
Logging - how to find problems?

Hello,

so I have some basic rules in the firewall, and now I want to get more granular.

Say I have an iPhone weather-app trying to connect, and it fails. Now I want to see on the firewall what is blocking it. (yes, I do know by heart what it is, but I want to read it out)

How do I do it?

I tried: Log Viewer, Filter iPhone IP, Firewall -> and it doesn't show me anything. At least not for a while, only after some minutes. So I can't use it for live analysis or rules or anything.

Am I missing something?



  • Welcome to the XG limited logging issues. There is also CLI stuff but that doesn't help with the what you are using as an example.

    There is another thread in the XG forums about improving XG reporting, I suggest you locate it and add your 10c to it.

    Ian

  • First of all, XG does not log the traffic which gets dropped by the Default Firewall.

    Does your Firewall include "ANY" services?

    Let's start at the beginning.

    https://community.sophos.com/kb/en-us/131951

    I would recommend disabling invalid traffic:

    https://community.sophos.com/kb/en-us/131754

    If you want to log Default Drop Traffic:

    https://community.sophos.com/kb/en-us/132117

    If you want to join the CLI and log there:

    https://community.sophos.com/kb/en-us/123185


  • "Awesome."

    This is virtually a no-go for me.

    After a couple of days with XG, I'm sure I will not switch for now. Our 3yr license for Sophos expires in January 2021, so I think I might be looking at other solutions.

    I've even been thinking of going open source firewall or Fortigate, and separately going for a centrally managed A/V solution. Currently using Sophos Central on some clients, but honestly it's too expensive. I didn't even cover all clients and servers I would want to cover, and it's still way more expensive than products like Bitdefender or ESET. Not sure really if it is better though. I know they market Intercept X (and we do have it), but never had a compromise yet.

  • No, I deleted all default made rules and left the deny only rule. I created my own set of rules, just some basic ones like HTTP/S and DNS, so that I can surf, and then started trying out some stuff. As I explained, on the UTM I would pop up the live log and observe what is coming from where. I would filter a device (IP) and start doing stuff on it - and then see what I need to allow. Also my UTM is very strict, I either have service set and destination to anything but any, or I have service any, and very limited source/destination. I wouldn't dream of doing it any other way really. The only reason sometimes doing any is if I am confronted with a DC, or some servers requiring lots of ports, these get any, but as above, very limited src/dst.

    Still, all the links you provided show the same log, which is not live and I cannot troubleshoot effectively. Even if the console would deliver, I would expect a GUI log. Maybe at a later point Sophos will implement it.

  • You need a Default drop rule, as I explained above.

    You will see all dropped packets on each port in the Log viewer. There could be a small amount of delay; on the other hand, it is a more graphical build.

    Live Log on UTM will only cover the module you are in (Firewall for example), not all modules. Proxy drops, for example.

    As an example:

    Having a look at the live log:

    It is nearly live on my box.

    I can see there is Port 3400 traffic (RED Appliance) and an SSH attempt.

    By using advanced view, it is possible to see the plain text log.

    Or mouse over.


  • Hello LuCar Toni,

    what you consider to be a disadvantage, others (and I think there are many of us) consider an advantage! Compared to XG, UTM v9 writes logs for each activated security module to a separate log file. And for every such activated security module you can open Live Log at any time, so you can see the Live Log for firewall, proxy server, IPsec gateway etc. at the same time. You may consider it a disadvantage, but I consider it a big advantage. And every day at midnight every log file is compressed and stored in the log file archive. Could you please show me where XG provides these, in my opinion absolutely elementary, functions (separate logs for each security module and log management features) after 5 years of development?

    These are exactly the functions that every firewall administrator needs. I really don't see any advantage when XG writes IPsec tunnel activation / deactivation information to the System log + antivirus database update information + IP address assignment by DHCP server + created configuration backup etc. Do you really think that this is correct?!?

    Please stop telling us finally how XG is a unique product when anyone and anytime is able to refute this lie!

    Regards

    alda

    P.S. If you read at least carefully what we have been writing for almost 5 years ...

  • How does this post help the poster at all?

    I am simply here to help other users in my free time. As always, please keep these threads clean.

  • ,

    to be able to help you, please describe whether you are decrypting your HTTPS traffic, which firmware you are running, and give more info about the app that gets blocked.

    , is correct and he has a lot of experience in the field. Let's try to help the customer here, but coming from any appliances, XG does not log nothing if you are decrypting HTTPS traffic.

    I have already posted examples with Skype and Teams where I spent hours before finding the issue. Hope that this is clear, and for logging and reporting there are no excuses! XG most of the time on logging is just DUMB!

    Regards


  • Luk, yes, the http/s rule is (was) set to decrypt, but I soon turned it off since I wasn't able to access most websites any more. I didn't explore it further and turned it off then. But really, that doesn't impact the logging in any way.

    As I described, the port requested by the iPhone is actually APNS (5223). And this port does appear as red in the log viewer, but after a long time. Even if I try it a couple of times, it will have a big delay. I am not saying that it's not working, but it's unusable for me. The log viewer is more of general info, if you will. There is no troubleshooting with it.

    My version is latest, I believe it’s .339.

    And I will also agree with Alda, I also find it useful to have a log per module; I can open multiple logs and have it all very cleanly displayed. The most important thing is that I have it really live while testing the rules. There are some features in the XG log that I do find better, for instance which rule applies, but honestly, even when having 100 rules, I can find the rule quite quickly. What's more important is the system you have. It seems to me that UTM is for power admins, and XG is nice graphics but way less behind it. XG was for me easier to understand and set up. But that is not something that I would deem important on a firewall.

    I also do understand what integrated security brings with clients running Sophos software (we do have that), and is the reason why I am exploring XG. But as I said, way less polished, keeps me back at what I can do and is frustrating.

    The only reason UTM is pushing me to move is the development which has virtually stopped. No IKEv2, no Wireguard, Let’s Encrypt limited, and generally old web filtering (missing categories). I have to take Sophos Central for that, and I think that’s an overkill. I’d rather be able to do it on the firewall, like on the XG. They should take UTM and develop it to XG and not some other software and start from scratch. My 2c.