
Logging - how to find problems?

Hello,

so I have some basic rules in the firewall, and now I want to get more granular.

Say I have an iPhone weather-app trying to connect, and it fails. Now I want to see on the firewall what is blocking it. (yes, I do know by heart what it is, but I want to read it out)

How do I do it?

I tried: Log Viewer, Filter iPhone IP, Firewall -> and it doesn't show me anything. At least not for a while, only after some minutes. So I can't use it for live analysis or rules or anything.

Am I missing something?



  • Welcome to the XG limited logging issues. There is also CLI stuff, but that doesn't help with what you are using as an example.

    There is another thread in the XG forums about improving XG reporting, I suggest you locate it and add your 10c to it.

    Ian

  • First of all, XG is not logging the traffic which gets dropped by the Default Firewall.

    Does your Firewall include "ANY" services?

    Let's start at the beginning.

    https://community.sophos.com/kb/en-us/131951

    I would recommend disabling invalid Traffic:

    https://community.sophos.com/kb/en-us/131754

    If you want to log Default Drop Traffic:

    https://community.sophos.com/kb/en-us/132117

    If you want to join the CLI and log there:

    https://community.sophos.com/kb/en-us/123185

  • No, I deleted all default-made rules and left only the deny rule. I created my own set of rules, just some basic ones like HTTP/S and DNS, so that I can surf, and then started trying out some stuff. As I explained, on the UTM I would pop up the live log and observe what is coming from where. I would filter a device (IP) and start doing stuff on it, and then see what I need to allow. Also my UTM is very strict: I either have the service set and the destination to anything but any, or I have service any and a very limited source/destination. I wouldn't dream of doing it any other way really. The only reason for sometimes doing any is if I am confronted with a DC or some servers requiring lots of ports; these get any, but as above, a very limited src/dst.

    Still, all the links you provided show the same log, which is not live, and I cannot troubleshoot effectively. Even if the console would deliver, I would expect a GUI log. Maybe at a later point Sophos will implement it.

  • You need a Default drop rule, as I explained above.

    You will see all dropped packets on each port in the Log Viewer. There could be a small amount of delay; on the other hand, it is a more graphical build.

    Live Log on UTM will only cover the module you are in (Firewall, for example), not all modules (proxy drops, for example).

    As an example:

    Having a look at the live log:

    It is nearly live on my box.

    I can see there is Port 3400 traffic (RED appliance) and an SSH attempt.

    By using the advanced view, it is possible to see the plain-text log.

    Or mouse over.
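As an added example (not from this thread and not Sophos code), here is a small Python script that does offline what the original question asks for: it parses key=value firewall log lines in the style of the Log Viewer's plain-text view, keeps only the Denied entries from one client IP, and tallies them by log component, rule id, protocol and destination port so the entry blocking the app stands out. The field names (log_subtype, fw_rule_id, src_ip, dst_port and so on) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style of the Log Viewer's
# plain-text view. Field names and values are assumptions for this example;
# fw_rule_id=0 is taken here to mean the default drop rule.
SAMPLE_LOG = """\
log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=3 in_interface="Port2" src_ip=192.168.1.50 dst_ip=93.184.216.34 protocol="TCP" src_port=50211 dst_port=443
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" fw_rule_id=0 in_interface="Port2" src_ip=192.168.1.50 dst_ip=93.184.216.34 protocol="TCP" src_port=50212 dst_port=8443
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" fw_rule_id=0 in_interface="Port2" src_ip=192.168.1.50 dst_ip=93.184.216.34 protocol="UDP" src_port=50213 dst_port=123
log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" fw_rule_id=0 in_interface="Port1" src_ip=203.0.113.7 dst_ip=198.51.100.2 protocol="TCP" src_port=4444 dst_port=22
log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" fw_rule_id=0 in_interface="Port2" src_ip=192.168.1.50 dst_ip=93.184.216.34 protocol="TCP" src_port=50212 dst_port=8443
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value line into a dict; quoted and bare values are both handled."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields

def denied_for_client(log_text, client_ip):
    """Return the Denied entries whose src_ip is client_ip, in log order."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries
            if e.get("log_subtype") == "Denied" and e.get("src_ip") == client_ip]

def summarize(entries):
    """Tally (component, rule id, protocol, dst_port) so the blocking entry stands out."""
    return Counter((e["log_component"], e["fw_rule_id"], e["protocol"], e["dst_port"])
                   for e in entries)

if __name__ == "__main__":
    # Which drops did the phone at 192.168.1.50 hit, and on which rule?
    for key, n in summarize(denied_for_client(SAMPLE_LOG, "192.168.1.50")).most_common():
        print(n, *key)
```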

  • Hello LuCar Toni,

    what you consider to be a disadvantage, others (and I think there are many of us) consider an advantage! Compared to XG, UTM v9 writes logs for each activated security module to a separate log file. And for every such activated security module you can open Live Log at any time, so you can see the Live Log for the firewall, proxy server, IPsec gateway etc. at the same time. You may consider it a disadvantage, but I consider it a big advantage. And every day at midnight every log file is compressed and stored in the log file archive. Could you please show me where XG provides these, in my opinion absolutely elementary, functions (separate logs for each security module and log management features) after 5 years of development?

    These are exactly the functions that every firewall administrator needs. I really don't see any advantage when XG writes IPsec tunnel activation/deactivation information to the System log, plus antivirus database update information, IP address assignment by the DHCP server, created configuration backups etc. Do you really think that this is correct?!?

    Please stop telling us finally how XG is a unique product, when anyone at any time is able to refute this lie!

    Regards

    alda

    P.S. If you had at least read carefully what we have been writing for almost 5 years ...

  • How does this post help the poster at all?

    I am simply here to help other users in my free time. As always, please keep these threads clean.