Any way to get detailed inbound/outbound traffic logs?

I can find where to get session info on SSL VPN connections, but I can't find a log showing detailed SSL VPN traffic. Any ideas?



  • Hi  

    You can use Daily Executive reports, which also include information about VPN users and usage. You can configure them at Logging & Reporting > Executive Report > Configuration. Alternatively, you can see reports at Logging & Reporting > Remote Access. And if you want to see detailed SSL VPN logs, including connections being established, please check for SSL VPN logs in Logging & Reporting > View Log Files > Today's Log Files or Logging & Reporting > View Log Files > Archived Log Files.

    Regards

    Jaydeep

  • Hi Ryan,

    If Jaydeep's answer isn't what you were looking for, share with us the motivation for asking your question - what do you want to know?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob/Jaydeep,

     

    Sorry, my question was posted on behalf of someone else and admittedly I rushed it. Basically I'd like to know whether SSL VPN-specific traffic is logged anywhere for an event such as:

     

    "Ryan sent traffic outbound to address 1.1.1.1 at 5:13PM on September 18th through the VPN tunnel."

  • Hi  

    No, it would not be possible for UTM to log the traffic at this level of detail. It would consume the log disk and resources just logging these traffic details, which would be counterproductive to the main purpose of a firewall.

    However, you can use TCPDUMP in an SSH session on the UTM to check live traffic details. Please note that UTM cannot store that for later viewing. Please refer to the KBA "Sophos UTM: How to capture packets and download the Packet Capture" for more details on how to capture live traffic in UTM 9.

    Regards

    Jaydeep
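
An added example, not part of the original thread and not Sophos code: a Python script that reduces saved `tcpdump -n -tttt` text output to one record per VPN client, destination and port, with first/last timestamps. The pool `10.242.2.0/24`, the sample lines and the function names are assumptions constructed for illustration; matching a pool address to a user still depends on the SSL VPN connection log mentioned earlier in the thread.

```python
import ipaddress
import re

# Assumption: the SSL VPN address pool; replace with the pool set on your UTM.
VPN_POOL = ipaddress.ip_network("10.242.2.0/24")

# Constructed sample of `tcpdump -n -tttt` text output (not a real capture).
SAMPLE = """\
2019-09-18 17:13:02.101233 IP 10.242.2.6.51544 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
2019-09-18 17:13:02.120871 IP 1.1.1.1.443 > 10.242.2.6.51544: Flags [S.], seq 9, ack 2, win 65535, length 0
2019-09-18 17:13:02.121002 IP 10.242.2.6.51544 > 1.1.1.1.443: Flags [.], ack 10, win 502, length 0
2019-09-18 17:13:05.400100 IP 10.242.2.7.40000 > 192.168.10.20.3389: Flags [S], seq 5, win 64240, length 0
2019-09-18 17:13:06.000000 IP 10.242.2.6 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
2019-09-18 17:13:07.000000 IP6 fe80::1 > ff02::2: ICMP6, router solicitation, length 8
"""

# Timestamp (fraction dropped), then IPv4 source and destination endpoints.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\S+) > (?P<dst>\S+): "
)

def split_endpoint(text):
    """Split tcpdump's 'a.b.c.d.port' (or a bare 'a.b.c.d') into (ip, port)."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None

def vpn_flows(capture_text, pool=VPN_POOL):
    """Group IPv4 packets sent by VPN pool addresses by (src, dst, dst_port)."""
    flows = {}
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-IPv4 or unparsed lines are skipped
        src_ip, _ = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        if ipaddress.ip_address(src_ip) not in pool:
            continue  # keep only traffic originated by VPN clients
        rec = flows.setdefault((src_ip, dst_ip, dst_port), {"first": m["ts"], "packets": 0})
        rec["last"] = m["ts"]
        rec["packets"] += 1
    return flows

if __name__ == "__main__":
    for (src, dst, port), rec in vpn_flows(SAMPLE).items():
        print(src, "->", dst, port, rec)
```
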

  • Thanks Jaydeep,

     

    Your reply makes a lot of sense, as what I was asking for does seem a little outside of the responsibilities of a router. I suppose there are dedicated hardware appliances that are meant for gathering information like this that we could position between our router and the public internet. Perhaps something like a Unifi Security Gateway device? Does that make sense?

  • I'm still not clear, Ryan.  In your example, is 1.1.1.1 the OpenVPN server that someone connected to from behind the UTM, or is it an internal IP accessed by an SSL VPN client that connected to the UTM, or ???

    Cheers - Bob

     