{"id":161472,"date":"2023-04-25T07:50:18","date_gmt":"2023-04-25T06:50:18","guid":{"rendered":"https:\/\/www.avanet.com\/kb\/sophos-firewall-run-scripts\/"},"modified":"2024-09-03T12:38:41","modified_gmt":"2024-09-03T11:38:41","slug":"sophos-firewall-run-scripts","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-run-scripts\/","title":{"rendered":"Sophos Firewall &#8211; Run script without cronjob"},"content":{"rendered":"\n<p>This post is about how to run a script on a Sophos Firewall without using a cronjob, as the Sophos Firewall does not allow you to create a cronjob.<\/p>\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Topics<\/h2><nav><ul><li class=\"\"><a href=\"#warum-ein-skript-auf-der-sophos-firewall-ausfuhren\"><a href=\"#warum-ein-skript-auf-der-sophos-firewall-ausfuhren\">Why run a script on the Sophos Firewall?<\/a><\/a><\/li><li class=\"\"><a href=\"#schreibrechte-fur-das-dateisystem-aktivieren\"><a href=\"#schreibrechte-fur-das-dateisystem-aktivieren\">Activate write permissions for the file system<\/a><\/a><\/li><li class=\"\"><a href=\"#skript-erstellen-oder-bearbeiten\"><a href=\"#skript-erstellen-oder-bearbeiten\">Create or edit script<\/a><\/a><\/li><li class=\"\"><a href=\"#anderungen-speichern-und-dateisystem-wieder-schreibschutzen\"><a href=\"#anderungen-speichern-und-dateisystem-wieder-schreibschutzen\">Save changes and write-protect file system again<\/a><\/a><\/li><li class=\"\"><a href=\"#beispiel-fur-ein-heartbeat-skript\"><a href=\"#beispiel-fur-ein-heartbeat-skript\">Example of a heartbeat script<\/a><\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\" id=\"warum-ein-skript-auf-der-sophos-firewall-ausfuhren\">Why run a script on the Sophos Firewall?<\/h2>\n\n<p>In certain situations, it may be necessary to run a custom script on the Sophos Firewall.\nThis can be used, for example, to customize network settings, to regularly send heartbeat signals to monitoring 
services or to change firewall rules.\nOften this functionality should be retained even after a restart of the firewall, which means that the default configuration of the Sophos Firewall must be adjusted.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"schreibrechte-fur-das-dateisystem-aktivieren\">Activate write permissions for the file system<\/h2>\n\n<p>By default, the Sophos Firewall file system is read-only.\nTo make changes to scripts, it must first be mounted with write permissions:<\/p>\n\n<pre class=\"wp-block-code\"><code>mount -no remount,rw \/<\/code><\/pre>\n\n<h2 class=\"wp-block-heading\" id=\"skript-erstellen-oder-bearbeiten\">Create or edit script<\/h2>\n\n<p>Next, you can create a script or edit an existing script.\nIn this example, a user-defined script is created that sets certain network rules:<\/p>\n\n<pre class=\"wp-block-code\"><code>vi \/scripts\/system\/clientpref\/customization_application_startup.sh<\/code><\/pre>\n\n<p>Add the following content:<\/p>\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/sh\niptables -t mangle -D POSTROUTING -d 172.19.0.0\/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900\nexit 0<\/code><\/pre>\n\n<p>This command removes an existing rule and sets a new rule to set the maximum segment size (MSS) for TCP connections to 900 bytes.<\/p>\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/expect -f\nspawn ssh &lt;Sophos Firewall IP&gt; -l admin\nexpect \"password:\"\nsend \"&lt;Admin Password&gt;\\r\"\nexpect \"Select Menu Number \\\\\\&#91;0-7\\\\\\]:\"\nsend \"7\\r\"\nexpect \"Shutdown(S\/s) or Reboot(R\/r) Device  (S\/s\/R\/r):  No (Enter) &gt;\"\nsend \"r\\r\"\nexpect eof\nexit<\/code><\/pre>\n\n<p>This command ensures that the Sophos Firewall restarts every night.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"anderungen-speichern-und-dateisystem-wieder-schreibschutzen\">Save changes and write-protect file system again<\/h2>\n\n<p>After the script has been edited, the 
changes should be saved and the write protection of the file system reactivated:<\/p>\n\n<pre class=\"wp-block-code\"><code>mount -no remount,ro \/<\/code><\/pre>\n\n<p>To ensure that the script is also executed after a restart of the firewall, it must be integrated into the start procedure of the firewall.\nThe previously edited script (customization_application_startup.sh) is executed each time the firewall is started and ensures that the desired settings are applied.<\/p>\n\n<h2 class=\"wp-block-heading\" id=\"beispiel-fur-ein-heartbeat-skript\">Example of a heartbeat script<\/h2>\n\n<p>If it is necessary to send a heartbeat to a monitoring service such as UptimeRobot, you can use the following example:<\/p>\n\n<p>1. Create a new script:<\/p>\n\n<pre class=\"wp-block-code\"><code>touch \/var\/script.sh<\/code><\/pre>\n\n<p>2. Edit the script:<\/p>\n\n<pre class=\"wp-block-code\"><code>vi \/var\/script.sh<\/code><\/pre>\n\n<p>3. Add your content; here is an example:<\/p>\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/sh\nwhile &#91; 1 ];\ndo\ncurl --insecure https:\/\/heartbeat.uptimerobot.com\/xxxxxxx-20cf67c87a3c0a318820d201f19483e06c99c9f7 &gt;\/dev\/null 2&gt;&amp;1\nsleep 60 ;\ndone<\/code><\/pre>\n\n<p>4. Make the script executable:<\/p>\n\n<pre class=\"wp-block-code\"><code>chmod 755 \/var\/script.sh<\/code><\/pre>\n\n<p>5. Execute the script:<\/p>\n\n<pre class=\"wp-block-code\"><code>\/var\/script.sh &gt;&gt; \/dev\/null 2&gt;&amp;1 &amp;<\/code><\/pre>\n\n<p>6. 
To run the script automatically even after a restart, add the following line to the file customization_application_startup.sh:<\/p>\n\n<pre class=\"wp-block-code\"><code>\/var\/script.sh &gt;&gt; \/dev\/null 2&gt;&amp;1 &amp;<\/code><\/pre>\n\n<p><strong>Important notes<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>High Availability (HA) Cluster<\/strong>: When using an HA cluster, the script must be applied to both nodes.<\/li>\n\n\n\n<li><strong>Persistence across restarts<\/strong>: If the script is to be executed each time the firewall is restarted, the steps described for integration into the start procedure must be carried out.<\/li>\n\n\n\n<li><strong>Risks<\/strong>: Care should be taken when making changes to the firewall start scripts, as incorrect settings can impair the functionality of the firewall.<\/li>\n<\/ul>\n","protected":false},"author":1,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-161472","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/161472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/1"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=161472"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=161472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}