
Enterprise Console - auditing firewall blocks

I am using the Enterprise Console 5.1. What is the best way to browse the Sophos log files for machines that I manage? Or better yet, is there a console dashboard or report that will show me details on all the blocked communication attempts on a particular machine or machines? We're just rolling out Sophos, and I want to watch my firewall events to make sure I'm only blocking what I want to block on various machines. I have found the report that shows me blocks, but it's woefully inadequate for driving further action. I just get a block time, the blocked application, and system name. I really want a direction, as well. When I'm actually on a managed system and pull up the Sophos console, it's got a nice interface to view activity/logs. Where is that on the Enterprise Console? Thanks!


  • Hello Neon,

    As you say report, I assume these are what you looked at. Far better for what you want is the Event Viewer - from the View menu. It has more details and you can also create rules from the events.

    HTH

    Christian

  • I assume you mean

    Events -> Firewall Events, which brings up the "Firewall - Event Viewer" window.

    This could work on a basic level, but it's excruciatingly simplistic. For instance, I have no chance to see which system contributed an event (so no idea where to go for troubleshooting), what rule caused it to come in, and it actually still doesn't show me all the blocks that I'd like. This screen looks like it is geared for application-level events.

    The actual endpoint console's log viewer screen is excellent, and I was hoping for something like that available via the Enterprise Console.

  • Hello Neon,

    Correct. That the Event Viewer does not show computer and user (as other categories do) is definitely a shortcoming. SCF hasn't seen dramatic changes for quite some time; you might have noticed that it is still on the 2.x version which was introduced with SEC 4.0 (surprisingly, 1.5.4 as well as 2 are still listed as current versions). There's a new version in the works in conjunction with Windows 8 - I expect it will contain more features in addition to the OS support (or maybe not). They are also running out of minor numbers on the 2.x line (with the current being 2.9), thus I speculate that the next will be a 3.x (and if it's "synched" again with SEC it should be 3.2 or above ;-)).

    Why not make yourself heard by submitting a feature request (supplementing your post in the forum) - it probably has more weight.

    Christian
