Reporting and Logging: we need a big improvement in these 2 fields

Hi Luk,

agree entirely.

I have been trying to debug an IoT device, all logviewer rules show traffic being handled successfully, but it doesn't work as a result debugging is a bit hit and miss.

Ian

The list is not finished yet. I had to create the post otherwise the timeout could occur:

• Mail usage counts: Now it is not possible to know the number of email processed by XG. You have source, destination, and recipient and so on, but a total number of processed email is needed.
• Number of total blocked email: same as above. The report is not available.
• Wi-Fi: number of bandwidth consumed by each AP and total bandwidth consumed by all APs. For example, you have AP in a branch office behind the red and you want to know which AP is under pressure because it is tool small based on model/number of connections. This report is missing.
• Remote VPN: please put number of connections and usage in the same page. Now you need to move between connection and data transfer.
• Web Server: total number of connections and bytes transferred per Server. If the server where many domains are published, we are not able to understand how much traffic the web server is receiving, sending, attacks and so on.

I want to stop here as the reading becomes to long. Now you can understand why I say that reporting and logging is bad on current XG.

Ian,

I had the issue with the proxy mode for Skype and trust me, you do not understand nothing what is blocking from logging!

Hello luk,

I could only fully agree with your points. On the one hand Sophos implemented nice features (DPI, SSL / TLS, etc.), but logging and reporting is a hell.

Regards

alda

Just to add a real case scenario:

I am using XG v18 with HTTPS enabled. Even with the v17+ I had issue to download files via Skype Application. I am able to send files to my contact but not to download. Few weeks ago I fixed the issue by looking at another competitor forum to understand which domains to put into the exception list because from logging, you are completely blind. After creating the proper web exception list, it worked for few weeks and now download does not work anymore.

I am sure that another domain is missing from the exception list. So let's start as a normal user to find the issue:

• I opened the log viewer and nothing in the IPS, Application filter and into Web or TLS logs.

So I proceed as an advanced user:

• I enabled the debug on awarrenhttp service and nothing comes out that is helpful.
• Drop-packet-capture is completely empty.

Then ad expert:

• tcpdump src 192.168.0.8 and port 443 | grep -v amazon

I found several IP in the list and then I used the whois ip to better understand about the IP, since the DNS is not able to resolve them. After adding 3 Ip (maybe only one was the correct one), I was able to download the file sent yesterday by my colleague.

Is this possible? Is the logging not worst enough from users and advanced users?

Also:

I would like to which IP I added to the web exception list so I went to Admin Log from Log viewer and it only says:

"Web Filter Exception 'HTTPS URL Exceptions' was updated by 'admin' from '192.168.0.8' using 'GUI'"

Ok, but which are the modification that "admin" performed on the object?

A mistery!

Let me upload another case scenario. My Onedrive is not getting sync on my mac.

Here some configuration:

console> show http_proxy
<ENTER> no further known parameters  
console> show http_proxy
HTTP add_via_header: on
HTTP core_dump: off
HTTP relay_invalid_http_traffic: on
HTTP connect_timeout: 60
HTTP tunnel_timeout: 300
HTTP client_timeout: 60
HTTP response_timeout: 60
HTTP proxy_tlsv1_0: on
HTTP captive_portal_tlsv1_0: on
HTTP captive_portal_x_frame_options: off
HTTP block_proxy_loop: off
HTTP disable_tls_url_categories: off

I am using Proxy mode on v18 (a bug on DPI does not allow me to use DPI). Here the steps to find the issue but the logs do not tell why the domain is blocked.

drop-packet-capture is empty. Firewall logs are green and everything is green inside web filtering and:

some packet capture. And going ahead:

I found from awarrenhttp_access.log the following:

1583135089.494173940 [ 9607/0x7fe7f42f1400] fwid=1 fwflag="VS" iap=12 aap=4 conn_id=995654848 id="0001" name="http access" action="pass" method="<unknown>" srcip="192.168.0.8" dstip="40.67.254.36" user="" statuscode=200 cached=0 trxlen=3379 rxlen=11470 url="skydrive.wns.windows.com/" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=11 cattime=56924 avscantime=0 fullreqtime=2684425629 ua="" activity="" av_transaction_id="" categoryname="Skype web exception list" category="1026,29" app_id=0 app_name="None" app_cat="None"  exceptions=""
1583135091.444673254 [ 9607/0x7fe7f42f1400] fwid=7 fwflag="VS" iap=12 aap=4 conn_id=91327936 id="0001" name="http access" action="pass" method="POST" srcip="192.168.0.8" dstip="13.107.136.9" user="lferrara" statuscode=200 cached=0 trxlen=2237 rxlen=2409 url="mydomain-my.sharepoint.com/.../Authenticate referer="" type="application/json" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=63919 cattime=465 avscantime=2162 fullreqtime=212511 ua="Microsoft SkyDriveSync 19.232.1124.0008 ship; Mac OS X 10.15.3" activity="" av_transaction_id="" categoryname="Skip HTTPS Checks Web Categorh" category="1025,1026,29" app_id=1500 app_name="Sharepoint" app_cat="General Business"  exceptions=""

The logs are not saying why the https://skydrive.wns.windows.com/ and mydomain-my.sharepoint.com/personal/luciano_ferrara_mydomain_it are blocked. These 2 domains were responsible for onedrive to not sync.

After adding them inside the web exception list.From the screenshot above, you can see that onedrive is now syncronized. From the screenshot below, I searched the domain inside all files inside /log folder and this is the result:

Very HELPFUL! So tell me again that XG logging is clean and understandable! Competition points out why the domains are blocked on UI, on XG you do not even log inside advanced shell why

the domains were blocked!

Hi folks,

last couple of days i have been trying to use logging to debug some issues I thought I had with SD-WAN and now with an IoT device.

The SD-WAN  policies would pass traffic for some ports in the firewall but not others. Nothing I could locate in the logs provided any useful debugging material, so I asked the forums and received lots of answers that I had the configuration wrong. So after a restore to do additional testing nothing worked with SD-WAN policies anymore but nothing in the logs helped. PCAP indicated there wasn't a NAT rule by showing NAT = 0 but that could also be the default NAT rule which is or was labelled 0.

During EAP I had an issue with one of my IoT devices and with Michael D's help we debugged the issue. Now having performed a restore from the 26th which is actually the last day this IoT controller talked to the world according to the controller, according to XG logs there were transactions all the time. I have spent the last two hours trying to determine why the controller is not online. The logs are no help, they show 443 as being used. I added 443 to the firewall rule and the controller failed, removed allocation filter, IPS no progress, logs still showing connections. Added allow al to thawed policy, still no functioning connection.

Added the application allow all and IPS, back and removed https from the rule. The controller is on-line again. Conclusion is the device is using port 443 but not correctly as https. Next step is how to improve the network security for the controller, at the moment it has its own rule using DPI.

Logs not much use.

Ian

A little issue with the SD-WAN video, it shows a troubleshooting tab, which I could not find on my V18GA.

Another area requiring urgent attention is Intrusion Protection, I will not repeat what I posted during EAP in detail. The IP tab shows activity, when you click on one of the tabs you are shown a report with no details.

Ian

Let me ad some more.

I disabled the IoT device using the clientless active/not active function. Then with the re-enabled connection, still nothing the logviewer.

I found what was wrong with the IoT device but not using the logviewer but the connection list which showed a port being used. Once I applied a refined firewall rule with the missing service and https the device works correctly.

The port went missing in one of my restores.

Ian

Let me add another real scenario happened today.

Customer was looking to replace the appliance built-in certificate with a new one bought from a trusted, external CA.

Customer generated the CSR on XG and uploaded the request to the external CA, then he received the CA and the corresponding certificate. Customer than uploaded the CA in the corresponding CA section and the Certificate in the Certificate section.

All good, certificate CA issuer green and everything Ok. Here the pain:

Customer went to SSL VPN settings to change the Certificate, selected the new Certificate, apply and voilà che SSL VPN is stopping and then SSLVPN service is dead.

The reason? Who knows? Nothing in the UI as expected. The only way to get a proper debug was to go in advanced shell and read the sslvpn.log file. The private key was incorrect or missing.

This was not true and the problem at the end was another. The intermediate CA was missing but nothing in the log. Just from experience that if you do not upload all the CA chain, the certificate is invalid but XG does not say nothing about, it should even prevent the Certificate to upload completely, instead it did.

I have another example of adding an extra ALIAS IP failed too, but I have to collect the corresponding logs. I will do.