NAT logs

Hi all,

I guess it's a simple question: but where can Masquerading/NAT logs be found?

Thank you in advance



This thread was automatically locked due to age.
  • Hi, Eric, and welcome to the UTM Community!

    You can selectively log NAT rules, and that shows up in the firewall logs.  There is no way to log masquerading. What problem are you trying to solve that led you to ask this question?

    Cheers - Bob

  • Thanks for the answer. Too bad for the masquerading logs.

    On one of our UTMs, the IPS was activated on the WAN interface. Not very useful, but whatever. What is strange is that it dropped some packets originating from our WAN interface IP and targeting some Amazon servers. I was trying to know what sent these packets, with the assumption that it was not my UTM that really sent them.

    I have nothing in the firewall logs that matches the target IP at the time the IPS dropped these packets.

    So I was willing to take the other approach and see if NAT could tell us who was masquerading with this port on the WAN IP at this time.

    I guess I am in front of a dead end then, without possibility to investigate further.

    For information, the IPS rule that was triggered:

    36825

    PUA-ADWARE DealPly Adware variant outbound connection

    Malware

    12

  • Please show the complete line from the log file.

    Cheers - Bob

  • Sure, here it is:

    2016:03:15-12:15:03 <firewall name> snort[15316]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-ADWARE DealPly Adware variant outbound connection" group="500" srcip="<our WAN IP>" dstip="<some public Amazon IP in Ireland>" proto="6" srcport="25882" dstport="80" sid="36825" class="Misc activity" priority="3" generator="1" msgid="0"

    Regards
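Added example, not part of the thread: one way to look for the internal host behind an IPS alert like the one above is to match it against firewall log entries on destination, protocol and time, since the source IP on the alert is the masqueraded WAN address. It assumes logging is enabled on the rule that carries the outbound traffic; the firewall line layout, host name and all IP addresses below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split a UTM log line into its timestamp and key="value" fields."""
    stamp, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["time"] = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
    return fields

def candidates(alert, fw_lines, window=timedelta(seconds=30)):
    """Return (srcip, srcport, port_kept) for firewall entries that could be
    the pre-NAT side of the alert: same destination and protocol, close in time.
    port_kept is True when masquerading left the source port unchanged."""
    hits = []
    for line in fw_lines:
        fw = parse_line(line)
        if fw.get("sub") != "packetfilter":
            continue
        same_flow = all(fw.get(k) == alert.get(k)
                        for k in ("dstip", "dstport", "proto"))
        if same_flow and abs(fw["time"] - alert["time"]) <= window:
            hits.append((fw["srcip"], fw["srcport"],
                         fw["srcport"] == alert["srcport"]))
    return hits

# Constructed sample data. The alert follows the line posted above, with the
# redacted addresses replaced by documentation-range IPs.
ALERT = parse_line(
    '2016:03:15-12:15:03 fw snort[15316]: id="2101" sub="ips" action="drop" '
    'srcip="203.0.113.10" dstip="198.51.100.20" proto="6" srcport="25882" '
    'dstport="80" sid="36825"')
# Assumed firewall (packetfilter) log layout, reduced to the fields used here.
FW_FMT = ('{t} fw ulogd[4711]: id="2001" sub="packetfilter" action="log" '
          'srcip="{s}" dstip="{d}" proto="6" srcport="{sp}" dstport="80"')
FW_LOG = [
    FW_FMT.format(t="2016:03:15-12:05:00", s="192.168.1.40", d="198.51.100.20", sp="40000"),
    FW_FMT.format(t="2016:03:15-12:15:02", s="192.168.1.23", d="198.51.100.20", sp="25882"),
    FW_FMT.format(t="2016:03:15-12:15:03", s="192.168.1.50", d="198.51.100.99", sp="51000"),
]

if __name__ == "__main__":
    for srcip, srcport, port_kept in candidates(ALERT, FW_LOG):
        print(f"candidate {srcip}:{srcport} source port preserved: {port_kept}")
```

An empty result means no logged rule saw the flow, which is consistent with traffic generated by the UTM itself or passing through a rule without logging.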