This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to use Packet Filter option for live logs IP adress

Nick KEY over 1 year ago

Hi,

an I have some information regarding how exactly it is working and can I have some example of it?

how can I set filter?

\.172.\.10\.10\.1

how?

Regards

This thread was automatically locked due to age.

Top Replies

Vishal_R over 1 year ago +1 suggested

Hi Nick KEY If you are referring XG Live Log Viewer filter then the below option will help to add a filter as per your requirements. If below not the one which you are referring in your query then please…

0 Vivek Jagad over 1 year ago in reply to Nick KEY

In that case I'd suggest, open a putty session > login with the root
under the cd /var/log directory and execute the following cmd:
#cat /var/log/packetfilter.log | grep <srcip=x.x.x.x> | grep <dstip=xxxx>

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Nick KEY over 1 year ago in reply to Vivek Jagad

I put on the filtering following

srcip="172.10.10.1" and try to connect

It show me now

UDP 172.10.10.1:500--->20.20.100.12:500

TCP 172.10.10.1:49688--->20.20.100.12:6501

UDP 172.10.10.1:49689--->20.20.100.12:6502

TCP 172.10.10.1:49690--->20.20.100.12:6502

What should I now define as services???
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Nick KEY

Alright so in the following example:

TCP 172.10.10.1:500--->20.20.100.12:500

this is your srcip - 172.10.10.1 | srcport - 49688 | dstip - 20.20.100.12 | dstport - 6501
services are 49688 & 6501
now try to filter out the service/ip you are looking for !

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Nick KEY over 1 year ago in reply to Vivek Jagad

can I create a service from 48000:49999? Or what is the best praxis?

What is with 6501 and 6502 and 500?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Nick KEY

can I create a service from 48000:49999?
Yes, you can > under the Definitions & users > Service definitions
UDP Port 500 service is used for IPsec
TCP Port 6501/6502 are used for endpoint communication.
https://www.auditmypc.com/tcp-port-6501.asp
https://www.auditmypc.com/tcp-port-6502.asp

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Nick KEY over 1 year ago in reply to Vivek Jagad

should I not create services for ports 6501/6502 and 500???? But it seems it is dropped
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to Nick KEY

if the packets are dropped, then no need to create it !
by default any service which is not explicitly allowed in the firewall rules, will be dropped Nick KEY

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Nick KEY over 1 year ago in reply to Vivek Jagad

I will try it without the service definition for ports 6501/6502 and 500, if I have still issue with that ports, can I create it?
Cancel
Vote Up 0 Vote Down

Cancel
+1 Vivek Jagad over 1 year ago in reply to Nick KEY

Yes you can !

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Nick KEY over 1 year ago in reply to Vivek Jagad

I will try it without the service definition for ports 6501/6502 and 500, if I have still issue with that ports, can I create it? Yes Or NOT? What do you mean?
Cancel
Vote Up 0 Vote Down

Cancel