Mirror VPN traffic terminated into Sophos XG running 17.5.12 MR-12

I am new to Sophos so I am looking for some help.  My customer came to me and he would like to mirror all the VPN traffic that terminates through his Sophos XG.  The reason is that the traffic terminates and then exits to a device where mirroring of the traffic is not possible (it is owned by the carrier).

Is there a way to mirror (SPAN) traffic terminated from VPN connections to an interface in a Sophos XG running 17.5.12 MR-12?

  • SPAN or port mirroring is not included in XG. From a networking perspective, this is more likely a switch topic. Most port mirroring solutions only mirror everything, not per protocol or even per application.

    XG can "see and report" a port mirror. So you can attach a tap port to XG. But you cannot mirror everything.

    BTW: The use case of the customer seems odd to me. Does he want to decrypt this on his own (with Wireshark or other solutions)?

  • It is a security solution that takes full packet captures and analyzes the data to report on the device details (make/model/category/type), OS, activity, threat, risk and every IP connection made.

  • Always ask such solutions how they interact with TLS-encrypted traffic, because most likely they cannot see anything in such mirrored traffic anymore.

  • You can glean which address the client is using, what MAC address, what the public address is, which service in Azure they are going to, how much traffic is exchanged in each direction, which ciphers are used, which hash. You get to look at the certificates for their information and validity. There is a lot of metadata there... you don't need to see the payload. Now add that information to the other logs you have from the EDR, the servers and any other solutions, and you have a clear, auditable view of what is going on in your environment.
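Added example, not from the thread or from Sophos: a minimal parser that pulls the SNI and the offered cipher suites out of a TLS ClientHello, showing the kind of metadata a passive monitor can still read from a mirror of encrypted VPN traffic without any payload decryption. The ClientHello it parses is constructed inline (the server name and suite list are placeholders, not a real capture).

```python
import struct

def build_client_hello(server_name: str, cipher_suites: list[int]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record (not a real capture)."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                 # client_version + random (zeroed here)
            + b"\x00"                                # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                            # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data: bytes) -> dict:
    """Return the SNI and offered cipher suites from a TLS ClientHello; raise ValueError otherwise."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                     # skip client_version and random
    sid_len = p[off]; off += 1 + sid_len             # skip session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = p[off]; off += 1 + comp_len           # skip compression methods
    sni = None
    if off + 2 <= len(p):                            # extensions block is optional
        ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
        end = min(off + ext_len, len(p))
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
            if etype == 0x0000 and elen >= 5:        # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", p[off + 3:off + 5])[0]
                sni = p[off + 5:off + 5 + nlen].decode("ascii", "replace")
            off += elen
    return {"sni": sni, "cipher_suites": suites}
```

Feeding the parser the first client-to-server record of each mirrored TLS flow is enough to log the destination service and cipher offer per connection, which is the metadata the post above relies on.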
