This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SNMPTrap VPN SSL real public client ip address

Hello,

We are monitoring VPNSSL for security purpose with snmptraps.

It's working, but in the text send in the trap by the sophos firewall, we don't have the real public client ip address.

Here is an example :

20230308.100302 UDP: [XXX.XXX.XXX.9]:14615->[XXX.XXX.XXX.253]:162
DISMAN-EXPRESSION-MIB::sysUpTimeInstance = 179275369
SNMPv2-MIB::snmpTrapOID.0 = SFOS-FIREWALL-MIB::sfosNotification
SFOS-FIREWALL-MIB::sfosDeviceType.0 = XGS4300_AM01_SFOS
SFOS-FIREWALL-MIB::sfosDeviceFWVersion.0 = 19.0.1 MR-1-Build365
SFOS-FIREWALL-MIB::sfosDeviceAppKey.0 = XXXXXXXXXXXXXXXX
SFOS-FIREWALL-MIB::sfosDeviceName.0 = xxxx.xxxxx.xx
SFOS-FIREWALL-MIB::sfosCurrentDate.0 = Wed Mar  8 10:03:02 2023
SFOS-FIREWALL-MIB::sfosTrapMessage.0 = Alert_Id : 17825 Message : SSL VPN User 'username@domain.local' disconnected

It would be nice to have it in the message to log it and to check if there is any abnormal behavior of our users.
Furthermore, I've been unable to find this information with the GUI.
I had to log in my firewall with SSH and read the /log/ssslvpn.log file, which is not fast at all.

At least, we must have this information somewhere in the GUI, and even better in the snmp traps.

Regard.
Christophe.

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 1 year ago +1 verified

Hello Christophe F , Thank you for reaching out to the community, this is a known issue - NC-107481 , which is fixed in v19.0.2 MR-2, v19.5.1 MR-1, v19.5.3 MR-3 and v20.0.0 EAP .

Parents

+1 Vivek Jagad over 1 year ago

Hello Christophe F ,

Thank you for reaching out to the community, this is a known issue - NC-107481, which is fixed in v19.0.2 MR-2, v19.5.1 MR-1, v19.5.3 MR-3 and v20.0.0 EAP.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Christophe F over 1 year ago in reply to Vivek Jagad

Hello, we have upgraded our firewall to the firmware XGS4300 (SFOS 19.5.1 MR-1-Build278), but the snmptraps are not showing the real Ip address.

And in the logs, the SRC IP is the lan IP Address.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vishal_R over 1 year ago in reply to Christophe F

Hi Christophe F Are you able to see the public SRC IP in the XG GUI - Live log viewer logs or not after upgrading to V19.5.1 MR-1? If it is showing the source IP then the above-mentioned ID is fixed and due to that it is reflecting the source IP details. For SNMP trap IP details that are not reflecting correctly as per your observations you may log a support case to check it further and to confirm more. It may have a high chance, the SNMP trap was having the same working from the beginning. If from the beginning only it is giving leased IP in trap alert in place of public source IP then it may possible that is by design but that can be checked via a Support case.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vishal_R over 1 year ago in reply to Christophe F

Hi Christophe F Are you able to see the public SRC IP in the XG GUI - Live log viewer logs or not after upgrading to V19.5.1 MR-1? If it is showing the source IP then the above-mentioned ID is fixed and due to that it is reflecting the source IP details. For SNMP trap IP details that are not reflecting correctly as per your observations you may log a support case to check it further and to confirm more. It may have a high chance, the SNMP trap was having the same working from the beginning. If from the beginning only it is giving leased IP in trap alert in place of public source IP then it may possible that is by design but that can be checked via a Support case.

Regards,

Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Christophe F over 1 year ago in reply to Vishal_R

no in the live logs, we can see the internal ip address as SRC IP on the line " SSL VPN User 'xxxx@xxxxx' connected".

But, yes I can see the real SRC IP on the line "User xxx@xxxx authenticated successfully to login to SSLVPN through AD authentication mechanism"
Cancel
Vote Up 0 Vote Down

Cancel