{"id":161490,"date":"2024-09-03T15:02:02","date_gmt":"2024-09-03T14:02:02","guid":{"rendered":"https:\/\/www.avanet.com\/kb\/sophos-firewall-troubleshooting-basic-commands\/"},"modified":"2024-09-03T15:07:37","modified_gmt":"2024-09-03T14:07:37","slug":"sophos-firewall-troubleshooting-basic-commands","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-troubleshooting-basic-commands\/","title":{"rendered":"Sophos Firewall Troubleshooting &#8211; Tips &amp; Tricks for the CLI"},"content":{"rendered":"\n<p>As an IT administrator responsible for managing Sophos Firewall, an in-depth knowledge of the Command Line Interface (CLI) is essential.\nThe CLI provides powerful tools and commands that not only allow you to efficiently navigate through the system directories, but also perform detailed analysis and troubleshooting.\nIn this article, we&#8217;ll show you how to make the most of Sophos Firewall&#8217;s CLI to browse logs, monitor network connections, securely transfer files and start services in debug mode.\nThis guide will help you to understand the most important commands and use them in your daily work.   
<\/p>\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Topics<\/h2><nav><ul><li class=\"\"><a href=\"#navigieren-in-der-sophos-shell\"><a href=\"#navigieren-in-der-sophos-shell\">Navigating in the Sophos shell<\/a><\/a><\/li><li class=\"\"><a href=\"#logs-anzeigen-und-durchsuchen\"><a href=\"#logs-anzeigen-und-durchsuchen\">Display and search logs<\/a><\/a><ul><li class=\"\"><a href=\"#tail-log-in-echtzeit-uberwachen\"><a href=\"#tail-log-in-echtzeit-uberwachen\">tail &#8211; monitor log in real time<\/a><\/a><\/li><li class=\"\"><a href=\"#grep-logs-filtern\"><a href=\"#grep-logs-filtern\">grep &#8211; Filter logs<\/a><\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#conntrack-und-tcp-dump\"><a href=\"#conntrack-und-tcp-dump\">Conntrack and TCP Dump<\/a><\/a><ul><li class=\"\"><a href=\"#conntrack\"><a href=\"#conntrack\">Conntrack<\/a><\/a><\/li><li class=\"\"><a href=\"#tcpdump\">tcpdump<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#dateien-herunterladen-und-hochladen\"><a href=\"#dateien-herunterladen-und-hochladen\">Download and upload files<\/a><\/a><\/li><li class=\"\"><a href=\"#liste-aller-firewall-services-und-dessen-logs\"><a href=\"#liste-aller-firewall-services-und-dessen-logs\">List of all firewall services and their logs<\/a><\/a><ul><li class=\"\"><a href=\"#firewall-services-auflisten\"><a href=\"#firewall-services-auflisten\">List firewall services<\/a><\/a><\/li><li class=\"\"><a href=\"#debug-log\"><a href=\"#debug-log\">Debug log<\/a><\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#letzte-worte\"><a href=\"#letzte-worte\">Last words<\/a><\/a><\/li><\/ul><\/nav><\/div>\n\n<h2 class=\"wp-block-heading\" id=\"navigieren-in-der-sophos-shell\">Navigating in the Sophos shell<\/h2>\n\n<p><br\/>In the Sophos Shell, you can search the directory structure using simple Linux commands.\nFor example, to display the existing log files in the \/log directory, you can use the following command: <\/p>\n\n<pre 
class=\"wp-block-code\"><code>cd \/log\nls -la<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>cd \/log<\/strong>: Changes to the \/log directory where the Sophos Firewall log files are located.<\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li><strong>ls -la<\/strong>: Lists all files in the current directory in detail, including hidden files.\nThe -l option shows detailed information such as file size and timestamp, while -a lists all files including the hidden ones.<\/li>\n<\/ul>\n\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-48c10d1\" data-block-id=\"48c10d1\"><style>.stk-48c10d1 .stk-img-figcaption{color:#abb7c2 !important;text-align:center !important}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch stk--has-lightbox\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-161479\" src=\"https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la.jpg\" width=\"1985\" height=\"1561\" alt=\"Sophos Firewall - Advanced Shell -ls -la in the log directory\" srcset=\"https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la.jpg 1985w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-300x236.jpg 300w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-1024x805.jpg 1024w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-768x604.jpg 768w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-1536x1208.jpg 1536w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-600x472.jpg 600w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-ls-la-64x50.jpg 64w\" sizes=\"auto, (max-width: 1985px) 100vw, 1985px\" \/><\/span><figcaption class=\"has-text-color stk-img-figcaption\">Sophos Firewall &#8211; Advanced Shell &#8211; ls -la in the log directory<\/figcaption><\/figure><\/div>\n\n<p>To display the files sorted by size, you can extend the ls command as follows:<\/p>\n\n<pre 
class=\"wp-block-code\"><code>ls -lSrh<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>-lSrh<\/strong>: These options list the files in detailed form (-l), sorted by size (-S) in reverse order (-r) so that the largest files appear at the end of the list, with sizes in a readable form (-h for &#8220;human-readable&#8221;).<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"logs-anzeigen-und-durchsuchen\">Display and search logs<\/h2>\n\n<p>Searching and analyzing log files is one of the most common troubleshooting tasks.\nThe <strong>cat<\/strong>, <strong>tail<\/strong> and <strong>grep<\/strong> commands are extremely useful for this. <\/p>\n\n<h3 class=\"wp-block-heading\" id=\"tail-log-in-echtzeit-uberwachen\">tail &#8211; monitor log in real time<\/h3>\n\n<p>To track the contents of a log file in real time, you can use the <strong>tail<\/strong> command:<\/p>\n\n<pre class=\"wp-block-code\"><code>tail -f smtpd_main.log<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>tail -f<\/strong>: Displays the last lines of the smtpd_main.log file and updates it in real time when new entries are added.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\" id=\"grep-logs-filtern\">grep &#8211; Filter logs<\/h3>\n\n<p>To search for a specific term, e.g. 
a domain or e-mail address, in a log file, you can use <strong>grep<\/strong>:<\/p>\n\n<pre class=\"wp-block-code\"><code>cat smtpd_main.log | grep \"avanet.com\"<\/code><\/pre>\n\n<p>Or, to monitor the IPsec log in real time and display only the entries for one IP address:<\/p>\n\n<pre class=\"wp-block-code\"><code>tail -f strongswan.log | grep 46.33.21.12<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>grep<\/strong>: In the first example, searches the smtpd_main.log file for lines containing the term &#8220;avanet.com&#8221;; in the second, filters the live output of strongswan.log for the IP address.<\/li>\n<\/ul>\n\n<p>Other useful options for grep:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>-i<\/strong>: Ignores upper and lower case when searching.<\/li>\n\n\n\n<li><strong>-n<\/strong>: Displays the line numbers of the hits.<\/li>\n\n\n\n<li><strong>-m 1<\/strong>: Ends the search after the first hit.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"conntrack-und-tcp-dump\">Conntrack and TCP Dump<\/h2>\n\n<p>Sophos Firewall provides powerful tools for analyzing network connections and traffic.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"conntrack\">Conntrack<\/h3>\n\n<p>With <strong>conntrack<\/strong> you can monitor active connections:<\/p>\n\n<pre class=\"wp-block-code\"><code>conntrack -L | grep \"10.128.138.150\"<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>conntrack -L<\/strong>: Lists all active connections on the firewall.<\/li>\n\n\n\n<li><strong>grep &#8220;IP address&#8221;<\/strong>: Filters the connections associated with the specified IP address.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\" id=\"tcpdump\">tcpdump<\/h3>\n\n<p>To analyze network traffic directly, you can use <strong>tcpdump<\/strong>:<\/p>\n\n<pre class=\"wp-block-code\"><code>tcpdump -i any port 80<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>tcpdump -i any<\/strong>: Monitors all network traffic on all interfaces.<\/li>\n\n\n\n<li><strong>port 80<\/strong>: Filters the traffic that runs via port 80 
(HTTP).<\/li>\n<\/ul>\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The topic tcpdump is covered in a separate article, as it is very extensive: <a href=\"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-tcpdump-tool-logs-collect\/\">Sophos Firewall &#8211; collecting logs with TCPDump for analysis<\/a><\/p>\n<\/blockquote>\n\n<h2 class=\"wp-block-heading\" id=\"dateien-herunterladen-und-hochladen\">Download and upload files<\/h2>\n\n<p>To download files from the firewall, you can use tools such as WinSCP or, on macOS, Cyberduck.\nYou must first ensure that SSH access to the firewall is permitted.\nYou can then connect with the tool and transfer files easily.<\/p>\n\n<p>You can use ftpput to upload files to an FTP server:<\/p>\n\n<pre class=\"wp-block-code\"><code>ftpput -u username -p password ftp.server.com \/path\/to\/upload\/file.log<\/code><\/pre>\n\n<pre class=\"wp-block-code\"><code>ftpput -u sophostransfer@avanet.com -p 'UrXPMmGYXtAsaX6?LnAJx3fgrK' www.avanet.com strongswan.log<\/code><\/pre>\n\n<ul class=\"wp-block-list\">\n<li><strong>ftpput<\/strong>: Transfers a file to an FTP server.<\/li>\n\n\n\n<li><strong>-u username -p password<\/strong>: Authenticates with the specified FTP login data. Put the password in single quotes if it contains characters that the shell interprets, such as ? or $.<\/li>\n\n\n\n<li><strong>ftp.server.com<\/strong>: Address of the FTP server.<\/li>\n\n\n\n<li><strong>\/path\/to\/upload\/file.log<\/strong>: Path to the local file to be uploaded.<\/li>\n<\/ul>\n\n<p>Alternatively, you can also use the <strong>curl<\/strong> command to upload files to an FTP server; with --ftp-ssl, curl tries to use TLS for the connection:<\/p>\n\n<pre class=\"wp-block-code\"><code>curl --ftp-ssl ftp:\/\/www.avanet.com -u 'sophostransfer@avanet.com:Ur$tAs3fg46rK' -v -T {\/tmp\/ips.log,\/tmp\/applog.log,\/tmp\/csc.log,\/tmp\/u2d.log}<\/code><\/pre>\n\n<h2 class=\"wp-block-heading\" id=\"liste-aller-firewall-services-und-dessen-logs\">List of all firewall services and their logs<\/h2>\n\n<p>Sophos has an excellent list of all services and the corresponding 
logs: Sophos KB: <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/19.0\/Help\/en-us\/webhelp\/onlinehelp\/AdministratorHelp\/Logs\/LogFileDetails\/index.html\" target=\"_blank\" rel=\"noreferrer noopener\">Log file details<\/a>.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"firewall-services-auflisten\">List firewall services<\/h3>\n\n<p>This Advanced Shell command lists all active services and their status:<\/p>\n\n<pre class=\"wp-block-code\"><code>service -S<\/code><\/pre>\n\n<p>If you only need the status of a single service, you can combine <strong>service<\/strong> -S with grep:<\/p>\n\n<pre class=\"wp-block-code\"><code>service -S | grep strongswan<\/code><\/pre>\n\n<p>On the Firewall Console, the following command does the same:<\/p>\n\n<pre class=\"wp-block-code\"><code>system diagnostics show subsystem-info<\/code><\/pre>\n\n<h3 class=\"wp-block-heading\" id=\"debug-log\">Debug log<\/h3>\n\n<p>Debug mode is essential when normal logs do not provide enough information to understand a problem.\nCompared to normal log mode, which only records basic events and error messages, debug mode provides deeper, more detailed logging.\nIt captures more comprehensive data and internal processes that are not visible during normal operation.\nThis makes it possible to precisely identify complex or rare errors, which is particularly helpful when diagnosing problems that could be overlooked in normal log mode.   
<\/p>\n\n<p><br\/>To start a specific service in debug mode, you can use the following command:<\/p>\n\n<pre class=\"wp-block-code\"><code>service ips:debug -ds nosync<\/code><\/pre>\n\n<p>So that the debug log cannot fill the hard disk, you should deactivate debug mode again after some time. The same command toggles debug mode, so running it a second time switches it off:<\/p>\n\n<pre class=\"wp-block-code\"><code>service ips:debug -ds nosync<\/code><\/pre>\n\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-6d14ac8\" data-block-id=\"6d14ac8\"><style>.stk-6d14ac8 .stk-img-figcaption{color:#abb7c2 !important;text-align:center !important}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch stk--has-lightbox\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-161484\" src=\"https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode.jpg\" width=\"1945\" height=\"1017\" alt=\"Sophos Firewall - Advanced Shell - Debug mode\" srcset=\"https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode.jpg 1945w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-300x157.jpg 300w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-1024x535.jpg 1024w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-768x402.jpg 768w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-1536x803.jpg 1536w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-600x314.jpg 600w, https:\/\/www.avanet.com\/assets\/sophos-firewall-advanced-shell-debug-mode-64x33.jpg 64w\" sizes=\"auto, (max-width: 1945px) 100vw, 1945px\" \/><\/span><figcaption class=\"has-text-color stk-img-figcaption\">Sophos Firewall &#8211; Advanced Shell &#8211; Debug Mode<\/figcaption><\/figure><\/div>\n\n<p>We have described the topic of services and restarting in more detail in this article: <a href=\"https:\/\/www.avanet.com\/en\/kb\/how-to-restart-services-on-sophos-firewall\/\">Restarting 
Sophos Firewall services<\/a><\/p>\n\n<h2 class=\"wp-block-heading\" id=\"letzte-worte\">Last words<\/h2>\n\n<p>Navigating and working on the Sophos shell may seem complex at first, but with the right commands you can identify and fix problems quickly and efficiently.\nThis guide is designed to help you understand and use the most important commands effectively.\nA solid knowledge of the CLI can significantly improve your ability to solve problems. Alternatively, our support is of course also available.<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-161490","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/161490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/5"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=161490"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=161490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}