Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 736 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Could somebody post a sample firewall log?

road hazard

I'm in the process of evaluating firewalls for a few, small businesses I do support for on the side. I tried pfSense, OPNsense and Untangle and now it's Sophos XG's turn. I'm no firewall guru but was able to get one of my clients up and running with Untangle fairly quickly but I'd like to give Sophos XG a shot. The reason I picked Untangle vs pf or OPN is simple..... the firewall log files were super easy to read with Untangle. I know this sounds silly (and maybe my inexperience with pf and OPN unfairly disqualified them) but with pf and OPN, when incoming traffic was being blocked, I remember it was a nightmare trying to figure out the destination IP/port # for blocked traffic that was destined for an internal PC.

Example.... I knew traffic was coming in that a PC at the office was waiting on. Untangle was the only firewall (of the 3 I tested) that showed the internal destination of that traffic so it was easy to find and create a rule for it. With the 'sense' products, I could only find logging that showed all traffic being blocked at the WAN interface. I also had weird problems with Android apps on some of their smart TVs in the break rooms. With Untangle, everything just worked and tracking down dropped traffic was super easy.

Unfortunately, at my house here.... I don't have any PCs with dual NICs and getting Sophos running in Virtualbox is giving me fits (host OS is Debian) so I can't set up a test environment to get me the data I'm after.

So........ could some kind stranger post a sample log that shows traffic being blocked that is destined for an internal IP along with port #, protocol? I'm just curious how easy the Sophos log files are to read and if they show detailed data about dropped traffic.

Thanks



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hey, Welcome to the Sophos Community.

    With Sophos XG, You can get a brief overview of logs through the log-viewer built into GUI. Here is a sample snapshot of the denied and allowed logs from a test machine. (MAC & WAN Public IP are obfuscated)

     

    Hovering mouse over the Log Icon reveals more details;



    This one is for Denied traffic,



    If you're not able to setup a virtual environment to test Sophos XG, then you can check out a demo by registering here: https://secure2.sophos.com/en-us/products/next-gen-firewall/free-trial/xg-firewall-demo.aspx

    With the demo, you won't be able to simulate any scenario but can surely navigate the GUI and explore

  • 0 in reply to FormerMember

    Unless I'm wrong (which could be :) ).... that looks like something tried to get out and was denied. I'm curious how something is logged when a PC inside your network is waiting on something inbound and the firewall blocks it. Does it show the internal destination IP behind the fw (192.168.x.x)?

    Like....'Incoming traffic blocked.....dest. IP 192.168.x.x port # 999.'

    I -THINK- I have a box that I can set up tomorrow morning and test it myself on bare metal. I'm just worried that the onboard NICs might be too modern because pfSense and OPNsense couldn't detect them. The board is a Gigabyte H470I AORUS PRO AX and has Intel NICs. I'm going to find a 2.5" drive and see what happens in the morning.

    Side note..... do you think Sophos will ever offer a "pro home" type of license (to go past the 50 user limit) and still let you use your own equipment?

    Also, UEFI boot support on the free home product would be nice too! :)

  • 0 in reply to road hazard

    Hi,

    I think you are confusing UTM with XG. XG is limited to 4CPUs and 6gb of ram not number of connected devices. XG supports most intel NICs except i219 series which are considered home use only devices.

    I assume you are talking about an incoming rule WAN to LAN which would show up in the log a denied if an invalid attempt is made.

    Ian.

  • 0 in reply to rfcat_vk

    Whoops.....you're right. Sorry! I started looking at UTM and read that it was sorta on life support and Sophos was putting their energy into XG and was confusing the two.

    I tried installing XG onto my system last night but my motherboard REALLY hates legacy mode. The install was just fine but booting keeps failing due to XG lacking UEFI boot support. Going to keep messing with it for a bit more before I throw in the towel and just focus on Untangle.