
Logging not showing traffic for a certain rules or traffic type

We are having something happen on our Firewall which we are implementing and can't quite get our head around it.

We have traffic coming from some clients. HTTPS specifically. We have a rule which allows HTTPS traffic from the clients' IP to the WAN with no scanning of any kind. We have added an SSL/TLS exemption which they are hitting. DNS and HTTPS traffic to normal websites such as Google is fine. However, these clients are also handling credit card transactions which are traversing over 443 HTTPS. The traffic is working for the credit card transactions perfectly correctly. However, none of this traffic appears in the logs, yet going to google.com does... Except for the increase in the data quota on the firewall rule itself, you wouldn't know this traffic was passing through the firewall!

We have completed a tcpdump and a PacketTrace. The traffic is appearing in them.

Any reasons?

Rather annoying and yet another oddity in the SFW which makes me nervous.



  • Hello,

    Thank you for reaching out to the community. For rule ID 74, can you share a screenshot which includes the security features and other security features, as illustrated in the screenshot below?

    Is the option "Use web proxy instead of DPI engine" enabled or disabled?
    Here is the difference to consider:

    And is Advanced protection enabled? It analyzes incoming and outgoing network traffic (for example DNS requests, HTTP requests, and IP packets) for threats.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    I can drop the screenshots but actually your screenshots above are exactly like the rule we have setup. Everything is unchecked or set to none! Hope that makes sense.

    Thanks

    Ed

  • I understand. Then, under the security features for the web policy, can you select "Allow All", enable the tick on the option "Use web proxy instead of DPI engine", and then check and revert to us with the results?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

  • Will do but this might have to be Tuesday now as it is Easter weekend and we won't want to disrupt the payments. Will update on Tuesday.

  • Sure, take your time. Happy Easter!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

  • The main question is: How much traffic do you expect to transfer? 

    Because packets can be as small as bytes. So having 4 MB on the firewall rule could be a lot, if the data is actually very small.

    What you can do: Check the logviewer for this firewall rule (Rule74), then do a mouseover. You see the packets and Bytes tracked by the firewall. This could give you an indicator of "how much the data is". 

    You could also do a tcpdump on the CLI and write it to a file. Then compare it with the firewall rule. 

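The last reply suggests capturing with tcpdump on the CLI and comparing the capture against the firewall rule's counters. The script below is an added example, not code from the thread or from Sophos: it reads the text output of `tcpdump -nn -r capture.pcap` (the sample lines here are constructed, not a real capture) and aggregates packets and TCP payload bytes per destination, so the port 443 total can be set against the packet and byte figures shown on the rule's mouseover in the log viewer. Note that tcpdump's trailing `length N` is the TCP payload only, so the sum will sit below a counter that includes IP and TCP headers; a total that is far higher than the counter, rather than slightly lower, is the thing worth investigating.

```shell
#!/bin/sh
# Added example: summarise a tcpdump text dump per destination so the totals
# can be compared with the firewall rule's packet/byte counters.
# SAMPLE_DUMP is constructed in "tcpdump -nn" format; replace it with
#   tcpdump -nn -r capture.pcap | summarize_by_dst
# on a real capture.
SAMPLE_DUMP='12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:01.000200 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:01.000300 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [P.], seq 1:1461, ack 518, win 507, length 1460
12:00:01.000400 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [P.], seq 1:101, ack 1, win 502, length 100
12:00:01.000500 IP 10.0.0.5.53000 > 198.51.100.53.53: 12345+ A? example.test. (30)'

# Read tcpdump lines on stdin; print "dst_ip:port packets payload_bytes"
# for every TCP destination. Lines without a "length N" field (the DNS
# line above) carry no TCP payload figure and are skipped.
summarize_by_dst() {
    awk '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            # tcpdump prints host.port; split the last dotted part off as the port
            n = split(dst, p, ".")
            if (n < 2) next
            port = p[n]; host = p[1]
            for (i = 2; i < n; i++) host = host "." p[i]
            len = -1
            for (i = 6; i <= NF; i++) if ($i == "length") len = $(i + 1)
            if (len < 0) next
            key = host ":" port
            pk[key]++; by[key] += len
        }
        END { for (k in pk) printf "%s %d %d\n", k, pk[k], by[k] }
    ' | sort
}

# Read tcpdump lines on stdin; print the total payload bytes sent towards
# one destination port (443 for the HTTPS traffic discussed in the thread).
total_to_port() {
    summarize_by_dst | awk -v port="$1" '
        { split($1, a, ":"); if (a[2] == port) sum += $3 }
        END { printf "%d\n", sum }'
}

printf '%s\n' "$SAMPLE_DUMP" | summarize_by_dst
printf 'payload bytes to port 443: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | total_to_port 443)"
```

Run the capture through the script a few minutes apart and compare the growth in the port 443 total with the growth of the rule's byte counter; if the two move together while the log viewer still shows nothing for that rule, the traffic is being matched and counted but not logged.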