

V18 not logging blocked HTTP/HTTPS connections

Hi,

we've got a brand new virtual XG 18 running in Azure. We've set up a firewall rule to restrict our internal servers to which internet servers they can communicate with via HTTP/HTTPS:

The firewall rule itself works fine, but when I check the logs, nothing is being shown as dropped or denied. I need to be able to see which URLs the servers are trying to talk to for troubleshooting. We had a pretty featureless Azure Firewall before which would log it perfectly like this when a server tried to access a URL which wasn't in the firewall rule:

{"msg":"HTTP  request from 10.4.0.5:54785 to nu.nl:80. Action: Deny. No rule matched. Proceeding with default action"}

So how do I get the XG firewall to show me this?



This thread was automatically locked due to age.
  • Create a deny from LAN to WAN before the last firewall rule.

    Regards

  • Hi, thanks for your reply.

     

    I've added the extra firewall rule, and I do indeed see some traffic being blocked, but no web traffic. For instance, when I try to go to apple.com from a server I get this:

    Great!

    But no mention of this in the firewall log:

    Does anybody have an idea what is going wrong?

  • Check web filtering log for more info on http/s traffic.

  • Update: I do see something in firewall log (about a minute later than my actual connection attempt, but whatever):

     

    If I google this IP address, it is something used by Akamai for serving up Apple.com.

    The webfilter log is empty, don't have it configured since we don't have a license for that.

    Why doesn't it show the actual URL being connected to? With all the shared hosting, Akamais and Cloudflares of this world, I really need the domain name, not just an IP address (most likely from some proxy or CDN in the middle).

     

  • Mysolution Systeembeheer said:

    The webfilter log is empty, don't have it configured since we don't have a license for that.

    To be honest, you are asking about logging of blocked web traffic which is what the web protection license is for. Several of the replies in here are specific to those with a web license. I don't think you are going to find as many experts among people who are just using pure firewall rules to allow/block port 80/443. To be honest I don't know what the exact behavior is in an unlicensed web system. That end user page you got with the upside down ice cream cone - that is an error page delivered by either the web proxy or dpi engine.
