Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 2 subscribers
  • Views 3177 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Global Monitor??

sargehendricks
Is there a super-secret feature where I can see all traffic to/from a host in real-time along with the policy that may be impacting it?  There have been multiple times where I have needed to figure out why traffic is being blocked, and there is nothing in the rules of the various policies to be the obvious culprit.  I then have to try to go through each feature/application and watch the real-time log as the traffic is attempted.  When I don't see the problem, go to the next feature/application and monitor that.

I'm just curious if there is a single place (I don't care if it's command-line) where I can put in an IP address and see what is dropping/rejecting it's traffic... whether firewall, advance threat protection, IPS, web filtering, application control, etc.  It would make troubleshooting SOOO much faster.

Thank you.


This thread was automatically locked due to age.
Parents
  • 0
    It's not real-time, but you can do something like:

    grep '66\.77\.88\.99' /var/log/*.log |more


    Before I did that, I would try #1 in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    It's not real-time, but you can do something like:

    grep '66\.77\.88\.99' /var/log/*.log |more


    Before I did that, I would try #1 in Rulz.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    BAlfson,

    Thank you for the reply.  Sorry it has take me so long to get back to you, but I have run into another issue where the "Global Monitor" would be very handy.  

    I have been using the live log in the firewall to verify that traffic I am expecting is getting NATed properly and allowed to it's intended destination.  Wireshark traces on the destination device, however, show that the traffic is not getting there.  Since there are only "dumb switches" (no layer 3 switches) between the UTM and the device, I have a feeling that some other component of UTM is denying the traffic.

    I am trying your grep suggestion, because trying to find this needle via all of the individual logs is taking forever.  I'll run the command and let it go, so I can come back and check on it later.

    Thanks for the help!
Unfiltered HTML