live monitoring of ping traffic

I'm coming from a Cisco ASA background and am finding the monitoring/logging on the UTM to be a bit difficult. On the ASA I could look at the syslog and see live monitoring of ALL traffic, then filter accordingly.

The specific thing I'm looking for now is the ability to monitor pings (ICMP). Being as you have to set up ping in the firewall rules I'd think the firewall live log would be the place to look. Well I must be thinking wrong because it is showing neither successful nor non-successful ping traveling from the LAN to the WAN.

I've found that if I search the firewall log, using the search log files tab I can see ping info, but I need to see it live to perform debugging.

Can someone provide me some direction please?



  • Enabling PING through the ICMP tab does not enable "logging" of ping. I recently found out that you have to create a rule on the firewall tab for ping and enable logging on the rule for it to show up in the logs. You have three ways to enable PING. The Global ICMP Settings enable PING/Traceroute together. The PING Settings just enable PING, while the Traceroute Settings just enable Traceroute. You don't "need" to have both the Global ICMP and PING Settings enabled. Even with both of those disabled, you can create a firewall rule to allow ping with logging and a targeted source and destination.

    https://www.sophos.com/en-us/support/knowledgebase/121415.aspx

  • Another approach would be tcpdump at the command line:

    tcpdump -ni eth0 icmp

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
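    One way to turn the tcpdump command above into a quick "which pings go unanswered" check during a capture window, as an added example that is not from this thread or from Sophos; it assumes the default tcpdump ICMP output format and uses a constructed sample capture so it can be run offline (run tcpdump itself as root, as discussed later in the thread).

```shell
#!/bin/sh
# Added example: summarize ICMP echo traffic from tcpdump output so a bounded
# capture shows which src > dst flows sent requests but got no replies.
# Live use on the UTM (as root):  tcpdump -nli eth0 -c 50 icmp | icmp_summary
# Expected input is the default tcpdump ICMP line format:
#   <time> IP <src> > <dst>: ICMP echo request, id N, seq N, length N

icmp_summary() {
  awk '
    /ICMP echo request/ {
      dst = $5; sub(/:$/, "", dst)         # strip the trailing colon from "dst:"
      req[$3 " > " dst]++
    }
    /ICMP echo reply/ {
      # a reply travels dst -> src, so credit it to the original request flow
      dst = $5; sub(/:$/, "", dst)
      rep[dst " > " $3]++
    }
    END {
      for (k in req) {
        r = (k in rep) ? rep[k] : 0
        flag = (r < req[k]) ? " UNANSWERED" : ""
        printf "%s requests=%d replies=%d%s\n", k, req[k], r, flag
      }
    }' | sort
}

# Constructed sample capture (not real data): one host gets replies, one does not.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1234, seq 1, length 64
12:00:01.020001 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000001 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1234, seq 2, length 64
12:00:02.020001 IP 8.8.8.8 > 192.168.1.10: ICMP echo reply, id 1234, seq 2, length 64
12:00:03.000001 IP 192.168.1.11 > 10.0.0.5: ICMP echo request, id 77, seq 1, length 64
12:00:04.000001 IP 192.168.1.11 > 10.0.0.5: ICMP echo request, id 77, seq 2, length 64'

# Runs the summary over the constructed sample (offline demonstration).
icmp_summary_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | icmp_summary
}
```

    A flow flagged UNANSWERED from the LAN side is the case being debugged in this thread: the request left the host, but no reply came back through the gateway.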
  • Oddly enough, I did that and still get no ping traffic showing. Yes, I have the log box checked in advance.

  • Bob,


    I logged in as loginuser and ran this command at the prompt

    <M>loginuser@x:/home/login >tcpdump -ni eth0 icmp

    -bash: tcpdump: command not found

    tried

    usr/sbin/tcpdump -ni eth0 icmp

    directory not found

    I was sure tcpdump was pre-installed on 9.403-4, what am I missing?

  • I just tested and in order for it to show in the logs, it appears you have to have the "Global > Allow ICMP through gateway" and "Ping Settings > Gateway forwards pings" settings unchecked for the rule to log it. And you only get one entry per session, not per ping. To see another ICMP entry you have to wait for the session to timeout.

    You also have to make sure that the rule that has logging enabled is higher than any other rule that allows ping.

  • If I remember correctly you have to sudo to Root after connecting as loginuser.

  • That didn't work for me either, but I'm afraid it wouldn't be a very good troubleshooting method anyway due to "And you only get one entry per session, not per ping. To see another ICMP entry you have to wait for the session to timeout."


    That is bizarre; I find it hard to believe the webadmin does not offer a straight running syslog with filter options, rather like tcpdump but a bit friendlier and quicker to change filters. In comparison, the old ASA becomes state of the art when it comes to troubleshooting.

  • The su did the trick, thank you.

  • I agree about the live reporting. I come from the Microsoft Threat Management Gateway 2010 world and you never had to enable logging for anything. It was just all logged in real time and had extensive log filtering capabilities built in. All data was logged in a single database or log file. With Sophos UTM, there is no comprehensive way to view all traffic in one place, well formatted, filterable in real time. This makes troubleshooting difficult because usually I am looking for what is not working as expected. However, we also have a competitor's product and it is actually less robust in this area.

  • It is as if they had the marketing team tell the engineers to separate everything into little containers to "make it easy" and in doing so made it all but unusable. I guess in the end tcpdump through the shell isn't the end of the world, but it is ridiculous for a product being touted as managed completely through the webadmin. It isn't like the info needs to be created or gathered; it is there, it just needs to be presented. Engineering, please slip this Easter Egg in, we won't tell marketing... promise!