
Sophos UTM not logging allowed packets

Hi All,


I am new to forum and new with Sophos.

I do know some basic troubleshooting as the KB was very useful.

We had this one concern where Sophos is not logging allowed packets in the syslog.

Please notice the log:

2018:01:21-14:2029 sg330-1 httpproxy[15747]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass"
method="CONNECT" scrip="172.20.8.103" dstip="206.17.25.188" user="" group="" ad_domain="" statuscode="200" cached="0"
profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="RED_DefaultHTTPCFFAction (Default content filter action)"
size="4737" request="0xafd8d600" url="https://att.inq.com/" referer="" error="" authtime="0" dnstime="2" cattime="0" avscantime="0"
fullreqtime="3246681" device="0" auth="0" ua=""
exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension"

While we want Sophos to log the entire link, which is:

https://att.inq.com/tagserver/launch/requestChatLaunch


Any help on this one.


Thank you in advance.



  • Hi All,

    I think I have found the answer I'm looking for but just need confirmation on this one.

    Do I need to enable HTTPS Inspection?

    Also, upon enabling this,

    What might be the pros and cons?


    Thank you in advance.

  • Hey RicoP.

    So, what you really want is your web protection to log more levels of the URL, instead of only the domain. Is that it? Try changing Logging & Reporting > Reporting Settings > Web Protection Reporting Detail Level to 2 or 3 levels of URL and see if this solves it.

    For HTTPS Inspection I take it you mean enabling "Decrypt & Scan" under HTTPS, right? The pro is that every HTTPS connection will be in fact decrypted and scanned for malware and correctly classified by the filter. The con is that every client using the proxy would need to trust the proxy CA to avoid certificate warnings. Read this article for instructions. Note that not all sites, financial service sites included, do well with this feature, so I would enable it on very specific categories by enabling "Decrypt and scan the following" and picking up a few categories. The default usually works well.

    Regards,

    Giovani
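
The httpproxy line quoted in the first post uses a key="value" format whose values may contain spaces (see the profile field), so a naive split on whitespace breaks it. The following is an added example, not code from the thread or from Sophos, that parses that format and flags whether the url field carries only the host (as in the CONNECT line above, which is all the proxy sees for HTTPS without decryption) or a full path; the sample lines are constructed and the srcip field name is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples in the Sophos UTM httpproxy key="value" format from the thread
# (date/hostname/process prefix omitted). Quoted values may contain spaces.
SAMPLE_LINES = [
    'id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" '
    'action="pass" method="CONNECT" srcip="172.20.8.103" dstip="206.17.25.188" '
    'statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="https://att.inq.com/" ua=""',
    'id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" '
    'action="pass" method="GET" srcip="172.20.8.103" dstip="206.17.25.188" '
    'statuscode="200" url="http://example.test/tagserver/launch/requestChatLaunch" ua=""',
]

# key="value" pairs; the value is everything up to the next double quote,
# so spaces inside a quoted value are preserved and empty values ("") work.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_line(line):
    """Parse one httpproxy log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def url_detail(url):
    """Return 'host' if the logged URL is domain-only, else 'path'."""
    parts = urlsplit(url)
    if parts.path in ("", "/") and not parts.query:
        return "host"
    return "path"


def audit_lines(lines):
    """For each line return (method, host, detail) so an admin can check
    how much of the URL the web filter log actually records."""
    result = []
    for line in lines:
        rec = parse_utm_line(line)
        url = rec.get("url", "")
        host = urlsplit(url).hostname or ""
        result.append((rec.get("method", ""), host, url_detail(url)))
    return result


if __name__ == "__main__":
    for method, host, detail in audit_lines(SAMPLE_LINES):
        print(f"{method:8} {host:25} logged at {detail} level")
```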

  • Hi Giovani,

    I'll try this one and update you ASAP.


    Thank you,

  • Hi Rico and welcome to the UTM Community!

    I've not seen a partial line recorded in the Web Filtering log before. Do a test as follows:

    1. Start the Web Filtering Live Log.
    2. In the 'Filter' box, put att.inq.com and touch enter.
    3. Browse to the full URL.

    What did you see?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    After filtering, same output, att.inq.com.

    I have not yet tried giomoda's advice.

    Update you all once tested.

    Thank you all,