Traffic flow troubleshooting - log file investigation

Haven't installed or used too many Sophos devices, but I have some out there.

Recently had a client report that all software updates have been failing since their Sophos SG115 (UTM9) was installed.

Months ago - nobody thought to let me know.

This unit has a bunch of security things installed:   Web Filter, IPS, etc etc

Been looking through the support site, and I don't see anything that attempts to instruct on using the log files to determine what security module is causing this.   How would a guy interpret them?   There are a bunch of logs - which to use?  How to read them?   If I have to go through every individual log file, is there an ideal order to inspect them in?

When I'm really frustrated, I think this product, as functional and diverse as it is, is not really well-designed.   What good is it that all these modules and features are there if there's no way to manage or troubleshoot it?

Starting to realize, however, that it may not be so much an issue of poor design as it is poor documentation.

Has anyone seen an article that walks someone through the process of searching for what might be blocking a particular type of traffic?

Thanks

  • Regardless of the product, when troubleshooting a problem, there is no good substitute for expert knowledge.   If UTM is new to both you and the client, then one of you should be paying for Sophos Support.

    The next step in troubleshooting is to define the problem.    What network traffic will "software updates" generate?   Once you know that, you know where you are looking for traffic disruptions.

    For most automatic updates, the traffic flows over https, so web filter is the first place to look.   However, UTM comes with factory-supplied exceptions to cover Windows Updates, Adobe Updates, and some other common ones.   Has someone disabled these exceptions?  Which web filtering mode is in use?   Have you turned on Country Blocking?   Your problem is uncommon.

    Other places to look:

    • Firewall log sees traffic NOT handled by web filter, such as traffic on non-standard ports.   Default-block packets should be logged.   You can create new rules to add logging for allowed traffic.   The firewall live log is abbreviated for performance reasons.   View the full log for additional data.
    • Intrusion Protection System can block suspicious web replies.   These will also show up in the Web Filter logs as timeouts (with a later timestamp than the IPS log).

    UTM logging is in syslog format, so it also assumes that you have a SIEM tool to ingest syslog files and analyze them.

    This forum has excellent supplements for what is missing from the documentation.   Read the Wiki section.   Then look at the articles at the top of each sub-topic forum.   Most of them have entries that the moderator has pinned to the top because they provide useful reference material.

    All of this can make you more self-sufficient over time, but we cannot provide a quick fix to a problem caused by running a mission-critical complex device without vendor support.

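The reply above describes a triage order (web filter first, then the firewall log for traffic the proxy never saw, then IPS drops that surface later as proxy timeouts) and notes that UTM writes key="value" syslog lines. The script below is an added example, not code from the thread or from Sophos: it parses lines in that key="value" style, keeps only the entries that involve the affected client, and sorts them into the buckets the reply names, flagging a proxy timeout as a probable IPS block when an IPS drop for the same remote host appears shortly before it. The sample lines are constructed; the timestamp layout and the common fields (sub, action, srcip, dstip, dstport, fwrule, url, statuscode) follow the UTM style as I know it, but treat the exact field names as assumptions and check them against a real export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on UTM's key="value" syslog style.
# Field names beyond the common ones are assumptions, not a vendor spec.
SAMPLE_LOG = """\
2024:03:05-10:00:01 utm ulogd[3120]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.10" proto="6" srcport="51234" dstport="8530" tcpflags="SYN"
2024:03:05-10:00:02 utm httpproxy[2210]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.50" dstip="203.0.113.20" url="https://updates.example.test/catalog.xml" statuscode="200"
2024:03:05-10:00:03 utm snort[1420]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Packet dropped" action="drop" reason="constructed-signature" srcip="203.0.113.30" dstip="192.168.1.50" proto="6" srcport="443" dstport="51240"
2024:03:05-10:00:35 utm httpproxy[2210]: id="0002" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.50" dstip="203.0.113.30" url="https://cdn.example.test/patch.cab" statuscode="504" error="timeout"
2024:03:05-10:00:40 utm httpproxy[2210]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.50" dstip="203.0.113.40" url="https://dl.example.test/setup.exe" statuscode="403" reason="category" category="Downloads"
2024:03:05-10:00:41 utm ulogd[3120]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.77" dstip="203.0.113.10" proto="17" srcport="5000" dstport="5000"
"""

# "YYYY:MM:DD-HH:MM:SS host daemon[pid]: key="value" ..."
HEADER_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of key/value fields plus _ts and _daemon, or None if unparseable."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, _host, daemon, _pid, rest = m.groups()
    rec = dict(KV_RE.findall(rest))
    rec["_ts"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")
    rec["_daemon"] = daemon
    return rec


def involves(rec, ip):
    """True if the client IP is either endpoint (IPS drops on replies list it as dstip)."""
    return ip in (rec.get("srcip"), rec.get("dstip"))


def triage(log_text, client_ip, ips_window=timedelta(seconds=60)):
    """Bucket every entry involving client_ip by the module that interfered with it."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and involves(r, client_ip)]
    ips_drops = [r for r in recs if r.get("sub") == "ips" and r.get("action") == "drop"]
    findings = defaultdict(list)
    for r in recs:
        sub, action, when = r.get("sub"), r.get("action"), f'{r["_ts"]:%H:%M:%S}'
        if sub == "packetfilter" and action == "drop":
            # Traffic the proxy never saw (non-standard ports) ends up here.
            findings["firewall_drop"].append(
                f'{when} rule={r.get("fwrule")} -> {r.get("dstip")}:{r.get("dstport")} proto={r.get("proto")}')
        elif sub == "http" and action == "block":
            findings["webfilter_block"].append(
                f'{when} {r.get("url")} reason={r.get("reason")} category={r.get("category")}')
        elif sub == "http" and r.get("statuscode", "").startswith("5"):
            # A proxy timeout shortly after an IPS drop of the same server's reply
            # is the pattern the reply describes: the IPS entry carries the earlier timestamp.
            prior = [d for d in ips_drops
                     if timedelta(0) <= r["_ts"] - d["_ts"] <= ips_window
                     and d.get("srcip") == r.get("dstip")]
            tag = "probable IPS block" if prior else "timeout, no IPS drop in window"
            findings["webfilter_timeout"].append(f'{when} {r.get("url")} status={r.get("statuscode")} [{tag}]')
        elif sub == "ips" and action == "drop":
            findings["ips_drop"].append(f'{when} from {r.get("srcip")}:{r.get("srcport")} reason={r.get("reason")}')
    return dict(findings)


if __name__ == "__main__":
    # Report in the order the reply suggests looking: web filter, firewall, IPS.
    report = triage(SAMPLE_LOG, "192.168.1.50")
    for bucket in ("webfilter_block", "webfilter_timeout", "firewall_drop", "ips_drop"):
        for entry in report.get(bucket, []):
            print(f"{bucket:18} {entry}")
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the full (not live) firewall, web filter and IPS logs concatenated, and the client's address; entries for other hosts, like the 192.168.1.77 drop in the sample, are ignored so the output stays focused on the one machine that cannot update.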