
How to record outbound traffic logs to particular destination

We've been using Sophos UTM 9 for a long time now in our application environment to protect a SaaS offering of ours. A component of our app allows our customers to write custom scripts and execute them in parts of their batch processes. These scripts execute on our network and can sometimes call RESTful web services running on a web app in their network. We can see thousands of these requests a second to a particular destination in certain situations. Over the years we've had select customers that have had issues where a small percentage of their requests fail to connect. We've helped improve the experience by adding automatic retries for them. This unfortunately masks the underlying issue, and it always gets kicked down the road.

We've been tracking and focusing on them more lately, trying to eliminate them where possible. We believe it's their side failing to respond to the connection attempt, but I don't know enough to confirm that from our side. We've worked with Sophos support before on this, but they found no dropped packets. In the past couple of months we've managed to completely eliminate these connect failures for a handful of customers by meeting with them and working through the problem with them. Some were using Cisco Firepower Threat Defense firewalls and said they found L7 inspection rules dropping some of the flows. One of them added a fast path pre-filter rule and that eliminated the drops. Another was using a WatchGuard firewall and was originally using an HTTPProxy firewall rule. He replaced the HTTPProxy firewall rule with a standard packet filter rule and that resolved their issues. We still have another handful of customers with similar issues, but we've had difficulty getting through to them because, for whatever reason, our customers' first course of action is always pushing this back on us.

I apologize for the long-winded post. Ultimately my question is: is there a way, utilizing the functionality in Sophos, to identify/prove these scenarios? We're a small shop and just don't have the expertise in house.

Thank you!
