Home XG 18 MR4 - Incorrect usage reported for sessions over 4GB

Hi

I have noticed weird logging and reporting behavior on the XG when transferring more than 4GB during one connection session.

I tried to reboot the firewall, but no difference. You can see results of some of my tests below. Reports and policy counters were clean before the tests.

After transferring a 1GB file, the session is logged correctly in log viewer. See sent bytes in image below:


After transferring a 3GB file in a new session (remount of cifs share), it's also logged correctly in log viewer. See sent bytes in image below:


But after transferring a 5GB file in a new session (remount of cifs share), it's logged wrong. See sent bytes in image below. It only shows around 1GB of data (does the counter overflow on 4GB?):


When checking the session in live connections, before I unmounted the NAS, it was showing the correct amount of data. See upload transfer on image below:


Also, the firewall policy counter shows the correct amount of total data that I transferred during this testing (1GB+3GB+5GB = 9GB). See out on image below:


Reports also show wrong data. It shows only 5GB total. That corresponds with what I saw in log viewer, where the last 5GB session was logged as 1GB only. See report image below:


What is also bugging me is that Sophos XG logs and reports sessions only after they end. That is probably a feature and not a bug, but it's very wrong in my opinion. I have, for example, NFS sessions that are up for 30 days between two servers (reboot only during monthly update cycle) and they are not reported or logged anywhere in the XG. I can see them among the live connections, but they are not in the reports until I actually remount the NFS (session is closed and a new one is created). I would much prefer the behavior that I see, for example, on Fortinet FortiGate firewalls, where it works as described below:

"Each ongoing session generates a statistic log every two minutes, starting two minutes after the session was established. This means a session can generate multiple logs over its lifetime.
After the session is closed, a final log with overall stats will be generated"

Am I missing something here? Can somebody confirm this behavior? So far I am not very pleased by the Sophos XG logging and reporting. Unless I am doing something horribly wrong, I think that it needs a lot of improvements...

I am currently testing Sophos XG 18 MR4 on a VM with 1 CPU and 4GB of RAM. It's a home license.
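The reconciliation described in the post above, as an added example that is not part of the original post and not Sophos code: it sums per-session logged bytes, compares them with an independent total such as the policy counter, and checks whether the gap is an exact multiple of an unsigned 32-bit range. The 32-bit width is an assumption taken from the poster's question, and the byte values are constructed from the 1, 3 and 5 GB test files (treated as GiB).

```python
"""Reconcile per-session firewall log byte counts against an independent total."""

GIB = 2 ** 30  # constructed sizes mirroring the 1, 3 and 5 GB test transfers


def logged_value(actual_bytes, width_bits=32):
    """Value an unsigned counter of width_bits would report after actual_bytes.

    width_bits=32 is an assumption; the thread does not confirm the field width.
    """
    return actual_bytes % (1 << width_bits)


def reconcile(logged_sessions, authoritative_total, width_bits=32):
    """Explain the gap between summed session logs and an independent counter.

    Returns the gap in bytes, how many whole counter ranges fit in it, and
    whether the gap is an exact multiple of the range. An exact multiple is
    what truncation would leave behind; dropped or still-open sessions would
    normally leave an arbitrary remainder instead.
    """
    modulus = 1 << width_bits
    gap = authoritative_total - sum(logged_sessions)
    if gap < 0:
        # Logs exceed the reference total: wraparound cannot explain that.
        return {"gap": gap, "wraps": 0, "exact": False}
    wraps, remainder = divmod(gap, modulus)
    return {"gap": gap, "wraps": wraps, "exact": remainder == 0}


if __name__ == "__main__":
    transfers = [1 * GIB, 3 * GIB, 5 * GIB]          # what was actually sent
    logged = [logged_value(n) for n in transfers]    # what a 32-bit field keeps
    policy_total = sum(transfers)                    # stands in for the policy counter
    for sent, seen in zip(transfers, logged):
        print(f"sent {sent / GIB:.0f} GiB -> logged {seen / GIB:.0f} GiB")
    result = reconcile(logged, policy_total)
    print(f"report total {sum(logged) / GIB:.0f} GiB, "
          f"policy total {policy_total / GIB:.0f} GiB, "
          f"gap = {result['wraps']} x 2^32 bytes, exact={result['exact']}")
```

With these constructed inputs the report total comes to 5 GiB against a 9 GiB policy total, the same figures the post reports, and the gap is exactly one 32-bit range.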



  • Welcome to XG and its very poor logging performance.

    We, the forum members, are hoping there will be some major fixes to XG reporting when the mythical v18.5.x is released.

    You have only touched on the tip of reporting issues.

    ian

  • That is what I was afraid of... I am quite happy so far with other functionality on the XG, but the logging and reporting is like from some alpha version product, compared to other firewalls that I worked with.

    Is there some roadmap or expected release date for v18.5?