How do I access the reports on this model?
Unfortunately the XG85 and XG85w do not have on-appliance reporting; they only have 8GB of storage on the appliance, which is just not sufficient. Starting from the XG105 and up, the appliances include SSD storage, which enables on-appliance reporting.
Fortunately this does not mean you don't have access to reporting, it just needs to be external via the iView 2 reporting appliance. The iView appliance is available for deployment of VMware or Hyper-V Infrastructure and 100GB of storage is provided free of charge through "iView Lite" via the Trial option at https://www.sophos.com/en-us/products/next-gen-firewall/free-trial/iview.aspx
Leon Friend
Sophos Sales Engineer
Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
I set up an iView server and my own SG105 device logs to it fine. The XG85w device shows up in the list, so I know my port forwarding/NAT rules are right, but no data. I have all the check boxes checked on the XG device to send data, I tried setting the message level to daemon, kernel, etc. and still nothing shows up.
That's odd. Can you check the following for me (some of this might sound like a recap, but let's verify it all):
- All firewall rules have logging enabled
- The log server is set up with Facility = Daemon & Severity level = Debug
- Under log settings all entries are configured to be forwarded to your log server (i.e. the iView server)
Leon Friend
Sophos Sales Engineer
Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
Not all rules had logging enabled but most did. Now they all do.
Facility was set to Daemon but Severity was set to Information. It is now Debug
Yes, all entries are checked.
So, has anything started to appear in the iView reporting environment?
If it has not, can you see the appliance sending the data?
- Using the packet capture (System > Diagnostics > Packet Capture), use the BPF string "port 514", click OK and then turn the packet capture on.
(You should see a UDP packet leaving the appliance with a destination IP of your iView server and the destination port of 514. You should also see what physical port it is leaving on.)
I am just trying to determine if the appliance is not generating the data or if it is sending it and it is not getting to the iView server.
Leon Friend
Sophos Sales Engineer
Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
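An added example, not part of the original posts: a small parser for syslog payloads copied out of a capture like the one described above. It decodes the facility and severity from each datagram's priority value and tallies log types per sending device. The sample datagrams, addresses, and the `log_type` field name and values are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Standard syslog facility and severity names, indexed by numeric code.
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITY += [f"local{i}" for i in range(8)]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: (source IP, UDP payload). Not real appliance output.
SAMPLE = [
    ("192.0.2.10", b'<30>device_name="SG-sample" log_type="Firewall" fw_rule_id=2'),
    ("192.0.2.10", b'<31>device_name="SG-sample" log_type="Content Filtering"'),
    ("192.0.2.20", b'<30>device_name="XG-sample" log_type="Event" status=ok'),
    ("192.0.2.20", b'truncated payload without a priority header'),
]

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITY[fac], SEVERITY[sev]

def parse_fields(datagram):
    """Parse key=value / key="quoted value" pairs following the PRI."""
    text = PRI_RE.sub(b"", datagram, count=1).decode("utf-8", "replace")
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(text)}

def summarize(datagrams):
    """Per source: count of (facility, severity), log types, malformed payloads."""
    out = defaultdict(lambda: {"pri": Counter(), "log_type": Counter(), "malformed": 0})
    for src, data in datagrams:
        pri = decode_pri(data)
        if pri is None:
            out[src]["malformed"] += 1
            continue
        out[src]["pri"][pri] += 1
        out[src]["log_type"][parse_fields(data).get("log_type", "unknown")] += 1
    return dict(out)

def silent_types(summary, src, expected=("Firewall", "Content Filtering")):
    """Log types a source never sent: data that is not being generated at all."""
    seen = summary.get(src, {}).get("log_type", Counter())
    return [t for t in expected if seen[t] == 0]
```

A source that appears in the summary but is listed by `silent_types` is delivering syslog without that log type, which points at the appliance's logging or policy configuration rather than the network path.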
It does not appear that steady data is coming across. If I change a setting on the XG85w a single line will show up in the iView "Archive / Live Logs" screen. But that's it. No traffic flow data.
Looking at the packet capture logs it appears traffic is going out. Not a ton, but steady.
Clicking all over the iView reports I am finding info from the XG unit. Nowhere near the data flowing in from the SG unit though. The XG does not show up on the Dashboard, which is why I thought nothing was coming over. If I click around the reports and tell it to only show the XG stuff, graphs do show up. Separate issue, but the info is about useless. All I see is rule number 600000 or something. That tells me nothing.
OK, it sounds like the logging is being forwarded correctly. Can you check that you are actually pushing traffic into the Application Classification engine and the Web Filtering engine in the policy rules?
- In each rule that is allowing traffic, make sure you have an "Application Control" policy and a "Web Filter" policy attached (even if it is "Allow All")
- Also check you have an active "Web Protection" subscription
- You can check the local logging under "System > Diagnostics > Log Viewer" and then "Web Filter" or "Application Filter" to see what is being generated locally
- If the subscription is active and the applications are not being identified, check the status of the application classification engine from the console:
system application_classification show
If the result is "off", run:
system application_classification on
Leon Friend
Sophos Sales Engineer
Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP