I am noticing a strange behavior in v18 and the data counting in the firewall rules. I have some incoming rules (from Internet to DMZ) that are coupled with corresponding DNAT rules. The DMZ contains webservers, so they send a lot more data than they receive. However, the counters in the rules are the other way around: They show a lot more incoming data than outgoing data.
Unless I am completely misinterpreting these counters (which I would like to rule out), it appears to me these counters have been reversed, e.g. incoming is actually showing outgoing, and outgoing is showing incoming.
In reply to cryptochrome:
I would recommend checking Central Reporting.
Central Reporting is waiting for feedback from the community.
You can simply activate it in Central (EAP).
In reply to LuCar Toni:
Well, I completely forgot about this.
Will be checking it out right now.
That looks interesting. Does this require additional licensing? Or is it part of the XG license?
Licensing: Collecting, storing, and aggregating firewall logs naturally requires compute and storage resources in the data platform. For the EAP, we are providing administrators with a rolling seven days of log retention and reporting data per firewall, at no cost. Additional details will be made available later regarding the licensing options for CFR, which will include both free and premium licensed capabilities.
As mentioned, they are waiting for feedback about their new product in Central (called CFR).
There are some more options for reporting.
I am using CFR and it does not add useful reporting at all. Sorry Luca, but XG reporting is very bad. Please consider me to improve the reporting. Reporting and logging have the same problem: understanding what is happening is very time-consuming! UTM 9 has better reporting by far. I am open to discussing this privately.
In reply to lferrara:
I'm going to bookmark this thread so when I come to discuss the traffic counters with a customer I have some reference material to work through rather than using intuition. Thanks for all the helpful comments.
Thank you for sharing your feedback regarding this topic. I'll forward these over to the Product Team for their consideration.
Thanks LuCar Toni for your explanation and recommendations.
How do I unblock inbound connections that do not match? Please help me. Thank you.
In reply to Clara Tarris:
Please start a new thread on this subject as it is not related to this thread.
Reporting and logging shall have higher priority now.
XG v18 has the features to be used in a production environment (kudos to all of the Sophos team), but now it is time to discuss and improve/redesign logging and reporting.
Can we have an update on this topic?
I am really aware of this issue, as reporting is one way to really understand what is going on, especially now that, with coronavirus, attacks are increasing and traffic must be properly logged and observed.