Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 5019 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do I count which firewall rules are used?

stephang_01
I would like to create a spreadsheet listing each firewall rule and how often it is invoked.  I downloaded the Firewall Rules log and there is a "fwrule" column, but for thousands of lines, only three different rules are cited.


This thread was automatically locked due to age.
Parents
  • 0
    Many fwrules, in the log,  are internal firewall rules and don't have a direct correlation to the firewall rules seen in WebAdmin.  Example, fwrule 60001 is NOT firewall rule 1 in WebAdmin.  https://www.sophos.com/de-de/support/knowledgebase/115029.aspx

    If you edit your firewall rules, click advanced, then tick the box for Log Traffic, traffic that triggers a rule will show the WebAdmin rule number (1, 2, 3, 4, etc) in fwrule.  Be aware that based on the hardware you have your UTM running on and the amount of traffic flowing through, this can be very detrimental to system performance.  I would suggest doing this for a finite period of time, then disabling Log Traffic for your rules.  This will establish a baseline.  Then you can redo this on some sort of schedule to get how the data changes over time.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
Reply
  • 0
    Many fwrules, in the log,  are internal firewall rules and don't have a direct correlation to the firewall rules seen in WebAdmin.  Example, fwrule 60001 is NOT firewall rule 1 in WebAdmin.  https://www.sophos.com/de-de/support/knowledgebase/115029.aspx

    If you edit your firewall rules, click advanced, then tick the box for Log Traffic, traffic that triggers a rule will show the WebAdmin rule number (1, 2, 3, 4, etc) in fwrule.  Be aware that based on the hardware you have your UTM running on and the amount of traffic flowing through, this can be very detrimental to system performance.  I would suggest doing this for a finite period of time, then disabling Log Traffic for your rules.  This will establish a baseline.  Then you can redo this on some sort of schedule to get how the data changes over time.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?