Log IP addresses trying to connect to WAN port of Sophos XG.

Hello community. I'd like to ask: is there a way to log all IP addresses trying to scan or access the WAN port of the firewall to an external syslog server? Is there a good free syslog server that can be used with Sophos XG?



  • Configure > System Settings > Log Settings lets you establish remote syslog servers: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html . And it appears to be the mechanism by which the firewall reports to Sophos Central.

    In the local Firewall logs, remote hosts probing the firewall generally show up as Log Comp: Appliance, and Log Subtype: Denied, which you should be able to see at the syslog server.

    You don't even have to set up your own syslog server if you use Sophos Central. (I use it for logging, not control, since the XGS 87 doesn't have on-device reporting.) In that case, you can go to Firewall Management > Report Generator (in Sophos Central) and generate a report with Component = Appliance Access and then click on the little spreadsheet+ icon and modify the text to show Src IP and Dest Port and you can then download this as a CSV.

    Looking at the last hour this way, I can see that an IP address in atwar-game.com has hit port 65002 about 70 times. Actually, multiple machines are hitting high ports like 65002 and 65004, for whatever reason. (Sometimes I think such hits can come from my side closing a port before the far end gets to respond, but as far as I know I don't connect to atwar-game.com so I think it's a probe.)

    I also see that my work laptop -- which I have isolated in a separate, internal SSID -- has hit port 137 over 20 times. So the log does include internal Device Access issues, but that's easy to filter out of the CSV.
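
An added example, not part of the original reply: one way to do the CSV filtering described above, dropping internal sources and counting hits per source and port. The column names `Src IP` and `Dest Port` come from the post; the exact CSV layout, the sample rows, and treating RFC 1918 ranges as "internal" are assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: "internal" means RFC 1918 space; adjust to your own LAN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (documentation-range addresses, not real data).
SAMPLE_CSV = """Src IP,Dest Port
203.0.113.45,65002
203.0.113.45,65002
198.51.100.7,65004
192.168.20.15,137
192.168.20.15,137
203.0.113.45,65002
not-an-ip,22
198.51.100.7,
"""

def external_probes(csv_text, src_col="Src IP", port_col="Dest Port"):
    """Return [((src_ip, dest_port), hits), ...] for non-internal sources,
    most frequent first. Rows with an unparsable IP or port are skipped."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address((row.get(src_col) or "").strip())
            port = int((row.get(port_col) or "").strip())
        except ValueError:
            continue  # malformed or truncated export row
        if not 0 <= port <= 65535:
            continue
        if any(src in net for net in INTERNAL_NETS):
            continue  # internal device access, e.g. a laptop hitting port 137
        counts[(str(src), port)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (src, port), hits in external_probes(SAMPLE_CSV):
        print(f"{src:<15} port {port:<5} {hits} hits")
```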
