Connect to Sophos Firewall via SSH
Many support and troubleshooting tasks require SSH access to Sophos Firewall. Examples include log analysis, service restarts, special diagnostic commands and work in the Advanced Shell.
This guide explains how to prepare SSH access, connect to the firewall and open the required console.
Requirements
For an SSH connection to Sophos Firewall, you need:
- Administrative access to Sophos Firewall
- The IP address or DNS name of the firewall
- Access to the admin user
- On macOS or Linux: the built-in Terminal app with SSH
- On Windows: Windows Terminal with OpenSSH or PuTTY
- SSH access allowed under Administration > Device access
⚠️ SSH should only be allowed from trusted networks. In production environments, it is better to restrict access to a management IP or admin network instead of allowing SSH broadly.
Allow SSH access on the firewall
For a connection to work, Sophos Firewall must allow SSH on the relevant zone or through a Local Service ACL Exception Rule.
- Log in to the Sophos Firewall Web Admin.
- Open Administration.
- Select Device access.
- Check whether SSH is allowed for the required zone.
For internal administration networks, SSH can be enabled directly for the relevant zone, for example LAN. If access should be restricted more precisely, use a Local service ACL exception rule.
For an ACL exception, keep the values as narrow as possible:
- Source zone: the zone used for administration
- Source Network / Host: the admin IP or management network
- Services: SSH
- Action: Accept

SSH should not be reachable from the internet without tight restrictions. If external access is required, allow it only from a defined source IP, through VPN or through a dedicated support access setup.
Add a public key for admin
For SSH access, public key authentication is the preferred method. On Sophos Firewall, the public key can be added for the admin user under Administration > Device access.
⚠️ SSH login to Sophos Firewall is only possible with the admin user. Other WebAdmin users cannot log in via SSH.
The public key is added in Public key authentication for admin:
- Open Administration.
- Select Device access.
- Scroll to Public key authentication for admin.
- Turn on Enable authentication.
- Add the public key under Authorized keys.
- Save with Apply.

The private key always remains on the admin client and must not be shared. Only the public key is stored on the firewall.
Connect from macOS or Linux
On macOS and Linux, an SSH client is usually already installed. The connection is made from Terminal.
Example:
ssh admin@192.0.2.1
Replace 192.0.2.1 with the IP address or DNS name of the Sophos Firewall.
On the first connection, the SSH client asks whether the host fingerprint should be accepted. Compare the fingerprint with the value you obtained from the firewall through a trusted channel, and confirm it only if it matches.
Depending on the configuration, the password for the admin user is requested or the login is performed with the configured SSH key.
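The fingerprint check above is easy to skip when the prompt appears. The following shell functions are an added example, not part of the original guide: they record the firewall's host key that you obtained out of band in a dedicated known_hosts file, refuse to overwrite a changed key, and then connect as admin with strict host key checking, key-only authentication and password authentication disabled. 192.0.2.1 is the guide's documentation address; the key material shown in comments is a constructed placeholder, not a real key; the file locations are assumptions.

```shell
# Added example (not Sophos code). Assumed file for pinned firewall host keys.
KNOWN_HOSTS=${KNOWN_HOSTS:-"$HOME/.ssh/sophos_known_hosts"}

# pin_host_key HOST KEYTYPE BASE64KEY [FILE]
# Store a host key obtained through a trusted channel, e.g.
#   pin_host_key 192.0.2.1 ssh-ed25519 AAAA...placeholder...
# The entry format is the one OpenSSH uses in known_hosts.
pin_host_key() {
    host=$1; ktype=$2; kdata=$3; f=${4:-$KNOWN_HOSTS}
    mkdir -p "$(dirname "$f")"
    # A different key for an already pinned host is a change that must be
    # investigated, never silently accepted.
    if grep -q "^$host " "$f" 2>/dev/null && ! grep -qxF "$host $ktype $kdata" "$f"; then
        echo "host key for $host differs from the pinned one; refusing to update" >&2
        return 1
    fi
    # Idempotent: append only if the exact line is not present yet.
    grep -qxF "$host $ktype $kdata" "$f" 2>/dev/null || printf '%s %s %s\n' "$host" "$ktype" "$kdata" >> "$f"
    chmod 600 "$f"
}

# is_pinned HOST FILE: succeed if a key for HOST is recorded.
is_pinned() { grep -q "^$1 " "$2" 2>/dev/null; }

# Print the SHA256 fingerprints of all pinned keys, the same format the ssh
# client shows at the first-connection prompt, for side-by-side comparison.
show_pinned_fingerprints() { ssh-keygen -lf "${1:-$KNOWN_HOSTS}"; }

# sfos_ssh HOST [PRIVATE_KEY]
# Connect as admin. Only the pinned host key is accepted, only the given
# identity is offered, and password login is never attempted.
sfos_ssh() {
    host=$1; key=${2:-"$HOME/.ssh/id_ed25519"}
    is_pinned "$host" "$KNOWN_HOSTS" || { echo "no pinned host key for $host" >&2; return 1; }
    ssh -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o PasswordAuthentication=no \
        -o IdentitiesOnly=yes \
        -i "$key" "admin@$host"
}
```

Because StrictHostKeyChecking=yes is set, a host that is not pinned or whose key has changed is rejected instead of prompting, so the trust decision is made once, from the value you verified, rather than at each interactive prompt.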
Connect with PuTTY
On Windows, you can use Windows Terminal with OpenSSH or PuTTY.
For PuTTY:
- Open PuTTY.
- Enter the IP address or DNS name of the Sophos Firewall under Host Name.
- Set Port to 22.
- Set Connection type to SSH.
- Connect with Open.
- Check and accept the SSH fingerprint.
- Log in as admin and use the password or SSH key, depending on the configuration.
After login, the Sophos Firewall console menu appears.
Open Device Console or Advanced Shell
After a successful SSH login, the firewall shows a console menu. Which option to choose depends on the task.
For many SFOS commands, use:
4. Device Console
For deeper Linux or filesystem tasks, open the Advanced Shell:
5. Device Management > Advanced Shell
The Advanced Shell provides very broad access to the system. Only run commands there when their effect is clear.
End the connection
When the work is complete, end the SSH session cleanly:
exit
If you are in a submenu, you may need to return to the main menu first and then close the session.
Common issues
Connection refused
If the connection is refused, SSH is usually not allowed on the firewall for the selected zone or source. Check Administration > Device access.
Connection times out
A timeout often means the firewall cannot be reached through the selected IP address, a route is missing or an upstream firewall is blocking access.
Login fails
If login fails, check the admin user, the password or SSH key and the allowed source networks.
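The three failure modes above look similar from the ssh prompt but have different causes. The following shell function is an added example, not part of the original guide: it makes a plain TCP connect to port 22 with a time limit and reports whether the port is open, the connection was refused (the firewall is reachable but SSH is not allowed for this zone or source), the attempt timed out (routing or an upstream firewall), or the host is unreachable. It assumes bash and the coreutils timeout command are installed on the admin client; bash's /dev/tcp pseudo-device is used so that no extra tools are needed.

```shell
# Added example (not Sophos code). probe_ssh HOST [PORT] [SECONDS]
# Prints one of: open, refused, timeout, unreachable.
probe_ssh() {
    host=$1; port=${2:-22}; secs=${3:-5}
    rc=0
    # bash opens a TCP connection when a file descriptor is redirected to
    # /dev/tcp/HOST/PORT; timeout bounds the attempt so a dropped SYN does
    # not hang the check. stderr is captured to tell refused from unreachable.
    err=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) && rc=0 || rc=$?
    case $rc in
        0)   echo "open" ;;          # SSH is listening and allowed from here
        124) echo "timeout" ;;       # no answer: check routes and upstream firewalls
        *)
            if printf '%s' "$err" | grep -qi "refused"; then
                echo "refused"       # reachable, but SSH not allowed: Device access
            else
                echo "unreachable"   # no route to host or name resolution failed
            fi ;;
    esac
}

# Example use on the guide's documentation address:
#   probe_ssh 192.0.2.1
```

Run it before opening a support case: "refused" points at Administration > Device access or the ACL exception, while "timeout" or "unreachable" means the packet never arrived and the path to the firewall needs checking first.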