
Hide Default DROP messages in live log

Hello community,

 

Is it somehow possible to hide default drop messages in the live log? This "spamming" makes troubleshooting and configuration much harder, because the live log is harder to read.

 

Have a nice day!



This thread was automatically locked due to age.
  • Hi

    Default Drop messages can be an issue with log size as well. I would suggest creating a default drop rule manually at the bottom and keeping the Log traffic option unchecked. This will not log any of the dropped traffic. The good thing about this: it will reduce resource usage and hard-disk space usage. And the bad thing: you will never know what traffic was dropped by the UTM unless you start a live packet capture to see the traffic.

    Regards

    Jaydeep

  • Hey Jaydeep,

    Thanks for your quick reply. What should such a manual drop rule look like? I searched the forum and found no clear answer.

    I got traffic dropped from LAN to WAN, from WAN to LAN, from LAN to LAN and WAN to WAN.

    Is there any better way than doing this:

    Rule 1 |  Office (Network) | Any | Internet IPv4 | Drop

    Rule 2 |  Internet IPv4 | Any | Office (Network) | Drop

    Rule 3 |  Internet IPv4 | Any | Internet IPv4 | Drop

    Rule 4 |  Office (Network) | Any | Office (Network) | Drop

  • Hallo Erik,

    I recommend against disabling default drops as there is more information useful for debugging in those log lines than in a manual Drop rule that is logged.

    When watching the Firewall Live Log, use the Filter box at the top to limit displayed traffic to just the IP you're working on.

    Your suggested Rule 3 and Rule 4 should have no effect.  Rule 2 also would have no effect unless you had a DNAT or Full NAT that didn't use automatic firewall rules.  Rule 1 would block all outbound traffic except that handled by a Proxy.  In any case, if you did want such a rule, you would want to position it at the bottom as Jaydeep suggests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks BAlfson,

     

    I deleted the rules and will carry on with filtering. fwrule="8" or so helps a lot. At the moment I don't have a performance or storage problem.
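
Added example, not part of the thread and not Sophos code: the filtering approach the replies settle on (narrow the view by IP or by `fwrule`, keep the default drops logged), applied offline to exported firewall log lines. The sample lines are constructed, the `key="value"` layout is assumed from the `fwrule="8"` field quoted above, and treating rule IDs 60001 to 60003 as the built-in default drops is an assumption to verify against your own logs.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real appliance); real logs carry more fields.
SAMPLE_LOG = '''\
2017:03:01-10:15:01 utm ulogd[4321]: sub="packetfilter" action="drop" fwrule="60001" srcip="198.51.100.7" dstip="203.0.113.10" dstport="23"
2017:03:01-10:15:02 utm ulogd[4321]: sub="packetfilter" action="drop" fwrule="60002" srcip="192.168.10.25" dstip="198.51.100.80" dstport="6667"
2017:03:01-10:15:03 utm ulogd[4321]: sub="packetfilter" action="accept" fwrule="8" srcip="192.168.10.25" dstip="203.0.113.53" dstport="443"
2017:03:01-10:15:04 utm ulogd[4321]: sub="packetfilter" action="drop" fwrule="60001" srcip="198.51.100.9" dstip="203.0.113.10" dstport="445"
2017:03:01-10:15:05 utm ulogd[4321]: sub="packetfilter" action="accept" fwrule="8" srcip="192.168.10.40" dstip="203.0.113.53" dstport="443"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumption: IDs the appliance uses for its built-in default drops; verify locally.
DEFAULT_DROP_RULES = {"60001", "60002", "60003"}


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def filter_log(text, ip=None, fwrule=None, hide_default_drops=False):
    """Return parsed entries matching the view filters; the log itself is untouched."""
    entries = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("sub") != "packetfilter":
            continue  # skip blank or unrelated lines
        if ip and ip not in (fields.get("srcip"), fields.get("dstip")):
            continue
        if fwrule and fields.get("fwrule") != fwrule:
            continue
        if hide_default_drops and fields.get("fwrule") in DEFAULT_DROP_RULES:
            continue
        entries.append(fields)
    return entries


def drops_by_rule(text):
    """Count dropped packets per rule ID, so hidden default drops stay visible in aggregate."""
    return Counter(e["fwrule"] for e in filter_log(text) if e.get("action") == "drop")


if __name__ == "__main__":
    for entry in filter_log(SAMPLE_LOG, ip="192.168.10.25"):
        print(entry["action"], entry["fwrule"], entry["srcip"], "->", entry["dstip"])
    print(drops_by_rule(SAMPLE_LOG))
```

Because the filtering happens only in the view, the default drop entries remain in the log for later debugging, and the per-rule count shows how much was hidden.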