Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Troubles with tracking activities of a user

Dear Community,

i’m forced with tracking some users behavior, especially if and which private sites they access from their company PC (i.e. youtube, etc.)

I stumbled upon some problems though.

My general understanding is, that the first thing to look at is the „Log Viewer/Web Filter“. When i access that i see all the entries, but the „username“ field is not populated. I do see all users though when i look at "Authentication - Users" with their username, so the firewall knows them.

I looked around for a solution and it was mentioned, that the „Match known users“ box need to be ticked for usernames to appear in the Logviewer, so i did that at the last „default communication“ rule under „Rules and policies“, which allows everything that is not blocked by another rule before.

To my understanding this „Match known users“ uses the „Any“ group (which is already ticked by default in the „User or groups“ list), but as soon as i save that change, my own user account got blocked from accessing any website in the browser, which probably means i would block the access for every user.

My question here: Does „any“ not work in that scenario? When i click on „Add new item“ i see all user accounts and if remove the checkbox from „Any“ here, i can select users individually. Is that the way to go here, to select every user manually? Or should "Any" work and i did something wrong before?


An additional question about the Logviewer: When i select the „Web filter“ and search i.e. for youtube i get results with Youtube in the referrer column and Youtube related links (like ytimg.com or googlevideo.com/videoplayback) in the URL column, but i not see the real URL the user has visited in the browser. Is there any way/another filter where i can access that information?


It was mentioned as well, that web activities are also visible under „Authentication“ - „Users“ - „View usage“, but to my understanding this shows only some general informations like Upload and Download traffic, right? I cannot get additional informations like visited URL’s here?


Thanks a lot for your help
Thomas



This thread was automatically locked due to age.
Parents Reply Children
  • Please post LAN-WAN firewall rule/s configured till now

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • "Any" means "Any authenticated user".  That means the the XG must associate the IP with some user.

    You are testing using your laptop.  And it does not work when you select Any.

    If you go to Live users and search your your laptop's ip address.  I suspect you wont find a user there.

    That means your laptop is accessing without an authenticated user.  I don't know if you intend to or not, I don't know what authentication mechanism you are using.

    In any case, there is no need for the firewall rule to Match known users.  Whether or not the firewall rule matches does not impact whether the user appears in the Web Filter log.  Again, given that the user does not appear, I think they are accessing unauthenticated.


    Now you could go "OMG I have a huge problem here because I thought everyone is authenticated and they are not" and go and figure out what auth method you are using and why it is or is not working.

    Alternately you could shrug and say "I really need to know what this guy is doing, I don't care about auth" and look it up by IP address instead.