To totally unlock this section you need to Log-in
The following are useful command line procedures for the Sophos UTM platform.
Application Control Log (V9.3)
The application control log only lists the application ID. For example, this log excerpt shows app=”127″:
# tail -f /var/log/afc.log
2015:06:02-11:07:20 utm205 ulogd: id=”2017″ ... sub=”packetfilter” name=”AFC Alert” action=”log” fwrule=”2″ outitf=”eth1″ mark=”0x307f” app=”127″...
What application is this rule about?
Application Flow Control uses a lookup file to translate the app number to a text name. On version 9.312, this lookup file can be found at:
However, Sophos includes a handy tool to make watching your logs in realtime easier. Let's use:
tail -f /var/log/afc.log | afc-mark-filter.pl
And now the log has the text label added to the end of the log line:
Packet Filter Commands
To view automatic firewall rules from command line:
# iptables -L AUTO_FORWARD
# iptables -L -nv
Clear Buffer Memory ( Useful for any Linux)
free -k; sync; echo 3 > /proc/sys/vm/drop_caches; free -k
Memory Leak Observation
slabtop -d 60 -s c
Run Astaro HTTP proxy database locally
- Connect through ssh to ASG and login with loginuser
- su – root
- cc set http sc_local_db [disk][mem][none] (Choose what you prefer, the best is to redirect to RAM using mem, but only for RAM > 1GB)
- Restart the http proxy by using: /var/mdw/scripts/httpproxy restart
Websurfing will be extremely slow until the database has downloaded and been put into place. The time is link speed dependent.
In case it is not obvious, all the start scripts are in /var/mdw/scripts/
View the link speed for the ASG’s interfaces?
Bandwidth usage – IFTOP
Sophos UTM also offers the command iftop to see the live traffic and traffic statistics. One can see the traffic live on an interface for Source Host, Destination Host, and Ports. The peak and accumulative traffic is also displayed.
root # iftop -i eth1
-n – toggle DNS host resolution
-P – pause display
-s – toggle show source host
—h – toggle this help display
-d – toggle show destination host
—b – toggle bar graph display
-t – cycle line display mode
–B – cycle bar graph average
-T – toggle cummulative line totals
-j/k – scroll display
-N – toggle service resolution
—f – edit filter code
-S – toggle show source port
-l – set screen filter
-D – toggle show destination port
-L – lin/log scales -p – toggle port display
-! – shell command
-q – quit
1/2/3 – sort by 1st/2nd/3rd column
< – sort by source name
> – sort by dest name
o – freeze current order
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_establ ished=86400
Number of established connections
less /proc/net/ip_conntrack | grep ESTA | wc -l
Number of all connections
less /proc/net/ip_conntrack | wc -l
Number of connections with status WAIT (close_wait)
less /proc/net/ip_conntrack | grep WAIT | wc –l
Saving Snapshots of TOP automatically every half hour
Create a cron job that contains the following command:
top -b -n 1 >> /tmp/top-report.txt
Create an entry for each CPU core, and possibly another if the CPU(s) has hyperthreading:
Stopped and started again the HTTP proxy
service mdw restart (from root)
Warning: it doesn’t cause a complete reboot, but it does cause an HA failover, interruption of any up/downloads and VoIP calls, etc.
Find what is taking the space type:
- df will only tell you how full the disk is.
- du will tell you what files/folders are using the most space.
We recommend the following commands to find the offending directories:
du -sh *
What kind of CPU
Determine if the disk is overloaded
vmstat -d 5
vmstat -d | head -2 ; vmstat -d 5 | grep hda
If hda is your hard disk; sda for SCSI. That should have similar output. The ‘5’ is 5 second updates.
You will have to look at the differences between the lines to figure out how many IO’s you’re getting in those 5 seconds, and whether you’re saturating the disk or not.
See detailed info about your eth
# ethtool eth1
Webadmin passwd lost
A user may use the following commands to reset the system passwords:
Upon saving the file and exiting, the admin may immediately navigate to WebAdmin and re-specify all passwords for the system accounts of Astaro Security Linux.
DNS Flush cache option missing in V7 and above
The current workaround is to restart the DNS proxy from the command line as root with the following command:
To change version number
Login on Sophos UTM as loginuser:
Save the file and then restart the ASG so the new version is displayed in Webadmin dashboard.
Change NIC order
Login on Sophos UTM as loginuser:
Save the file and restart the ASG so the new order is loaded.
Locked out – How to regain all logins V7.2
- Shutdown the firewall and connect a screen and a keyboard to the firewall.
- Power on the firewall, wait until the GRUB-loader starts and press ESC.
- Select Astaro Security Gateway 7.2 (Not previous or rescue!).
- Press e to edit and select the 2nd entry.
- Press e once again and enter init=/bin/bash.
- Press ENTER and b to boot up.
- Now you are able to change the passwords for loginuser and root.
- After that press CTRL + ALT + DEL to reboot the system and wait until you get the login prompt
Reset to factory settings
Login the command-line as loginuser, afterwards as root and enter following commands to restore to factory settings:
cc [Press ENTER]
RAW [Press ENTER]
system_factory_reset [Press ENTER]
The system will automatically shutdown when it’s finished.