Logging not showing traffic for a certain rules or traffic type

We are having something happen on our Firewall which we are implementing and can't quite get our head around it.

We have traffic coming from some clients, HTTPS specifically. We have a rule which allows HTTPS traffic from the clients' IP to the WAN with no scanning of any kind. We have added an SSL/TLS exemption which they are hitting. DNS and HTTPS traffic to normal websites such as Google is fine. However, these clients are also handling credit card transactions which are traversing over 443 HTTPS. The traffic is working for the credit card transactions perfectly correctly. However, none of this traffic appears in the logs, yet going to google.com does. Except for the increase in the data quota on the firewall rule itself, you wouldn't know this traffic was passing through the firewall!

We have completed a tcpdump and a PacketTrace. The traffic is appearing in them.

Any reasons?

Rather annoying and yet another oddity in the SFW which makes me nervous.

  • The main question is: How much traffic do you expect to transfer? 

    Because packets can be as small as a few bytes. So having 4 MB on the firewall rule could be much, if the data is actually very small. 

    What you can do: Check the logviewer for this firewall rule (Rule74), then do a mouseover. You see the packets and Bytes tracked by the firewall. This could give you an indicator of "how much the data is". 

    You could also do a tcpdump on the CLI and write it to a file. Then compare it with the firewall rule. 

    __________________________________________________________________________________________________________________
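The reply above suggests capturing the client's traffic with tcpdump on the CLI, writing it to a file, and comparing it with the byte counter on the firewall rule. The script below is an added example and is not from the thread or from Sophos: the capture commands are shown as comments, and a small awk-based function totals the TCP payload bytes per destination from tcpdump's text output, so the bytes sent to the card-processing hosts can be separated from the bytes sent to ordinary websites and set against the counter on the rule (Rule74 in the thread). The client IP 10.0.0.5, the destination addresses and the capture lines in SAMPLE are constructed sample data; the tcpdump invocation assumes a standard tcpdump binary reachable from the firewall's advanced shell.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
# Step 1 (firewall advanced shell, assumed to have a standard tcpdump):
#   capture only the client's HTTPS traffic to a pcap file.
#     tcpdump -nn -i any -w /tmp/client443.pcap 'host 10.0.0.5 and tcp port 443'
# Step 2: render the pcap as text so it can be summarised offline.
#     tcpdump -nn -r /tmp/client443.pcap > /tmp/client443.txt
# Step 3: feed the text through the functions below and compare the totals
#   with the packet/byte counter shown on the firewall rule.

# Sum tcpdump's "length N" (TCP payload bytes) per destination IP.
# Input on stdin: tcpdump -nn text lines. Output: "dst packets N bytes M".
sum_bytes_per_dst() {
    awk '
    /^[0-9:.]+ IP / {
        # Field layout: TIME IP SRC > DST: Flags [...], ..., length N
        dst = $5
        sub(/:$/, "", dst)            # drop the trailing colon
        sub(/\.[0-9]+$/, "", dst)     # drop the port, leaving the IP
        for (i = 1; i <= NF; i++)
            if ($i == "length") { bytes[dst] += $(i + 1); pkts[dst]++ }
    }
    END {
        for (d in bytes)
            printf "%s packets %d bytes %d\n", d, pkts[d], bytes[d]
    }' | sort
}

# Payload bytes sent to one destination IP ($1). Input on stdin as above.
bytes_to_dst() {
    sum_bytes_per_dst | awk -v d="$1" '$1 == d { print $5 }'
}

# Total payload bytes in the capture, both directions. Input on stdin as above.
total_payload_bytes() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "length") t += $(i + 1) }
         END { print t + 0 }'
}

# Constructed sample of tcpdump -nn output: one flow to a public website
# and one to a hypothetical payment host (203.0.113.10 is documentation space).
SAMPLE='12:00:01.000001 IP 10.0.0.5.51234 > 142.250.74.46.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
12:00:01.000002 IP 142.250.74.46.443 > 10.0.0.5.51234: Flags [.], ack 518, win 501, length 0
12:00:02.000003 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [P.], seq 1:301, ack 1, win 502, length 300
12:00:02.000004 IP 203.0.113.10.443 > 10.0.0.5.51235: Flags [P.], seq 1:1201, ack 301, win 501, length 1200'

# Usage on the sample (replace with: sum_bytes_per_dst < /tmp/client443.txt)
printf '%s\n' "$SAMPLE" | sum_bytes_per_dst
printf 'total payload bytes: %s\n' "$(printf '%s\n' "$SAMPLE" | total_payload_bytes)"
```

Note that tcpdump's "length" on a TCP line is the payload length only, so the firewall rule's byte counter, which typically includes IP and TCP headers, will normally read somewhat higher than the total printed here; a large gap in the other direction, or a destination present in the capture but absent from the log viewer, is what to take to the next round of troubleshooting.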
