
How to Configure Sophos Firewall XGS Rules and NAT from the CLI

Access the Sophos Firewall XGS device console, inspect and tune firewall rules and NAT, and troubleshoot dropped traffic with real CLI commands like drop-packet-capture and tcpdump.

The Sophos Firewall XGS is administered primarily through its web console (Sophos Firewall OS, SFOS), but the command-line console is indispensable for diagnostics, troubleshooting dropped traffic, and a handful of low-level system settings. This guide from SKYLINE walks through accessing the console, working with firewall rules and NAT, and capturing live traffic, using only SFOS commands that exist on the device. When you are unsure of a command's arguments, press Tab to list the valid completions or type ? for a description of each.

1. Accessing the Sophos Firewall Console

You can reach the console two ways: a physical serial/RJ45 console cable, or remotely over SSH (for example with PuTTY). SSH access must be enabled first — by default it is restricted. Connect to the firewall's management IP on the SSH port and log in with the admin credentials. You are presented with the SFOS Main Menu:

1.  Network Configuration
2.  System Configuration
3.  Route Configuration
4.  Device Console
5.  Device Management
6.  VPN Management
7.  Shutdown/Reboot Device
0.  Exit

For rule, NAT and traffic diagnostics, choose option 4 (Device Console). From there you can list available commands by pressing Tab:

console> clear                ping       telnet
         disableremote        ping6      telnet6
         dnslookup            set        traceroute
         dnslookup6           show       traceroute6
         drop-packet-capture  system     tcpdump
         enableremote

2. Enabling and Disabling Remote SSH

To allow remote SSH connections to the firewall (for example to manage it from your management subnet), use:

console> enableremote

To turn SSH access off again when you are done:

console> disableremote

Always restrict SSH to trusted management networks in your firewall policy — never expose the console to the WAN.

3. Inspecting Firewall Rules and NAT

The show command displays current configuration objects. Useful read-only views include:

console> show nat-policy
console> show advanced-firewall
console> show ips-settings
console> show static-route
console> show interfaces

Firewall rules and NAT rules themselves are created and edited in the web console, not the CLI. In the web admin:

  • Firewall rules: go to PROTECT > Rules and policies > Firewall rules. Each rule defines a source zone, source networks, destination zone, destination networks, services, and the action (Accept/Drop/Reject). Build least-privilege rules — avoid setting services to Any.
  • NAT rules: go to PROTECT > Rules and policies > NAT rules. Use SNAT (masquerading) with the outbound interface set to your WAN for outbound traffic, and DNAT (or Full NAT) with the inbound WAN interface specified to publish internal servers on a public IP.

The CLI is then used to verify and troubleshoot what those web rules actually do to live traffic.

4. Translating System-Generated Traffic with sys-traffic-nat

Forwarded traffic is NAT-ed by your NAT rules, but traffic the firewall itself generates (authentication, DHCP relay, and similar) is handled separately. Translate system-generated traffic with the set advanced-firewall sys-traffic-nat subcommand from the device console (Main Menu option 4). For example:

console> set advanced-firewall sys-traffic-nat add destination <ip> netmask <mask> interface <iface> snatip <ip>

As always, press ? after set advanced-firewall to see the exact supported arguments for your SFOS version before applying changes.

5. Route Precedence (SD-WAN / Static / VPN ordering)

When multiple route types could match a flow, SFOS uses a configurable precedence order. Check the current order with:

console> system route_precedence show

And change it (for example to make static routes take priority over SD-WAN policy routes) with:

console> system route_precedence set

This is a common fix when VPN or SD-WAN traffic takes an unexpected path.

6. Hardware Acceleration (Xstream FastPath)

XGS appliances offload trusted flows to the Xstream Flow processor. The system command follows the pattern system [command] [option] <value>. For example, to enable firewall acceleration:

console> system firewall-acceleration enable

Disable it only for deep troubleshooting, as it materially affects throughput.

7. Troubleshooting Dropped Traffic with drop-packet-capture

When a rule isn't matching as expected, drop-packet-capture shows packets the firewall is dropping, with filter expressions just like tcpdump. For example, to watch drops for one host while excluding noisy NetBIOS:

console> drop-packet-capture 'host 192.168.10.50 and not port 137'

If the packets show up as dropped, a firewall or NAT rule (or the top-down order in which the rules are evaluated) is the likely cause: adjust the rule in the web console and re-test.
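The rule-order failure described here (and the least-privilege advice in section 3) is easy to model. The following is an added illustration, not SFOS code and not part of the original SKYLINE guide: a first-match evaluator over rules with the fields the article lists (source zone and network, destination zone and network, service, action), plus a check that reports rules shadowed by an earlier, broader rule. The rule base, zone names and the 10.0.5.20 server address are constructed for the example; 192.168.10.50 is the host from the drop-packet-capture filter above. The model is simplified: it treats services as exact strings and ignores NAT, user and schedule criteria.

```python
# Added illustration (not SFOS code): a first-match model of a rule base with the
# fields the article lists, plus a check for rules shadowed by an earlier, broader one.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name, or "Any"
    src_net: str    # CIDR, or "Any"
    dst_zone: str
    dst_net: str
    service: str    # "tcp/443", "udp/53", ... or "Any"
    action: str     # "Accept", "Drop" or "Reject"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    service: str


def _net_match(rule_net, ip):
    return rule_net == "Any" or ip_address(ip) in ip_network(rule_net, strict=False)


def _exact_match(rule_val, val):
    return rule_val == "Any" or rule_val == val


def matches(rule, flow):
    return (_exact_match(rule.src_zone, flow.src_zone)
            and _net_match(rule.src_net, flow.src_ip)
            and _exact_match(rule.dst_zone, flow.dst_zone)
            and _net_match(rule.dst_net, flow.dst_ip)
            and _exact_match(rule.service, flow.service))


def evaluate(rules, flow):
    """Top-down, first match wins; a flow that no rule matches hits the implicit drop."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return None, "Drop"


def _net_covers(broad, narrow):
    if broad == "Any":
        return True
    if narrow == "Any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def covers(broad, narrow):
    """True when every flow that matches `narrow` would already have matched `broad`."""
    return (_exact_match(broad.src_zone, narrow.src_zone) and _net_covers(broad.src_net, narrow.src_net)
            and _exact_match(broad.dst_zone, narrow.dst_zone) and _net_covers(broad.dst_net, narrow.dst_net)
            and _exact_match(broad.service, narrow.service))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed rule base: the specific Accept sits BELOW a broad Drop, so it never fires.
RULES = [
    Rule("Block-LAN-to-DMZ", "LAN", "192.168.10.0/24", "DMZ", "Any", "Any", "Drop"),
    Rule("Allow-HTTPS-to-App", "LAN", "192.168.10.0/24", "DMZ", "10.0.5.20/32", "tcp/443", "Accept"),
    Rule("Allow-DNS-out", "LAN", "192.168.10.0/24", "WAN", "Any", "udp/53", "Accept"),
]
# Same rules with the specific Accept moved above the broad Drop.
REORDERED = [RULES[1], RULES[0], RULES[2]]

HTTPS_FLOW = Flow("LAN", "192.168.10.50", "DMZ", "10.0.5.20", "tcp/443")

if __name__ == "__main__":
    print("as ordered:", evaluate(RULES, HTTPS_FLOW), "shadowed:", shadowed_rules(RULES))
    print("reordered: ", evaluate(REORDERED, HTTPS_FLOW), "shadowed:", shadowed_rules(REORDERED))
```

Run as-is and the first line shows the HTTPS flow hitting Block-LAN-to-DMZ with Allow-HTTPS-to-App reported as shadowed; after the swap the specific Accept fires and nothing is shadowed. Running shadowed_rules over an exported rule base before a change is a cheap way to catch exactly the ordering mistake that drop-packet-capture later reveals on live traffic.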

8. Full Packet Capture with tcpdump

For deeper analysis you can run a standard tcpdump across interfaces and write to a file for offline inspection:

console> tcpdump -i any -nn host 192.168.100.220 -w /tmp/capture.pcap &

Here -i any captures on every interface, -nn skips hostname and port-name resolution, host limits the capture to one address, and -w writes the raw packets to a file under /tmp. You can then download the pcap and open it in Wireshark. Stop a backgrounded capture before it fills the disk.
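Once the pcap is downloaded, the first question is usually which flows were in it and which connection attempts never got an answer. The following is an added example, not code from the original guide or from Sophos: a dependency-free reader for the classic pcap format the tcpdump command above writes, which decodes Ethernet/IPv4 frames and reports TCP SYNs that never received a SYN/ACK, the usual signature of traffic the firewall silently dropped. The sample capture is constructed in memory so the script runs offline; 192.168.100.220 is the host from the command above, while 203.0.113.10, 10.0.5.20 and 10.0.0.53 are made-up addresses. Only Ethernet link-layer captures are handled; IPv6 and non-IP frames are skipped.

```python
# Added illustration (not SFOS code): a minimal reader for the pcap file that the
# tcpdump command above writes, summarising flows and TCP SYNs that never got a SYN/ACK.
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _decode_frame(frame):
    """Pull addresses, protocol, ports and TCP flags out of one Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4; ARP, IPv6 etc. are ignored here
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = flags = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
    if proto == 6 and len(l4) >= 14:
        flags = l4[13]  # TCP flag byte: SYN=0x02, ACK=0x10
    name = {6: "tcp", 17: "udp", 1: "icmp"}.get(proto, str(proto))
    return {"src": src, "dst": dst, "proto": name, "sport": sport, "dport": dport, "flags": flags}


def parse_pcap(data):
    """Parse classic pcap bytes (either byte order) into (timestamp, packet dict) pairs."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled (linktype %d)" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        pkt = _decode_frame(frame)
        if pkt:
            packets.append((ts_sec + ts_usec / 1e6, pkt))
    return packets


def summarize(packets):
    """Count packets per (src, dst, proto, dport) and list SYNs that got no SYN/ACK back."""
    flows, syns, synacks = Counter(), set(), set()
    for _, p in packets:
        flows[(p["src"], p["dst"], p["proto"], p["dport"])] += 1
        if p["flags"] is not None and p["flags"] & 0x12 == 0x02:
            syns.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["flags"] is not None and p["flags"] & 0x12 == 0x12:
            synacks.add((p["dst"], p["dport"], p["src"], p["sport"]))  # keyed as the client saw it
    return flows, sorted(syns - synacks)


# --- constructed sample capture (built in memory so the example runs offline) ---
def _ipv4(src, dst, proto, payload):
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, a(src), a(dst)) + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def _record(ts, ip_packet):
    frame = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip_packet
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join([
    _record(1700000000, _ipv4("192.168.100.220", "203.0.113.10", 6, _tcp(51000, 443, 0x02))),  # SYN
    _record(1700000000, _ipv4("203.0.113.10", "192.168.100.220", 6, _tcp(443, 51000, 0x12))),  # SYN/ACK
    _record(1700000001, _ipv4("192.168.100.220", "10.0.5.20", 6, _tcp(51001, 443, 0x02))),     # SYN, no reply
    _record(1700000002, _ipv4("192.168.100.220", "10.0.5.20", 6, _tcp(51001, 443, 0x02))),     # retransmit
    _record(1700000003, _ipv4("192.168.100.220", "10.0.0.53", 17, _udp(40000, 53))),            # DNS query
])


def analyse(data):
    packets = parse_pcap(data)
    flows, unanswered = summarize(packets)
    return {"packets": len(packets), "flows": dict(flows), "unanswered_syns": unanswered}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for k, v in analyse(data).items():
        print(k, v)
```

Run it with the downloaded file as the only argument (for example the /tmp/capture.pcap written above) or with no argument to use the built-in sample, where the two SYNs from 192.168.100.220 to 10.0.5.20:443 are reported as unanswered. That list is the set of connections to check against the rule base and against drop-packet-capture output; the CIDR checksum fields in the constructed sample are left at zero because the reader does not verify them.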

9. Connectivity Diagnostics

The device console also includes the familiar network tools:

console> ping 8.8.8.8
console> traceroute 8.8.8.8
console> dnslookup sophos.com

Use IPv6 variants (ping6, traceroute6, dnslookup6) on dual-stack networks.

Need Help?

SKYLINE installs, configures, supports and troubleshoots Sophos Firewall XGS across Saudi Arabia. If you are sizing a rule base, debugging dropped traffic, or planning a migration in Riyadh, Jeddah or Dammam, our deep-dive deployment guide on Sophos XGS and Intercept X deployment for KSA goes further, or you can contact our engineers on +966 50 993 9334.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
