Sophos Central Admin: Sophos Central Engineering will be performing routine maintenance to Sophos Central on Saturday February 1, 2020 starting at 13:00 (UTC). For more info please see KBA 133402.
We'd love to hear about it! Click here to go to the product suggestion community
Quick question: In the new v18-firmware I don't see the ability to send the SSL/TLS Inspection logs to another device via syslog,
It'd be really helpful with troubleshooting if there would be a way to send these logs to a remote machine for processing.
Is there any chance or ETA on when the syslog-options will be extended to include this?
System Services > Log settings.
In reply to Michael Dunn:
Which of all checkboxes is used by the new SSL/TLS Inspection feature?
If I check the appliance log viewer, I see there are log messages containing "log_type="SSL" log_component="SSL"". I would expect to be able to ship these via Syslog to my receiver, but even with all checkboxes checked these messages never show up.
In reply to FrankBarmentlo:
In Log Viewer it is SSL/TLS Inspection.
In syslog it is SSL/TLS Filter. Right beside the Web Filter.
I just confirmed on my box.
Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=5 user_name="" user_gp="" iap=1 category="Information Technology" category_type="Acceptable" url="https://www.example.com/" contenttype="text/html" override_token="" httpresponsecode="" src_ip=10.145.9.146 dst_ip=18.104.22.168 protocol="TCP" src_port=48132 dst_port=443 sent_bytes=79 recv_bytes=1578 domain=www.example.com exceptions= activityname="" reason="" user_agent="curl/7.58.0" status_code="200" transactionid=5df1925d-c83e-4743-ac76-f0826d89eb24 referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=0 application="" app_is_cloud=0 override_name="" override_authorizer="" used_quota="0"
Jan 13 23:00:34 _gateway device="SFW" date=2020-01-13 time=23:00:34 timezone="CET" device_name="SF01V" device_id=SFDemo-5e0e743 log_id=148531619004 log_type="SSL" log_component="SSL" log_subtype="Decrypt" severity=Information user_name="" src_ip=10.145.9.146 status="" message="" timestamp=1578952834 connectionname="" dst_ip=22.214.171.124 user_gp="" src_country=R1 dst_country=USA src_port=48132 dst_port=443 app_name="" con_id=0 rule_id=3 profile_id=1 rule_name=aaa profile_name="Maximum compatibility" bitmask=Valid key_type=KEY_TYPE__RSA fingerprint="7b:b6:98:38:69:70:36:3d:29:19:cc:57:72:84:69:84:ff:d4:a8:89" resumed=0 cert_chain_served=TRUE cipher_suite=TLS_AES_256_GCM_SHA384 sni=www.example.com tls_version=TLS1.3 reason= exceptions="" key_type=KEY_TYPE__RSA key_param="std_event.tlsdata.server_cert_private_key_type_param" category=Information Technology
this is the problem that there is not, but at least in my XG210 with EAP3 nothing like that is available. Most likely do you have a new version of EAP that already contains this option?
In reply to alda:
It has been there for a while. Perhaps a problem with upgrade vs new?
I was just testing a 17.5 -> latest (unreleased) upgrade and it appears.
What is the upgrade history of your box, including any rollbacks.
It's also not showing in my box.
On v18 EAP 3. Fresh install.
if I remember well the clean installation of v17.5 MR8, next backup restore - EAP1 - EAP1Refresh - EAP2 - EAP3 and certainly not any rollback. Could I somehow verify how I installed the updates? UTM v9 has this function in CLI, I don't know if XG has a similar function too?
Thanks. Although I could not reproduce it is now tracked internally as a bug and will be investigated.
Thanks for all the replies and information!
For my box there is no upgrade path from v17.x:
I did a clean install using the SW-18.0.0_EAP1-102.iso on a newly created VM, and installed all updates that my box received from there. I have had SFOS 18.0.0 EAP2/ SFOS 18.0.0 EAP3 installed both, but neither have this option available/
Hence the question if it ever will be added: I'd understand not having the option could be a bug from the upgrading-proces from v17.x tot the new version, but on a clean install it felt a bit odd not to have all functionality available.
I have two test installations of XG v18 EAP3-Refresh1.
The first is HW appliance XG210 installed by MR8 - EAP1 - EAP1-Refresh1 - EAP2 -EAP3 - EAP3-Refresh1 - this installation does not offer SSL / TLS filter in the Content filtering section.
The second is a virtual vmware appliance installed by EAP3 - EAP3-Refresh1 - this installation offers SSL / TLS filter in the Content filtering section.
Does anyone have a similar experience with SSL / TLS filter in the Content filtering section?
Same thing here,
On my SW appliance - It's not showing SSL/TLS Filter in the log settings.
While on my KVM VM It's showing as expected.
Both are running EAP 3 Refresh-1.
In reply to Prism:
As far as I understand it was added in EAP2 but there is a missing upgrade script.
Any box that was installed with 17.5 or 18.0 EAP1 and then upgraded, will not have the checkbox.
Any box that was installed with 18.0 EAP2 or later and then upgraded, will have the checkbox.
Regardless of the above, any box that upgrades to 18.0 GA, will have the checkbox, no matter where they came from.
If you are missing the checkbox and really need it before GA, you'll have to backup, install a fresh copy of EAP3-refresh, and restore.
Actually, if you are missing the checkbox and really need it, you can PM me and I will give you a command to run that will fix it.
Yes I have VM and i also don't see that option.
In reply to VishvasChitale:
checked my settings after the upgrade to EAP3 refresh 1 and the missing boxes are now available.