
Rubbish logging

Sorry but I am struggling a bit with logging, either I am doing something wrong or it's just rubbish.

I have defined an explicit policy rule to drop all outbound traffic coming from a single IP address, I know it works because the client goes off-line, I have enabled logging on the rule, I want to see in the logs what traffic from that client is being dropped. I don't seem to be able to find this. Web filter logs show which URLs are being denied, but what about all the other non-web traffic, e.g. DNS or generic TCP/UDP connections? Security policy just shows the rule being hit, IPS shows some stuff but not sure if it's showing everything as it seems to be reliant on signatures.

I just want one place where I can see all the ports/protocols that are being dropped, why is it so hard to see this? Am I missing something?

Cheers,

Paul

  • Hi Paul,

    You can navigate through the option System > Diagnostics > Log Viewer> View logs for- Security Policy. Here, you can find dropped traffic due to other probable reasons.

    Thanks

  • I'm also new to Sophos and I think the XG GUI has a lot of "missing links" (ex. breadcrumb menu does not have links), trying to make the GUI smart and usable for novice people by removing all the "facts" and details. As I see it you don't get any useful details about what has been dropped, which can help you create new rules or take specific action on traffic from specific sources/clients/users etc.

    When creating firewall rules the "Identity" section should also be turned off by default. Firewall rules are not made for specific people per default, but for services (by port). Put the Identity section in the bottom of choices.

    But try navigating to System > Diagnostics > Packet Capture - that helped me set up new rules/policies.