We have to log all accesses to certain client systems from now on "for reasons". And actually in such a way that these accesses can be assigned to specific employees.
This should be done for http accesses via the WebProxy (running in transparent mode) as well as all other protocols, especially https and SSH.
Can the UTM do this and if so, how do I set it up?
In perspective, I would like to have a resolution of IP addresses to persons, as I can hardly reconstruct retrospectively who got which DHCP address at what time with which device. There is an extremely loose BYOD policy here :-(
Is there a possibility that access to the customer networks is only allowed after logging on to the UTM?
This should work from OSX, iOS, Windows and Android, from the LAN and from the VPN.
Many thanks for your ideas!
Regards - Chris
Good day, and thanks for reaching out to the Sophos Community. I hope you are well.
For number 1:
- Web Proxy live logs can be viewed in Web Protection > Web Filtering > Live Log
- For HTTPS FW rules, make sure your FW rules have "Log Traffic" checked:
- Logging and Reporting (historical) can also be reviewed under: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/LoggingAndReporting.htm
- For SSH live logs, you can view them under System settings > Shell Access > Live Logs; for CLI/Shell it is in sshd.log
For number 2:
- You may try the Authentication use case, where only those who logged in with the specified credentials will be able to access the web: https://docs.sophos.com/nsg/sophos-utm/utm/9.708/help/en-us/Content/utm/utmAdminGuide/WebProtWebFilteringGlobal.htm
DHCP and BYOD features:
- Lease details are available if you use the UTM as DHCP server:
- I may recommend Sophos Mobile for a more comprehensive solution for the BYOD use case: https://www.sophos.com/en-us/products/mobile-control It supports OS, Android, Windows, macOS. You may contact your local partner / local AM or SE for more details on this.
Hope this helps. Have a nice day and thank you for choosing Sophos
Raphael Alganes, Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
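The answer above covers where the accepted-connection logs come from (a firewall rule with "Log Traffic" checked, the web filter log) and where DHCP lease details live, but the original question also asks to map those source IPs to people despite loose BYOD and changing DHCP addresses. The script below is an added example, not code from the thread or from Sophos: it parses constructed firewall log lines written in a ulogd-style key="value" layout modelled loosely on the UTM packet filter log (the exact field set is an assumption), keeps only accepted connections on port 22 or 443 to an assumed customer network, and resolves each source IP to the DHCP lease that was active at that timestamp, then to an owner via a constructed MAC-to-person registry. The lease duration and all sample data are invented for the demonstration.

```python
"""Attribute logged HTTPS/SSH connections to people via DHCP lease history.

Added example, not from the forum thread or from Sophos. Log line layout,
lease table, BYOD registry and lease duration are all constructed/assumed.
"""
import ipaddress
import re
from bisect import bisect_right
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log. Lines 1, 2 and 4 are accepted connections to a
# customer network (HTTPS, SSH, HTTPS); line 3 goes to the public internet
# and must be ignored. Field names are assumed, not a verified UTM format.
SAMPLE_FW_LOG = """\
2024:03:12-09:15:02 utm ulogd[2123]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" srcip="10.0.1.50" dstip="192.168.200.10" proto="6" dstport="443"
2024:03:12-09:40:17 utm ulogd[2123]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" srcip="10.0.1.50" dstip="192.168.200.20" proto="6" dstport="22"
2024:03:12-10:05:44 utm ulogd[2123]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="10.0.1.50" dstip="93.184.216.34" proto="6" dstport="443"
2024:03:12-14:22:09 utm ulogd[2123]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" srcip="10.0.1.50" dstip="192.168.200.10" proto="6" dstport="443"
"""

# Constructed DHCP lease history: (lease start, IP, MAC, hostname). The same
# IP is handed to a second device later the same day, which is why the lookup
# must be timestamp-aware rather than a plain IP -> MAC dictionary.
SAMPLE_LEASES = [
    ("2024-03-12 08:58:00", "10.0.1.50", "aa:bb:cc:00:00:01", "chris-macbook"),
    ("2024-03-12 12:30:00", "10.0.1.50", "aa:bb:cc:00:00:02", "android-guest"),
]
LEASE_TIME = timedelta(hours=8)          # assumed DHCP lease duration
MAC_OWNERS = {"aa:bb:cc:00:00:01": "Chris"}   # constructed BYOD registry
CUSTOMER_NETS = [ipaddress.ip_network("192.168.200.0/24")]  # assumed
WATCHED_PORTS = {"22": "ssh", "443": "https"}


def parse_fw_line(line):
    """Return (timestamp, fields) for one key="value" log line, else None."""
    ts_str = line.split(" ", 1)[0]        # e.g. 2024:03:12-09:15:02
    try:
        ts = datetime.strptime(ts_str, "%Y:%m:%d-%H:%M:%S")
    except ValueError:
        return None
    return ts, dict(KV_RE.findall(line))


class LeaseTable:
    """Answers 'which device held IP x at time t' from a lease history."""

    def __init__(self, rows, lease_time):
        self.lease_time = lease_time
        self.by_ip = {}
        for start, ip, mac, host in rows:
            started = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
            self.by_ip.setdefault(ip, []).append((started, mac, host))
        for rows_for_ip in self.by_ip.values():
            rows_for_ip.sort()

    def lookup(self, ip, ts):
        """Latest lease of `ip` starting at or before `ts` and not yet expired.

        A newer lease for the same IP supersedes an older one even if the
        older one has not expired, so bisect on the start times.
        """
        rows = self.by_ip.get(ip, [])
        i = bisect_right([r[0] for r in rows], ts)
        if i == 0:
            return None
        start, mac, host = rows[i - 1]
        if ts >= start + self.lease_time:
            return None                   # lease expired, no reliable owner
        return mac, host


def attribute_accesses(fw_log, leases, owners, customer_nets, ports):
    """One record per accepted SSH/HTTPS connection into a customer network."""
    records = []
    for line in fw_log.splitlines():
        parsed = parse_fw_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("action") != "accept" or f.get("dstport") not in ports:
            continue
        dst = ipaddress.ip_address(f["dstip"])
        if not any(dst in net for net in customer_nets):
            continue                      # not a customer system, skip
        lease = leases.lookup(f["srcip"], ts)
        mac, host = lease if lease else (None, None)
        records.append({
            "time": ts, "person": owners.get(mac, "UNKNOWN"), "device": host,
            "mac": mac, "srcip": f["srcip"], "dstip": f["dstip"],
            "service": ports[f["dstport"]], "fwrule": f.get("fwrule"),
        })
    return records


def run_sample():
    """Run the correlation over the constructed sample data."""
    table = LeaseTable(SAMPLE_LEASES, LEASE_TIME)
    return attribute_accesses(SAMPLE_FW_LOG, table, MAC_OWNERS,
                              CUSTOMER_NETS, WATCHED_PORTS)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['time']:%Y-%m-%d %H:%M}  {r['service']:<5} "
              f"{r['srcip']} -> {r['dstip']}  rule {r['fwrule']}  "
              f"{r['person']} ({r['device'] or 'no lease'}, {r['mac']})")
```

The third sample record resolves to the `android-guest` lease but the MAC is not in the registry, so it is reported as `UNKNOWN`: that is the gap a BYOD environment leaves, and it is the reason the thread's second question (forcing an authentication step before customer networks are reachable) matters more than the log format. The correlation is only as good as the retained lease history, so the lease records need to be exported and kept for as long as the access logs are.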
I enabled "WebProxy - Log only-mode" for https. Unfortunately that broke routing for some target hosts through IPSEC LAN tunnel. The proxy grabs all the traffic before any routing or NATing rule can be applied. Is there any solution for that? Whitelisting these targets does not help.
And: I was not looking for logging SSH access to the UTM itself, but for SSH through the UTM to customer sites. I do not need to know what the client does there; I just have to notice that there was an access.
Thanks & cheers - Chris
Good day and hope you are well.
Could you share a screenshot of the said configuration, "WebProxy - Log only-mode"? Thanks
For logs of SSH through the UTM to Cx sites, you need to configure a firewall rule from the designated network to the customer IPs using the SSH service (port 22), then check "Log traffic" on that firewall rule.
Have a nice day and thank you for choosing Sophos
sorry for my delay.
I misspelled the Webproxy: It is "URL filtering only" mode under WebProtection => Webfilter=>"https"
When I switch on this option I can see https traffic in the webfilter logfile. But unfortunately the https traffic for some customer sites that are only reachable via IPSEC tunnel is now broken.
I guess the webproxy grabs that traffic and does not reroute it through the necessary tunnel.
Is there any solution for routing traffic after it has passed the webfilter? Right now I have to disable that option because of this....
Thanks - Chris
For your mentioned use case in Web Filtering, you need to put the LAN network of the branch office on the Web Filtering "Allowed Networks" on the SG device (probably the main/head office, where you want to use the HTTPS proxy).
Then in the VPN settings of the main office > Local Networks, create and use network objects of the branch, and vice versa: the branch should be configured with network definitions and Internet of the head office in its remote networks.
Thank you for your answer.
But it is not a branch. We have IPSEC tunnels to different customers. They work as expected - until I switch on the webfilter for https.
And unfortunately adding the customer target network(s) to Allowed Networks in the webfilter global policies does not help to route the https traffic from the LAN to customer sites via the tunnel again. Clients end up in a timeout and I have to switch off https filtering as soon as I can.
Cheers - Chris