
v18: Bug with data counting in firewall rules?

Hi,

I am noticing a strange behavior in v18 and the data counting in the firewall rules. I have some incoming rules (from Internet to DMZ) that are coupled with corresponding DNAT rules. The DMZ contains webservers, so they send a lot more data than they receive. However, the counters in the rules are the other way around: They show a lot more incoming data than outgoing data. 

Unless I am completely misinterpreting these counters (which I would like to rule out), it appears to me these counters have been reversed, i.e. incoming is actually showing outgoing, and outgoing is showing incoming.

Any thoughts?



  • Hi cryptochrome,

    Could you please share the screenshot of the firewall rule that shows data in and out counters? I will verify if it should be like that or not and update you.

    Thanks,

  • Sure, here you go:

    Firewall Rule:

    Corresponding NAT rule:

    Firewall Rule Details:

     

    Note that this is just one example. I am seeing the same "reversed" counter on other incoming rules. 

    How do you count the data? If someone on the internet initiates the connection and transfers a lot of data, does that count as incoming or outgoing?
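    To make that question concrete, here is an added illustration (not code from Sophos or from anyone in this thread) of why a rule's "in"/"out" counters are ambiguous: it builds constructed flow records for Internet-initiated connections to a DMZ webserver, totals them under three assumed labelling conventions, and shows which convention a large "in" with a small "out" would correspond to. The zone names, byte sizes and the three conventions are assumptions made for the illustration, not a statement of how XG actually counts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Constructed conntrack-style record of one connection through the firewall."""
    src_zone: str      # zone of the host that sent the first packet (the initiator)
    dst_zone: str      # zone of the host that answered (after DNAT, the DMZ server)
    orig_bytes: int    # bytes sent by the initiator
    reply_bytes: int   # bytes sent back by the responder

# Three plausible conventions for a rule's in/out counters (assumed for this
# illustration; the thread does not say which one the product uses).
CONVENTIONS = {
    # in = what the connection initiator sent, out = what came back to it
    "initiator": lambda f: (f.orig_bytes, f.reply_bytes),
    # in = bytes received on the WAN interface, out = bytes transmitted on WAN
    "wan_interface": lambda f: (
        (f.orig_bytes, f.reply_bytes) if f.src_zone == "WAN"
        else (f.reply_bytes, f.orig_bytes)),
    # in = bytes arriving at the firewall from the protected (responder) side
    "responder": lambda f: (f.reply_bytes, f.orig_bytes),
}

def rule_counters(flows, convention):
    """Total (in, out) bytes for a rule's flows under one convention."""
    label = CONVENTIONS[convention]
    total_in = total_out = 0
    for f in flows:
        i, o = label(f)
        total_in += i
        total_out += o
    return total_in, total_out

def infer_convention(flows, observed):
    """Conventions whose totals equal the (in, out) pair read from the UI.
    Use flows with a strong byte asymmetry; otherwise several conventions match."""
    return [c for c in CONVENTIONS if rule_counters(flows, c) == observed]

# Constructed sample: three Internet clients fetching large files from the DMZ webserver.
INBOUND_WEB_FLOWS = [
    Flow("WAN", "DMZ", orig_bytes=1_000, reply_bytes=2_000_000),
    Flow("WAN", "DMZ", orig_bytes=1_200, reply_bytes=2_500_000),
    Flow("WAN", "DMZ", orig_bytes=800, reply_bytes=1_500_000),
]

if __name__ == "__main__":
    for c in CONVENTIONS:
        print(f"{c:14} in/out = {rule_counters(INBOUND_WEB_FLOWS, c)}")
    # A UI showing far more "in" than "out" for this rule matches only the responder view.
    print(infer_convention(INBOUND_WEB_FLOWS, (6_000_000, 3_000)))
```

    The same check works against a real appliance: push a known, strongly asymmetric transfer through one rule and compare the rule's counters with the totals each convention predicts.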

  • Prism said:

    Also, a genuine question: why is data counting directly on the rule in XG so important for you? What's the best use-case scenario for it?
    Isn't it better to just use the Logs/Reporting function that already exists? I know both of them are bad compared to the competitors, but at least it "works".

    The thing is, it's not important to me at all :-)  When I opened this thread, I never expected a huge discussion like this. I just noticed the counters on my incoming rules were wrong and opened a post, thinking it may be a bug. And now here we are, haha. 

    I also don't care whether the counters are displayed right in the rule or whether I have to open a different view for it (reports, logs, whatever). It doesn't really matter. The whole point is: the counters that are there are wrong. Sending data out of the WAN interface and showing that as incoming traffic is just plain crazy :)

    Prism said:

    They don't show it like XG.

    Well... they do, actually. Some even directly in the rule (Fortinet), some others require a few additional mouse clicks, but the data is available. With proper directional display. 

    Prism said:

    Also, after 40 replies in this thread, isn't it better for XG to follow the industry standard and also use hit counters for the rules instead of just showing bandwidth? Also, please show when the rule was first and last used.

    I would second this request. It would be very helpful in housekeeping scenarios. 

  • Also, since you guys keep mentioning XG reports and that the data is available there as well, I just took a look. I clicked on an application in the traffic dashboard and immediately had to laugh out loud and hard. As if this would make any sense whatsoever:

    Mind you, this is for one application. It tells me the source and destination zones had the exact same amount of hits and data, which of course is utter nonsense. Another pointer at just how wrong Sophos calculates data.

  • People have been complaining about XG reports and logs since it came out.

    That's why I wrote: (but at least it "works".)

    I'm an optimistic person, but only God knows when the devs will do something about this.

    I hope the best for v18.5, so no one has to complain about this anymore.

  • I would recommend checking Central Reporting.

    https://community.sophos.com/products/xg-firewall/sfos-eap/central-firewall-reporting-eap/

    Central Reporting is waiting for feedback from the community.

    You can simply activate it in Central (EAP). 

  • Well, I completely forgot about this.

    Will be checking it out right now.

     

    Thanks!

  • That looks interesting. Does this require additional licensing? Or is it part of the XG license?

  • https://www.sophos.com/en-us/medialibrary/PDFs/partners/whats-in-the-central-firewall-reporting-eap.pdf

    Licensing: Collecting, storing, and aggregating firewall logs naturally requires compute and storage resources in the data platform. For the EAP, we are providing administrators with a rolling seven days of log retention and reporting data per firewall, at no cost. Additional details will be made available later regarding the licensing options for CFR, which will include both free and premium licensed capabilities.

    As mentioned, they are waiting for feedback about their new product in Central (called CFR).

    There are some more options for reporting.

  • I am using CFR and it does not add useful reporting at all. Sorry Luca, but XG reporting is very bad. Please consider me to help improve the reporting. Reporting and logging have the same problem: understanding what is happening is very time consuming! UTM 9 has far better reporting. I am open to discussing this privately.

    Regards

  • Hi Guys

    I'm going to bookmark this thread so when I come to discuss the traffic counters with a customer I have some reference material to work through rather than using intuition. Thanks for all the helpful comments.

  • Hi All,

    Thank you for sharing your feedback regarding this topic. I'll forward these over to the Product Team for their consideration.

    Thanks for your explanation and recommendations.
