We are using Sophos UTM as a web proxy, we have multiple internet interfaces.
I'm using a "Multipath" rule to send certain domains out of a certain interface.
But where and in what log will it show me what traffic is going out of what interface? Although the multipath rule is working (I think), I need to confirm a few things (I suspect that HTTP traffic is working fine, as domains specified as example.com load fine via HTTP, inc. subdomains, but not on HTTPS).
Start with the web filtering logs. If you are seeing a lot of Bad Gateway / Host Not reachable events logged, it might be your multipath. Since the symptoms seem related to protocol (HTTP vs HTTPS), it most likely has nothing to do with packet routing, and the logs will give you the best clues. Also check out these forum entries:
Symptoms related to MTU
Problems with Chrome and Firefox since 9.508, when used with Transparent SSO
In reply to DouglasFoster:
Thanks for the reply. They don't really relate to the issue I'm having. Both internet links work fine; it's more a question of how and where I can prove 100% that the rule is working. I think some stuff on this rule isn't working as it should, but I need to know where in the logs it will tell me what interface the traffic is going out of.
For example, I could visit a website and search the logs via SSH, and I see the traffic, but nowhere can I see any flag that tells me what interface this is going out of.
In reply to DuncanNewell:
You can watch the full firewall log via SSH -> tail -f /var/log/packetfilter.log
There you will find your answer.
e.g. 2018:06:13-08:56:20 firewallv8-2 ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth2.124" outitf="ppp0"
Here you can see the in interface (initf) and out interface (outitf).
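One way to answer the "which interface" question from that log, as an added example that is not part of the original reply: it parses the key="value" fields and counts packets per outbound interface, optionally for one destination port so HTTP and HTTPS can be compared. The sample lines are constructed, and the srcip, dstip and dstport fields are an assumption about what follows outitf in the real log.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of the line quoted above.
# Assumption: srcip/dstip/dstport follow outitf (the quoted line stops at outitf).
SAMPLE_LOG = '''\
2018:06:13-09:00:01 utm ulogd: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" outitf="eth1" srcip="192.0.2.10" dstip="198.51.100.7" dstport="80"
2018:06:13-09:00:02 utm ulogd: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" outitf="eth2" srcip="192.0.2.10" dstip="198.51.100.7" dstport="443"
2018:06:13-09:00:03 utm ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcip="192.0.2.11" dstip="203.0.113.9" dstport="443"
2018:06:13-09:00:04 utm ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.50" dstip="192.0.2.1" dstport="22"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one packetfilter line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    return fields


def egress_summary(log_text, dstport=None):
    """Count packets per (outitf, action), optionally for one destination port."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        if dstport is not None and fields.get("dstport") != str(dstport):
            continue
        # A line without outitf is counted under "-" instead of being dropped.
        counts[(fields.get("outitf", "-"), fields.get("action", "-"))] += 1
    return counts


if __name__ == "__main__":
    for port in (80, 443):
        print("dstport", port)
        for (itf, action), n in sorted(egress_summary(SAMPLE_LOG, port).items()):
            print(f"  outitf={itf:<6} action={action:<7} packets={n}")
```

To run it against real data, read a copy of /var/log/packetfilter.log into a string and pass it to egress_summary in place of SAMPLE_LOG.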
"I'm using a "Multipath" rule to send certain domains out of a certain interface."
Interesting. Please show a picture of the Edit of this rule.
Cheers - Bob
In reply to BAlfson:
By default all traffic, let's say, goes out of one interface, and we use the multipath to send certain traffic via another interface.
The "Destination" being a group of domain names.
So, "CloudProxy ..." is a Network Group - that should do what you want! Are all of the members of that group DNS Groups and not DNS Hosts?
Yes, they are DNS groups. Problem seems to be related to some HTTPS domains, but I'm still trying to work out why.