
Traffic flow troubleshooting - log file investigation

Haven't installed or used too many Sophos devices, but I have some out there.

Recently had a client report that all software updates have been failing since their Sophos SG115 (UTM9) was installed.

Months ago - nobody thought to let me know.

This unit has a bunch of security things installed:   Web Filter, IPS, etc etc

Been looking through the support site, and I don't see anything that attempts to instruct on using the log files to determine what security module is causing this.   How would a guy interpret them?   There are a bunch of logs - which to use?  How to read them?   If I have to go through every individual log file, is there an ideal order to inspect them in?

When I'm really frustrated, I think this product, as functional and diverse as it is, is not really well-designed.   What good is it that all these modules and features are there if there's no way to manage or troubleshoot it?

Starting to realize, however, that it may not be so much an issue of poor design as it is poor documentation.

Has anyone seen an article that walks someone through the process of searching for what might be blocking a particular type of traffic?

 

Thanks



  • Regardless of the product, when troubleshooting a problem, there is no good substitute for expert knowledge.   If UTM is new to both you and the client, then one of you should be paying for Sophos Support.

    The next step in troubleshooting is to define the problem.    What network traffic will "software updates" generate?   Once you know that, you know where you are looking for traffic disruptions.

    For most automatic updates, the traffic flows over https, so web filter is the first place to look.   However, UTM comes with factory-supplied exceptions to cover Windows Updates, Adobe Updates, and some other common ones.   Has someone disabled these exceptions?  Which web filtering mode is in use?   Have you turned on Country Blocking?   Your problem is uncommon.

    Other places to look:

    • Firewall log sees traffic NOT handled by web filter, such as traffic on non-standard ports.   Default-block packets should be logged.   You can create new rules to add logging for allowed traffic.   The firewall live log is abbreviated for performance reasons.   View the full log for additional data.
    • Intrusion Protection System can block suspicious web replies.   These will also show up in the Web Filter logs as timeouts (with a later timestamp than the IPS log)

    UTM logging is in syslog format, so it also assumes that you have a SIEM tool to ingest syslog files and analyze them.

    This forum has excellent supplements for what is missing from the documentation.   Read the Wiki section.   Then look at the articles at the top of each sub-topic forum.   Most of them have entries that the moderator has pinned to the top because they provide useful reference material.   

    All of this can make you more self-sufficient over time, but we cannot provide a quick fix to a problem caused by running a mission-critical complex device without vendor support.
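The procedure in the reply above (define the destination the updates talk to, then check the Web Filter log, the firewall log and the IPS log for that destination, and remember that an IPS drop shows up in the Web Filter log as a later failure) can be turned into a small script. The example below is added here and is not code from the thread or from Sophos. It assumes the `YYYY:MM:DD-HH:MM:SS host daemon[pid]: key="value" ...` line layout that UTM 9 writes to http.log, packetfilter.log and ips.log, and the field names `sub`, `action`, `dstip`, `url` and `fwrule`; the log lines themselves are constructed samples, and the update server addresses and URLs in them are invented.

```python
"""Find which UTM 9 module blocked traffic to a given update server.

Added example, not from the forum thread. Field names follow the
key="value" convention of UTM 9 logs; the sample lines below are
constructed and their hosts, IPs and URLs are invented.
"""
import re
from datetime import datetime, timedelta

# Prefix as UTM 9 writes it: "YYYY:MM:DD-HH:MM:SS hostname daemon[pid]: ..."
PREFIX_RE = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) ([^\s\[]+)\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
BLOCK_ACTIONS = {"block", "drop", "reject"}

# Constructed sample log lines (values invented, layout per UTM 9 logs).
SAMPLE_LOGS = {
    "http.log": [
        '2018:03:05-09:12:01 utm httpproxy[4021]: id="0001" severity="info" sys="SecureWeb" '
        'sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.20" '
        'dstip="203.0.113.10" url="https://officecdn.example.net/" statuscode="200"',
        '2018:03:05-09:12:07 utm httpproxy[4021]: id="0001" severity="info" sys="SecureWeb" '
        'sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.20" '
        'dstip="203.0.113.10" url="https://officecdn.example.net/pr/" statuscode="0"',
        '2018:03:05-09:15:30 utm httpproxy[4021]: id="0002" severity="info" sys="SecureWeb" '
        'sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.21" '
        'dstip="198.51.100.7" url="https://updates.example.net/pkg.cab" reason="category"',
    ],
    "packetfilter.log": [
        '2018:03:05-09:12:04 utm ulogd[2210]: id="2001" severity="info" sys="SecureNet" '
        'sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
        'srcip="192.168.1.20" dstip="203.0.113.10" proto="6" srcport="50322" dstport="8530"',
    ],
    "ips.log": [
        '2018:03:05-09:12:05 utm snort[3981]: id="2101" severity="warn" sys="SecureNet" '
        'sub="ips" name="packet dropped" action="drop" srcip="192.168.1.20" '
        'dstip="203.0.113.10" srcport="50330" dstport="443"',
    ],
}


def parse_line(line):
    """Return the key="value" fields of one log line plus _ts/_daemon, or None."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    ts, _host, daemon, _pid, rest = m.groups()
    rec = dict(KV_RE.findall(rest))
    rec["_ts"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")
    rec["_daemon"] = daemon
    return rec


def mentions_target(rec, target):
    """True if the destination IP/host/URL fields refer to the update server."""
    return any(target in rec.get(k, "") for k in ("dstip", "dsthost", "url", "host"))


def records_for(logs, target):
    """All parsed records across the given logs that mention the target, time-ordered."""
    recs = []
    for fname, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is not None and mentions_target(rec, target):
                rec["_log"] = fname
                recs.append(rec)
    recs.sort(key=lambda r: r["_ts"])
    return recs


def find_blocks(logs, target):
    """Records where a module actively blocked/dropped traffic to the target."""
    return [r for r in records_for(logs, target) if r.get("action") in BLOCK_ACTIONS]


def earliest_blocker(logs, target):
    """(log file, module, rule-or-reason) of the first block, or None if nothing blocked."""
    hits = find_blocks(logs, target)
    if not hits:
        return None
    first = hits[0]
    return (first["_log"], first.get("sub"), first.get("fwrule") or first.get("reason"))


def correlate_ips(logs, target, window_s=30):
    """Pair each IPS drop with Web Filter entries for the same target that follow
    it within window_s seconds: an IPS block surfaces in http.log only as a later,
    otherwise unexplained failure, so the IPS line is the real cause."""
    recs = records_for(logs, target)
    ips = [r for r in recs if r.get("sub") == "ips" and r.get("action") in BLOCK_ACTIONS]
    web = [r for r in recs if r.get("sub") == "http"]
    window = timedelta(seconds=window_s)
    return [(d, w) for d in ips for w in web if timedelta(0) < w["_ts"] - d["_ts"] <= window]


if __name__ == "__main__":
    target = "203.0.113.10"
    for hit in find_blocks(SAMPLE_LOGS, target):
        print(hit["_ts"], hit["_log"], hit.get("sub"), hit.get("action"), hit.get("fwrule", ""))
    print("first blocker:", earliest_blocker(SAMPLE_LOGS, target))
    for drop, web in correlate_ips(SAMPLE_LOGS, target):
        print("IPS drop at", drop["_ts"], "explains web entry at", web["_ts"], web.get("url"))
```

To use it against a real box, replace `SAMPLE_LOGS` with the contents of the three files (for example, from `/var/log` on the UTM, or as forwarded by syslog) and set `target` to the IP or hostname the updater contacts; the script then lists every block in time order and names the module and firewall rule behind the first one. Anything the target hits on a non-standard port will appear only in packetfilter.log, as the reply above notes, so checking all three logs rather than the Web Filter log alone matters.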

  • Hi Rob and welcome to the UTM Community!

    Actually, there's a ton of stuff documented, and, like any product that's new to us, it takes a while to figure out where to look for what.  We all agree that the depth of documentation doesn't rival Cisco's.

    Please be more specific when you ask for input from others here.  What exact version - 9.506?  Which software updates for what equipment?  Are these software updates supposed to be automatic or ???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Of course you're right - I didn't give much detail.  For a non-specific question, more about finding useful documentation than troubleshooting a specific problem, I figured it wasn't as necessary...

    The device is a SG115 UTM.   FW is currently at 9.510-5

     

    The software updates were just, well, updates:   Microsoft Office, for example.   The special software packages they use for their equipment (they do hearing testing, and fit clients for hearing aids).

    All of the updates fail - depending on the way the software was designed, it either just kept trying forever with no updating being done, or it gave some "updates failed" message.

    When the first SG115 failed (just received the RMA replacement), I swapped in some cheap but functional small business router, and when I had it in place, updates started working normally again.

    To be honest, I hadn't intended for this posting to be an appeal to help with my specific issue.   I was kind of hoping maybe someone might direct me to a doc or two on becoming familiar with the log file organization, and general tips on where or how to look when I wanted to troubleshoot a specific issue.

    I'll keep watching here for more guidance, check out the wiki, look for other articles.   I haven't yet found anything that attempts to familiarize one with the complex log files - at least an overview that a person can use to get started.

    And yes, there is a support agreement on the device - I can contact Sophos for assistance, but even the best tech support can be inconvenient at times.    I opened a ticket last week, waited for 12 hours for them to email me back and suggest I call in.     12 hours for that?   They could have had a bot do that in minutes!

    Lesson learned - no more opening a case by email!

     

    Thanks for your answers - your assistance is appreciated.

    My Rulz thread is one of the links found on my Linkz thread.  I haven't maintained the Linkz thread in a while, but Log names and service locations will interest you.  You will also want to Google:

    site:community.sophos.com/kb UTM log file

    The best way to open a Support ticket for a UTM is https://myutm.sophos.com/.

    I agree with Doug that you probably need to be looking in the Web Filtering log file to solve the updating problem.  My guess is that you have Web Filtering in Transparent mode and that you are scanning HTTPS.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA