
Log all traffic to specific networks

Hello,

We have to log all accesses to certain client systems from now on "for reasons". And actually in such a way that these accesses can be assigned to specific employees.

Question 1:

This should be done for http accesses via the WebProxy (running in transparent mode) as well as all other protocols, especially https and SSH.

Can the UTM do this and if so, how do I set it up?

Question 2:

In perspective, I would like to have a resolution of IP addresses to persons, as I can hardly reconstruct retrospectively who got which DHCP address at what time with which device. There is an extremely loose BYOD policy here :-(

Is there a possibility that access to the customer networks is only allowed after logging on to the UTM?

This should work from OSX, iOS, Windows and Android, from the LAN and from the VPN.


Many thanks for your ideas!

lg - Chris



  • Hi Chris,

    Good day and thanks for reaching out to Sophos Community, and hope you are well.

    For number 1:

    - Web Proxy live logs can be viewed in Web Protection > Web Filtering > Live Log

    - For HTTPS FW rules, make sure your FW rules have "Log Traffic" checked:

    - Logging and Reporting (historical) can also be reviewed under: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/LoggingAndReporting.htm

    - For SSH live logs, you can view under System Settings > Shell Access > Live Logs, and for CLI/Shell it is under sshd.log

    For Number 2: 

    Authentication:

    - You may try Authentication for the use case where only those who logged in with specified credentials will be able to access the web: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/WebProtWebFilteringGlobal.htm

    DHCP and BYOD features:

    - Lease details are available if you will be using the UTM as DHCP:

    - I may recommend Sophos Mobile for a more comprehensive solution for the BYOD use case: https://www.sophos.com/en-us/products/mobile-control It supports OS, Android, Windows, macOS. You may contact and reach out to your local partner / local AM or SE for more details on this.

    Hope this helps. Have a nice day and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael,

    thank you for your input. 

    Ad Q1:

    For Http I can use http.log - but http is really a minor problem.

    Most traffic uses https, which is not crossing the webfilter. But even in the packetfilter.log this traffic seems not to be logged, although the "log" checkbox is ticked in the firewall rule allowing https.

    When I open "https://Some IP" on an internal client, the CLI

    "tail -f /var/log/packetfilter.log | grep "Some IP""

    shows nothing.

    A quick search for a firewall rule on a lower position allowing https was negative.


    Ad Q2

    AFAIK Authentication is only useful to generally allow clients to use or not use the Webfilter part of the UTM. If https is not running across squid it seems a bit useless - or do I misunderstand something here? If this is enabled - does the UTM log in clear text WHICH user reached out for WHICH website?

    Is there any good tutorial on how to implement webfiltering for https? In former times we struggled a lot with this feature. Esp. as we are a coding company and all the developers have to test again and again their output somewhere out in the web. We had caching issues as well as a lot of work with certificates so some years ago I simply switched off https proxy.

    FW as DHCP is not an option because there is a DMZ between FW and clients and DHCP traffic is not wanted there.

    Thank you for the link to "Sophos Mobile" - but there are too many "personalities" from different companies inside. I will never be able to get all their gadgets and install a "remote control" (description by feeling!) on them.

    Cheers - Chris

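As an added example (not code from the thread or from Sophos), here is the retrospective IP-to-person mapping Chris is after, done offline over a log export: it parses UTM-style key="value" lines, keeps accepted connections into the client networks, and joins the source IP to a user by DHCP lease period. The log lines, the lease history and its format are constructed for the example; the UTM field names used (srcip, dstip, dstport, action) are assumed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the key="value" style of the UTM packetfilter.log.
# These are made-up entries, not real log output.
SAMPLE_LOG = """\
2024:03:01-09:15:02 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" srcip="10.20.0.41" dstip="192.0.2.10" proto="6" srcport="51120" dstport="443"
2024:03:01-09:15:09 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" srcip="10.20.0.41" dstip="203.0.113.5" proto="6" srcport="51121" dstport="443"
2024:03:01-10:02:40 utm ulogd[1234]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" srcip="10.20.0.77" dstip="192.0.2.22" proto="6" srcport="40001" dstport="22"
"""

# Constructed DHCP lease history (start, end, ip, user), exported from wherever
# DHCP actually runs. The format is an assumption for this example.
LEASES = [
    ("2024:03:01-08:00:00", "2024:03:01-12:00:00", "10.20.0.41", "alice"),
    ("2024:03:01-09:30:00", "2024:03:01-13:00:00", "10.20.0.77", "bob"),
]

# The "certain client systems" whose accesses must be recorded (assumed range).
CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]
KV = re.compile(r'(\w+)="([^"]*)"')
TS = "%Y:%m:%d-%H:%M:%S"


def parse_line(line):
    """Split one log line into its timestamp and key/value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, TS)
    return fields


def who_had(ip, when):
    """Return the user holding the lease for ip at time when, or None."""
    for start, end, lease_ip, user in LEASES:
        if lease_ip == ip and datetime.strptime(start, TS) <= when <= datetime.strptime(end, TS):
            return user
    return None


def client_accesses(log_text):
    """List accepted connections into CLIENT_NETS as (time, srcip, user, dstip, dstport)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "accept":
            continue
        if not any(ipaddress.ip_address(f["dstip"]) in net for net in CLIENT_NETS):
            continue  # traffic to other destinations is out of scope
        hits.append((f["ts"].isoformat(), f["srcip"], who_had(f["srcip"], f["ts"]), f["dstip"], f["dstport"]))
    return hits
```

A `None` in the user column flags a source IP with no matching lease, which is exactly the gap the BYOD situation creates.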

  • Hello Chris,

    If management won't give you permission to make changes to the current setup and then support you when people complain, there's no way to accomplish what they want.  I suspect that they will want to find a different solution if they won't agree to give you the support you'll need to lock things down.

    Maybe if we knew the problem they're being confronted with instead of the solution they've imagined, we could be of more help...

    Good luck!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Right you are, and I am sure the CEOs will accept either one thing or the other.

    Right now we are in the middle of a merging process of 6 companies, and I am the only full stack admin and have to integrate a bag of fleas with a bunch of different compliance rules for different customers with different solutions. E.g. I have to bypass the UTM for some people using their "BYOD"-style Fortinet firewall.

    My goal is to get rid of that poisonous zoo and to manage all via ONE user directory and ONE defined infrastructure, as I did for our company.

    That's why I simply want to log things that happen right now...