
Clean-up rule "from any, to any, drop" that allows traffic on the Internet anyway!!! WTF?

Hello. Can anyone explain this to me?

I have a clean-up rule (no. 3), "from any, to any, drop", that allows traffic on the Internet anyway!!! See the rule and the log below.

Is it me, or is this a very serious issue?



  • Yeah, this would be a serious issue if the Log Viewer was truly reflecting what's happening.

    Unfortunately the Log Viewer is mostly broken and doesn't report correctly on what the device is doing.

    If you want to really know what's happening access the XG Firewall via SSH and use the command line tools.

    The GUI is useful for creating objects, rules, interface status and the occasional report. Serious log analysis using the GUI will just leave you frustrated, confused, no hair and an endless stream of swearing.

  • 2018 soon and still stuck using the CLI...

    Would you happen to have a list of those commands?

    Thanks

  • I'm back on MR1.

    v17 MR2 has killed our access to Exchange OWA.

    Too many problems with MR2.

    This is nauseating.

  • Hey,

    -Edited to correct my mistake-

    Could you please also verify this traffic using the Packet Capture utility available in the diagnostic tools?
    Please also note the tcpdump tool available within the CLI.

    Thanks,

    FloSupport | Community Support Engineer

  • /var/log does not respond. It seems not to exist.

    /var does exist and responds.

  • Hey,

    Edit: My mistake and apologies, my mind was on another case/issue while I was responding. I mistakenly referenced the incorrect KB article and product.

    Sent you a PM regarding this.


  • Hi Flo,

    Not wanting to sound picky, but that looks and sounds like UTM, not XG. There is no loginuser on XG.

    Ian

  • I use PuTTY 0.70 over SSH.

    There's no alternative but to log in as "admin" (literally) and then enter the corresponding administrative password. Unless I'm missing something.

    Attachment: 5850.untitled.txt

    Since nothing seems standard here, please reply and post commands I could cut and paste into the telnet session.

    PJR

  • Here is the command for tcpdump:

    tcpdump -i Portxx -w file.pcap -s0 -b

    or just

    tcpdump -w file.pcap -s0 -b

    The file will be in /tmp, because when you log in to Sophos and pick 5 and then 3 you land in the /tmp folder. Or just do

    pwd

    Remember, on my box the /tmp partition has only 5 GB, so remove the pcap file after you have your tcpdump capture.

    The logs are in /log; just do ls -la in the root folder, or

    ls -la /

    To move the pcap off the XG just do

    scp file.pcap root@xxx.xxx.xxx.xxx:/tmp

    or use SFTP with whatever application you like, and analyze that pcap file from another machine.

    Hope this helps.

    Thank you
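
As an added example (this is not code from the original thread or from Sophos), here is a small Python script for the "other machine" the pcap is copied to. It parses a classic pcap captured on the client-facing port and reports, for the client, server and destination port named in one of the "dropped but allowed" log entries, whether packets were seen in both directions (the firewall forwarded the flow), only from the client (the flow was dropped and never answered), or not at all (the capture window and the log entry do not overlap). The embedded sample capture, the addresses 10.0.0.x and 203.0.113.9, and the file name check_flow.py are all constructed assumptions for the example.

```python
"""check_flow.py: does a tcpdump capture agree with the XG log viewer for one flow?

Usage: python check_flow.py file.pcap <client-ip> <server-ip> <dport>
Everything here (sample capture, addresses) is constructed for this example.
"""
import socket
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def iter_frames(pcap: bytes):
    """Yield (ts_sec, frame_bytes) for every record of a classic pcap file."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; capture on an Ethernet port")
    off = 24                       # global header is 24 bytes
    while off + 16 <= len(pcap):   # each record header is 16 bytes
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def parse_ipv4_tuple(frame: bytes):
    """Return (proto, src, sport, dst, dport) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                # ARP, IPv6 and VLAN-tagged frames are skipped
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = None
    return proto, src, sport, dst, dport


def classify_flow(pcap: bytes, client: str, server: str, dport: int, proto: int = 6) -> str:
    """Verdict for one flow from a capture taken on the client-facing port.

    'forwarded': reply packets from the server reached the client, so the firewall
                 passed the flow whatever the log viewer says.
    'dropped':   only client->server packets, never answered.
    'absent':    nothing matching in this capture window.
    """
    seen = Counter()
    for _ts, frame in iter_frames(pcap):
        t = parse_ipv4_tuple(frame)
        if t is None or t[0] != proto:
            continue
        _p, src, sport, dst, dp = t
        if src == client and dst == server and dp == dport:
            seen["forward"] += 1
        elif src == server and dst == client and sport == dport:
            seen["reverse"] += 1
    if seen["reverse"]:
        return "forwarded"
    return "dropped" if seen["forward"] else "absent"


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap raw frames in a classic little-endian pcap container."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


# Constructed sample: one client whose SYN is answered (forwarded) and one whose
# SYN retransmits are never answered (dropped by the firewall).
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.5", "203.0.113.9", 40000, 443, 0x02),   # SYN
    tcp_frame("203.0.113.9", "10.0.0.5", 443, 40000, 0x12),   # SYN/ACK back to client
    tcp_frame("10.0.0.6", "203.0.113.9", 40001, 443, 0x02),   # SYN
    tcp_frame("10.0.0.6", "203.0.113.9", 40001, 443, 0x02),   # SYN retransmit, no reply
])

if __name__ == "__main__":
    if len(sys.argv) == 5:
        with open(sys.argv[1], "rb") as fh:
            verdict = classify_flow(fh.read(), sys.argv[2], sys.argv[3], int(sys.argv[4]))
    else:
        verdict = classify_flow(SAMPLE_PCAP, "10.0.0.5", "203.0.113.9", 443)
    print(verdict)
```

The verdict only means something if the capture was taken on the interface the client sits behind (the tcpdump -i Portxx form above) and covers the timestamp of the log entry; a capture on the WAN port would show forwarded flows after NAT with a different source address.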

  • Thanks for this info.

    Log entries indicating "dropped traffic is allowed anyway" happen mostly in batches, with anywhere from minutes to hours in between. The log file will eventually become gigantic.

    Is it possible to dump the logs onto a USB key instead? I could format a 64 GB USB key and plug it into the appliance in seconds.

    Windows SCP cannot connect to the XG210; the connection is dropped. PuTTY SSH works, but not PuTTY SFTP. I have properly set things up in the XG210's administrative menu (SSH, HTTPS, etc. are enabled).

    PJR

  • Now I am getting ATP alarms!!!

    Besides, the allowed entries, excluding what is coming from our own network, can now be counted in the several hundreds.

    UTQ is also in alert mode.

    The "drop-all rule" has transported 13 MB of stuff today. All desktops are shut down.

    We really need to fix this log issue URGENTLY.

    This situation is absolute nonsense.

  • You cannot get the file from the XG with a traditional file transfer. Try installing WinSCP or FileZilla Server on the Windows machine, turn off the Windows firewall, and transfer/send the file from the XG to Windows, not from Windows to the XG.

    Yes, you can mount the USB for logging. Just write the dump to the USB that you mounted beforehand, with the command

    tcpdump -w /mnt/file.pcap -s0 -b
