
Troubles with tracking activities of a user

Dear Community,

I'm forced to track some users' behavior, especially whether and which private sites they access from their company PC (i.e. YouTube, etc.).

I stumbled upon some problems though.

My general understanding is that the first thing to look at is "Log Viewer/Web Filter". When I access that I see all the entries, but the "username" field is not populated. I do see all users with their usernames when I look at "Authentication - Users", so the firewall knows them.

I looked around for a solution and it was mentioned that the "Match known users" box needs to be ticked for usernames to appear in the Log Viewer, so I did that on the last "default communication" rule under "Rules and policies", which allows everything that is not blocked by another rule before it.

To my understanding this "Match known users" uses the "Any" group (which is already ticked by default in the "User or groups" list), but as soon as I save that change, my own user account gets blocked from accessing any website in the browser, which probably means I would block access for every user.

My question here: Does "Any" not work in that scenario? When I click on "Add new item" I see all user accounts, and if I remove the checkbox from "Any" here, I can select users individually. Is that the way to go, to select every user manually? Or should "Any" work and I did something wrong before?


An additional question about the Log Viewer: When I select "Web filter" and search, e.g., for youtube, I get results with YouTube in the referrer column and YouTube-related links (like ytimg.com or googlevideo.com/videoplayback) in the URL column, but I do not see the real URL the user visited in the browser. Is there any way/another filter where I can access that information?


It was mentioned as well that web activities are also visible under "Authentication" - "Users" - "View usage", but to my understanding this shows only some general information like upload and download traffic, right? I cannot get additional information like visited URLs here?


Thanks a lot for your help
Thomas



  • Hello,

    Thanks for reaching out to Sophos Community.

    Could you confirm whether you can see the user(s) under Current Activities > Live users, and under Log Viewer > Authentication (please check the Status is Successful, and the Username and IP)? Could you also verify that your authentication server is at the top of the list under Authentication > Servers?

    Could you also share your Firewall and Web Filter rule for this? Thank you.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Dear Raphael,

    thank you for your fast response.

    Under "Current Activities - Live Users" I can see users with their username, but I just noticed that I only see those users who are connected via VPN (as they all share the same IP address range).

    Under "Log Viewer - Authentication" I can see a lot of users, most of them from VPN judging by the IP, but also some with a local network IP address as they log on to "My Account" (probably for checking quarantined emails). Those have a successful status and an IP address.

    What would you like to see? A screenshot of the final firewall rule, which allows everything not blocked before it?

    Thanks

    Thomas

  • Hello, 

    Thanks for the additional details. Could you verify whether you have followed the steps outlined in this doc guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/AD/AuthenticationConfigureActiveDirectory/index.html#optional-configure-firewall-rule-to-allow-internet-access

    Also, are the VPN users authenticating locally or via the AD server? Could you please also verify the priority of the authentication methods under Authentication > Services:

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Dear Raphael,

    In all "Authentication - Services" entries (like Firewall, User Portal, VPN Portal, etc.), "local" is the last entry after the different Active Directory servers we use, so the order should be correct.

    The link you posted points to the "optional" part, which describes how to set up groups imported from AD for "match known users". This was actually my question: whether I can use the pre-selected "Any", or whether I need to use another method like selecting all users manually or, as in this example, imported groups.

    So according to that link I cannot use "Any" here?

    Best

    Thomas

  • Hello Thomas,

    You should be able to use "Any". But if you want to allow/deny only specific known groups or users (more specific), then you may use specific users/groups in place of Any.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Dear Raphael,

    thank you for your answer, but as I said, "Any" does not work, at least not with that pre-selected "Any". That's why I asked in the first place what the correct steps are to get "Any" to work.

    Best

    Thomas

  • Please post the LAN-WAN firewall rule(s) configured so far.

    "Sophos Partner: Networkkings Pvt Ltd".


  • "Any" means "Any authenticated user". That means the XG must associate the IP with some user.

    You are testing using your laptop, and it does not work when you select Any.

    If you go to Live users and search for your laptop's IP address, I suspect you won't find a user there.

    That means your laptop is accessing without an authenticated user. I don't know if you intend that or not; I don't know what authentication mechanism you are using.

    In any case, there is no need for the firewall rule to Match known users. Whether or not the firewall rule matches does not impact whether the user appears in the Web Filter log. Again, given that the user does not appear, I think they are accessing unauthenticated.


    Now you could go "OMG I have a huge problem here because I thought everyone is authenticated and they are not" and go and figure out what auth method you are using and why it is or is not working.

    Alternately you could shrug and say "I really need to know what this guy is doing, I don't care about auth" and look it up by IP address instead.
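The two routes the reply above describes (confirm whether an IP was ever associated with an authenticated user, or fall back to the IP itself) can be checked offline against exported logs. The script below is an added example, not part of this thread or of Sophos Firewall; the key="value" field names and the sample log lines are constructed assumptions modelled on syslog-style firewall logs, not real output. It joins each web filter event with the latest successful authentication from the same source IP and, for embedded resources such as ytimg.com or googlevideo.com, reports the referrer as the page the user actually opened.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines (not real firewall output); the key=value
# field names are assumptions modelled on syslog-style firewall logs.
AUTH_LOG = """\
timestamp="2024-05-02 08:01:10" log_component="Firewall Authentication" status="Successful" user_name="thomas" src_ip="10.0.1.25"
timestamp="2024-05-02 08:05:00" log_component="Firewall Authentication" status="Failed" user_name="guest" src_ip="10.0.1.40"
"""
WEB_LOG = """\
timestamp="2024-05-02 08:10:00" log_component="HTTP" user_name="" src_ip="10.0.1.25" url="https://i.ytimg.com/vi/abc/hq.jpg" referer="https://www.youtube.com/watch?v=abc"
timestamp="2024-05-02 08:10:05" log_component="HTTP" user_name="" src_ip="10.0.1.40" url="https://rr1.googlevideo.com/videoplayback" referer="https://www.youtube.com/watch?v=xyz"
timestamp="2024-05-02 08:11:00" log_component="HTTP" user_name="" src_ip="10.0.1.25" url="https://www.youtube.com/watch?v=abc" referer=""
"""

def parse(text):
    """Turn key="value" log lines into dicts, skipping blank lines."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def ts(entry):
    return datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S")

def user_for(ip, when, auth_entries):
    """Most recent successful authentication from `ip` at or before `when`,
    or None when the firewall never associated that IP with a user."""
    hits = [e for e in auth_entries
            if e["src_ip"] == ip and e["status"] == "Successful" and ts(e) <= when]
    return max(hits, key=ts)["user_name"] if hits else None

def attribute(web_log=WEB_LOG, auth_log=AUTH_LOG):
    """Attach a user (or fall back to the IP) to each web event and report the
    site actually visited: the referrer when the URL is an embedded resource."""
    auth = parse(auth_log)
    out = []
    for e in parse(web_log):
        user = e["user_name"] or user_for(e["src_ip"], ts(e), auth)
        page = e["referer"] or e["url"]
        out.append({
            "who": user or f"unauthenticated {e['src_ip']}",
            "site": urlsplit(page).netloc,
            "url": e["url"],
        })
    return out

if __name__ == "__main__":
    for row in attribute():
        print(row)
```

An IP that never appears with a Successful authentication is reported as unauthenticated, which is exactly the situation the reply suspects for the laptop in this thread.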
