-executor.log |
| Active Threat Response | ATR context | depending on version and module |
For Central issues, first check whether the firewall is registered, Central Services are enabled and outbound DNS/HTTPS works.
High Availability
| Function | Service / context | Log file |
|---|---|---|
| HA status and configuration | HA Application Log | applog.log |
| HA Pair Service | ha_pair | ha_pair.log |
| HA Tunnel | ha_tunnel | ha_tunnel.log |
| Conntrack Sync | ctsyncd | ctsyncd.log |
| Msync | msync | msync.log |
HA logs are stored on the appliance on which they are generated. For raw logs of the auxiliary appliance, connect directly to that appliance, for example through its admin port by SSH. For consolidated reports, Sophos Central Firewall Reporting is more practical.
Mail and anti-spam
| Function | Service / context | Log file |
|---|---|---|
| Antivirus | AV Service | av.log |
| Antivirus updates | Up2Date AV | up2date_av.log |
| Anti-spam | sasi | sasi.log |
| Sandbox | sandboxd | sandboxd.log, sessiontbl.log |
| SMTP MTA | smtpd | smtpd_main.log |
| SMTP errors | smtpd Error/Panic/Reject | smtpd_error.log, smtpd_panic.log, smtpd_reject.log |
| Legacy SMTP/S Proxy | awarrensmtp, awarrenmta | awarrensmtp.log, awarrenmta.log, awarrenmta_debug.log |
| POP/IMAP Proxy | warren | warren.log |
For mail issues, always check whether MTA mode, firewall rule, DNS, certificates and provider restrictions fit together.
Sophos Firewall uses Avira and Sophos Antivirus. The anti-spam service only starts when an inbound or outbound spam policy exists. This dependency is important if sasi.log remains empty or the anti-spam service is not running.
Wireless, RED, Hotspot and other services
| Function | Service / context | Log file |
|---|---|---|
| Wireless Controller | awed | awed.log |
| Wi-Fi Authentication | wifiauth | wifiauth.log |
| Hotspot | hostapd, hotspot, hotspotd | hostapd.log, hotspot.log, hotspotd.log |
| RED | RED Service | red.log |
| SNMP | snmpd | snmpd.log |
| Syslog Service | Syslog | syslog.log |
| Licensing | Licensing Service | licensing.log |
| System Updates | u2d | u2d.log |
| VMware Tools | vmtool | vmtool.log |
| SMB filesystem | smbnetfs, snireport | smbnetfs.log, snireport.log |
Database and reporting
| Function | Service / context | Log file |
|---|---|---|
| Configuration database | Config DB | confdbstatus.log, crreportdb.log |
| Postgres | postgres | postgres.log |
| Signature database | sigdb | sigdb.log |
| Report database | Report DB | reportdb.log |
| Migration database | Report Migration | sac-feedback.log, reportmigration.log |
| Garner | garner | garner.log |
| iView | iview | iview.log |
If reports are missing, slow or storage issues occur, reporting and database logs are relevant. Also check whether reports are stored locally or sent to Sophos Central.
Practical analysis order
- Note the issue precisely: time, client, destination, port, user, action.
- Filter in Log Viewer by source IP and time.
- Check whether Firewall Rule ID and NAT Rule ID are visible.
- Watch the matching log file with tail -f.
- Reproduce the issue.
- Enable debug briefly if needed.
- Use Packet Capture if the packet flow is unclear.
- Save logs while the issue has just been reproduced.
For support cases, document all error messages, reproduction steps and troubleshooting steps already performed. This information significantly speeds up support cases.
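The last step above, saving the relevant logs right after reproducing the issue, can be scripted in Advanced Shell. The following is an added example and not part of the original article or of Sophos' own tooling: it maps a subsystem name to the first log files listed in the tables above and copies the last N lines of each into a timestamped directory. The subsystem names, the LOGDIR and SNAPDIR variables and the directory naming are assumptions made here; LOGDIR defaults to /log on the firewall.

```shell
#!/bin/sh
# Added example (not from the article or Sophos): snapshot the log files that
# the tables in this article map to one subsystem. LOGDIR defaults to /log on
# the firewall and can be overridden for testing on another system.
LOGDIR="${LOGDIR:-/log}"

# Map a subsystem name (assumed names) to the first log files the tables list.
# Returns 1 for an unknown subsystem so callers can detect typos.
logs_for() {
    case "$1" in
        firewall) echo "firewall_rule.log nat_rule.log fwlog.log" ;;
        ips)      echo "ips.log avd.log sig_upgrade.log sig_update.log" ;;
        web)      echo "awarrenhttp.log awarrenhttp_access.log webproxy.log nSXLd.log" ;;
        vpn)      echo "strongswan.log charon.log ipsec_monitor.log sslvpn.log" ;;
        auth)     echo "access_server.log nasm.log" ;;
        dns)      echo "dnsd.log dhcpd.log networkd.log" ;;
        *)        return 1 ;;
    esac
}

# Copy the last N lines (default 500) of every mapped file into a new
# timestamped directory under SNAPDIR (default /tmp). Files that do not exist
# on this appliance or firmware version are skipped instead of failing.
# Prints the snapshot directory; returns 1 for an unknown subsystem.
snapshot_logs() {
    subsystem="$1"
    lines="${2:-500}"
    files=$(logs_for "$subsystem") || return 1
    out="${SNAPDIR:-/tmp}/logsnap-${subsystem}-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$out"
    for f in $files; do
        if [ -f "$LOGDIR/$f" ]; then
            tail -n "$lines" "$LOGDIR/$f" > "$out/$f"
        fi
    done
    echo "$out"
}
```

Run it immediately after reproducing the issue, for example snapshot_logs vpn 1000, and hand the printed directory to support together with the reproduction steps.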
More information
The tables in this article are based on practical experience and Sophos’ official overview of module log files. The official sources are linked here: