Commands

Uploaded by jagdishrj92

For routing issues:

How to change IP address on XG


ifconfig Port4 192.168.128.4 netmask 255.255.255.0
-----------------------------------------------------------------------------------
Routing table on XG for ipsec:
ip route show table 220

Routing table show all:


ip route show table all

console> system diagnostics utilities route runconfig-show


console> system diagnostics utilities arp show

• Move the log file to a temp location before extracting, because it cannot be extracted in place from the log file.
• Email protection – smtpd service
• Xstream firewall engine
• Sslx (snort)-service for web protection
• Ips (snort) service
• Sqllite (garner) - syslog (all events – heartbeat, endpoint certificates).
• Fast path fw doesn’t go through dpi.

===================================================================================
Memory issues:

XG210_WP03_SFOS 19.5.3 MR-3-Build652# df -kh


Filesystem Size Used Available Use% Mounted on
none 163.1M 11.0M 139.9M 7% /
none 3.8G 492.0K 3.8G 0% /dev

XG210_WP03_SFOS 19.5.3 MR-3-Build652# top


top - 17:13:21 up 12 days, 21:04, 3 users, load average: 2.39, 2.15, 2.03
Tasks: 389 total, 1 running, 387 sleeping, 0 stopped, 1 zombie
%Cpu(s): 11.8 us, 20.8 sy, 0.0 ni, 20.8 id, 37.7 wa, 0.0 hi, 9.0 si, 0.0 st
MiB Mem : 7750.7 total, 200.0 free, 7454.6 used, 96.1 buff/cache
MiB Swap: 6102.2 total, 3051.3 free, 3050.9 used. 17.4 avail Mem

XG210_WP03_SFOS 19.5.3 MR-3-Build652# csc custom status

=====
Wed Nov 15 17:08:18 2023
Listerner is in UNFREEZED STATE
Freeze INIT wait val : 10
Freeze wait val : 120
Opcode queue len : 50
Service queue len: 50

XG210_WP03_SFOS 19.5.3 MR-3-Build652# cat /proc/meminfo


MemTotal: 7936764 kB
MemFree: 209804 kB
MemAvailable: 27672 kB
Buffers: 13608 kB
Cached: 63068 kB
SwapCached: 713404 kB
XG210_WP03_SFOS 19.5.3 MR-3-Build652# ls -larth /var/cores/
-rw------- 1 root 0 19.9M Mar 9 2020 core.sandbox_reportd
-rw------- 1 root 0 17.2M Nov 11 2022 core.access_server
-rw------- 1 root 0 23.4M Jul 13 06:48 core.readobject
-rw------- 1 root 0 73.9M Sep 17 03:04 core.garner
drwxrwxrwt 2 root 0 4.0K Sep 17 23:58 .
drwxr-xr-x 46 root 0 4.0K Nov 15 16:17 ..
XG210_WP03_SFOS 19.5.3 MR-3-Build652#
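Added example (not part of the original notes): a small memory-pressure check built from the /proc/meminfo fields shown above. The functions read the live /proc/meminfo when called with no file argument; here they run against a constructed sample so the check works offline. The MemTotal and MemAvailable values are the ones from the output above; the SwapTotal/SwapFree lines are an assumption derived from the top output (6102.2 MiB total, 3051.3 MiB free) converted to kB, since the excerpt did not include them.

```shell
#!/bin/sh
# Added example, not from the original notes: memory-pressure check over
# /proc/meminfo. A box like the one above (MemAvailable ~27 MB of ~7.9 GB,
# half the swap in use) is the case this is meant to flag.

# Value of one /proc/meminfo key in kB, e.g.: mem_kb MemAvailable /proc/meminfo
mem_kb() {
    awk -v key="$1:" '$1 == key { print $2 }' "$2"
}

# Integer percentage of RAM still available for new allocations
mem_available_pct() {
    f="${1:-/proc/meminfo}"
    total=$(mem_kb MemTotal "$f")
    avail=$(mem_kb MemAvailable "$f")
    echo $(( avail * 100 / total ))
}

# Integer percentage of swap in use (0 when the box has no swap)
swap_used_pct() {
    f="${1:-/proc/meminfo}"
    total=$(mem_kb SwapTotal "$f")
    free=$(mem_kb SwapFree "$f")
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( (total - free) * 100 / total ))
}

# True (exit 0) when available RAM is below the threshold percentage (default 10)
mem_under_pressure() {
    f="${1:-/proc/meminfo}"
    threshold="${2:-10}"
    [ "$(mem_available_pct "$f")" -lt "$threshold" ]
}

# Constructed sample: MemTotal/MemAvailable copied from the meminfo output in
# the notes; the swap lines are assumed values converted from the top output.
SAMPLE_MEMINFO="${TMPDIR:-/tmp}/meminfo.sample.$$"
cat > "$SAMPLE_MEMINFO" <<'EOF'
MemTotal:        7936764 kB
MemFree:          209804 kB
MemAvailable:      27672 kB
Buffers:           13608 kB
Cached:            63068 kB
SwapCached:       713404 kB
SwapTotal:       6248652 kB
SwapFree:        3124531 kB
EOF

if mem_under_pressure "$SAMPLE_MEMINFO" 10; then
    echo "memory pressure: $(mem_available_pct "$SAMPLE_MEMINFO")% of RAM available, swap $(swap_used_pct "$SAMPLE_MEMINFO")% used"
else
    echo "memory ok"
fi
```

On the firewall, call mem_under_pressure with no arguments to read the live /proc/meminfo; MemAvailable is the figure to watch rather than MemFree, because it already accounts for reclaimable cache.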

==============================================================================

Hardware issues:

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# cat syslog.log | grep BusyBox

Aug 07 02:28:13Z (none) syslog.info syslogd started: BusyBox v1.31.1

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# cat syslog.log | grep DRDY

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# cat syslog.log | grep media

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# cat syslog.log | grep I/O
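Added example (not part of the original notes): the four greps above turned into a small scan over a syslog.log extract. Each "syslogd started: BusyBox" line marks a boot, so counting them shows how often the unit restarted, and the DRDY / media / I/O markers point at disk trouble. The sample log is constructed: the BusyBox line is the one from the page, the kernel ATA lines are invented to show what a failing disk would look like.

```shell
#!/bin/sh
# Added example, not from the original notes: count boots and disk-error
# markers in a syslog.log extract, using the same patterns as the greps above.

# Number of boots recorded in the log (one syslogd start per boot).
# grep -c exits 1 when the count is 0, hence the || true.
boot_count() {
    grep -c 'syslogd started: BusyBox' "$1" || true
}

# Number of lines carrying a disk-error marker (case-sensitive, as in the notes)
disk_error_count() {
    grep -cE 'DRDY|media|I/O' "$1" || true
}

# The disk-error lines themselves, for the case notes
disk_error_lines() {
    grep -E 'DRDY|media|I/O' "$1" || true
}

# Constructed sample log (only the BusyBox line is taken from the page)
SAMPLE_SYSLOG="${TMPDIR:-/tmp}/syslog.sample.$$"
cat > "$SAMPLE_SYSLOG" <<'EOF'
Aug 06 23:10:02Z (none) kern.err kernel: ata1.00: status: { DRDY ERR }
Aug 06 23:10:02Z (none) kern.err kernel: blk_update_request: I/O error, dev sda, sector 2048
Aug 06 23:10:03Z (none) kern.warning kernel: sd 0:0:0:0: [sda] media error, retrying
Aug 07 02:28:13Z (none) syslog.info syslogd started: BusyBox v1.31.1
Aug 07 02:29:00Z (none) daemon.info garner: service started
Aug 07 09:41:37Z (none) syslog.info syslogd started: BusyBox v1.31.1
EOF

echo "boots: $(boot_count "$SAMPLE_SYSLOG"), disk error lines: $(disk_error_count "$SAMPLE_SYSLOG")"
disk_error_lines "$SAMPLE_SYSLOG"
```

Two boots a few hours apart with disk errors just before the first one is the pattern that points at hardware rather than a software fault.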

• Tried to check IPS logs, syslogs, garner logs, postgres logs

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# tail -f garner.log


ERROR Aug 22 13:30:08Z [4120218432]: queueOutput[CentralReporting]CFR potential truncation of log: dlen = 4370 ret_val = 4373 sizeof(data_t) = 4372
ERROR Aug 22 13:30:08Z [4120218432]: write_data2_file[CentralReporting] Failed to write into a queue file

SFV2C4_AZ01_SFOS 20.0.1 MR-1-Build342# tail -f postgres.log


23219 2024-08-07 02:12:27.318 GMTFATAL: terminating connection due to administrator command
16525 2024-08-07 02:12:25.890 GMTFATAL: terminating connection due to administrator command
===================================================================================

TAR file:

cd /log

tar -cvzf /var/AllXGLogs.tar.gz /log/* (write the archive outside /log so it is not added to itself)

grep Togg /log/csc.log | tail -n 1

===================================================================================
TCPDUMP

tcpdump -veni any host IP_ADDRESS

tcpdump -veni any host IP_ADDRESS -s0 -w /var/tslog/tcpdump.pcap (to save to a pcap file)

All in one command


tcpdump -nei any host 192.168.99.100 > /var/BO_tcpdump.txt & drppkt host 192.168.99.100 > /var/BO_drppkt.txt & conntrack -E | grep 192.168.99.100 > /var/BO_conntrack.txt & tcpdump -nei any host 192.168.99.100 -s0 -w /var/BO.pcap
(each tool writes its own file; pointing all three at one file with > makes them truncate and interleave each other's output)

# tcpdump -nni Port1 host 192.168.7.76 -s0 -w /tmp/port1LAN-2.pcap &

# tcpdump -nni Port2 host 203.27.179.146 -s0 -w /tmp/port2WAN-2.pcap &

console> tcpdump 'host 192.168.10.10'

# conntrack -E --src 192.168.7.76 > conntrack_VOIP.txt

• tcpdump -ni Port3 host 192.168.1.2 and port 443

• tcpdump -ni any icmp

===================================================================================
DRP PKT

drppkt displays the packets dropped by firewall rules, together with connection details and details of the packets processed by the device, which helps administrators troubleshoot errant firewall rules. The dropped packets can also be filtered.

drppkt host 10.10.10.1 and port 21 (this displays all dropped packets for host 10.10.10.1 and port 21)

How to view traffic of a ...      drppkt command                      Example
specific host                     drppkt host <ipaddress>             drppkt host 10.10.10.1
specific source host              drppkt src host <ipaddress>         drppkt src host 10.10.10.1
specific destination host         drppkt dst host <ipaddress>         drppkt dst host 10.10.10.1
specific network                  drppkt net <network address>        drppkt net 10.10.10
specific source network           drppkt src net <network address>

===================================================================================

Conntrack

Conntrack Source IP or Hostname

-E = Events

conntrack -E -s IP_ADDRESS OR HOSTNAME

conntrack -E -s IP_ADDRESS OR HOSTNAME >> /var/tslog/conntrack_source.log (to save to a file)

Conntrack Destination IP or Hostname

conntrack -E -d IP_ADDRESS OR HOSTNAME

conntrack -E -d IP_ADDRESS OR HOSTNAME >> /var/tslog/conntrack_destination.log (to save to a file)

If you want to delete the conntrack

conntrack -D -d IP_ADDRESS

conntrack -D -s IP_ADDRESS
===================================================================================

Start and stop services

service <servicename>:start/stop/debug/restart -ds nosync

Checking if all services are running properly

service -S | sort

How to restart services

https://community.sophos.com/sophos-xg-firewall/f/discussions/110323/restart-application-and-url-filtering-services-from-cli

Please use the command as follows:

SFVH_SO01_SFOS 17.0.0 GA# service <servicename>:start/stop/debug/restart -ds nosync

You'll get a list with all services using:

SFVH_SO01_SFOS 17.0.0 GA# service -S


lcdd UNTOUCHED
postgres RUNNING
sigdb RUNNING
reportdb RUNNING
crreport UNREGISTERED
awarrensmtp UNREGISTERED

XGS3300_RL01_SFOS 19.5.3 MR-3-Build652 HA-Primary# service tomcat:restart -ds nosync
200 OK
XGS3300_RL01_SFOS 19.5.3 MR-3-Build652 HA-Primary# service apache:restart -ds nosync
200 OK

===================================================================================
CLI Links:

Device console

https://doc.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html#tcpdump

Sophos Firewall: CLI Troubleshooting Tools

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/117389/sophos-firewall-cli-troubleshooting-tools

Sophos Firewall: Create and download packet captures

https://support.sophos.com/support/s/article/KB-000037007?language=en_US

Configure capture filter

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/PacketCapture/DiagnosticsPacketCaptureFilterConfigure/index.html

Sophos Firewall: How to TCPdump

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/114837/sophos-firewall-how-to-tcpdump

Sophos Firewall: Monitor dropped packets using command line

https://support.sophos.com/support/s/article/KB-000036858?language=en_US
===================================================================================

IPSEC site to site

XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ip route show table all


XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ip xfrm policy
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ip xfrm state
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# cat /proc/net/xfrm_stat
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ipsec statusall
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# route -n
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ip route show table 220
XGS2100_RL01_SFOS 19.5.2 MR-2-Build624# ip ro get 195.29.181.235
(195.29.181.235 should be replaced with your destination IP address)

===================================================================================
FSCK reboot

SFV2C4_AI01_SFOS 20.0.0 GA-Build222# cish

console> system fsck-on-nextboot on

Check filesystem : On
console>

Advanced shell: type reboot

===================================================================================
Sophos Firewall: Set up a serial connection with a console cable

https://support.sophos.com/support/s/article/KB-000035769?language=en_US

Skip multi-factor authentication for next admin user login

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/SystemSettings/SkipMFAforAdmin/index.html
===================================================================================

VAR partition increase

Please refer to the docs below for the var size increase and the workaround for it:

https://community.sophos.com/sophos-xg-firewall/f/discussions/136642/sophos-xg-450---var-newdb-base-16386-full

https://support.sophos.com/support/s/article/KB-000042543?language=en_US

https://community.sophos.com/sophos-xg-firewall/f/discussions/136211/sophos-xg---config-disk-usage-exceeded-the-threshold

https://community.sophos.com/sophos-xg-firewall/f/discussions/137145/reports-disk-usage-reached-90-exceeding-the-higher-watermark-of-90
===================================================================================

Purge the report:

Log settings

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/index.html

Data management

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Reports/ReportSettings/configdatabase/index.html

Manual purge

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Reports/ReportSettings/manualpurge/index.html