This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

live monitoring of ping traffic

I'm coming from a Cisco ASA background and am finding the monitoring/logging on the UTM to be a bit difficult. On the ASA I could look a the syslog and see live monitoring of ALL traffic. Then filter accordingly.

The specific thing I'm looking for now is the ability to monitor pings (ICMP). Being as you have to set up ping in the firewall rules I'd think the firewall live log would be the place to look. Well I must be thinking wrong because it is showing neither successful nor non-successful ping traveling from the LAN to the WAN.

I've found that if I search the firewall log, using the search log files tab I can see ping info, but I need to see it live to perform debugging.

Can someone provide me some direction please?



This thread was automatically locked due to age.
Parents
  • Enabling PING through the ICMP tab does not enable "logging" of ping. I recently found out that you have to create a rule on the firewall tab for ping and enable logging on the rule for it to show up in the logs. You have three ways to enable PING. The Global ICMP Settings enable PING/Traceroute together. The PING Settings just enable PING, while the Traceroute Settings just enable Traceroute. You don't "need" to have both the Global ICMP and PING Settings enabled. Even with both of those disabled, you can create a firewall rule to allow ping with logging and a targeted source and destination.

    https://www.sophos.com/en-us/support/knowledgebase/121415.aspx

  • oddlly enough, I did that and still get no ping traffic showing, yes have the log box checked in advance

  • I just tested and in order for it to show in the logs, it appears you have to have the "Global > Allow ICMP through gateway" and "Ping Settings > Gateway forwards pings" settings unchecked for the rule to log it. And you only get one entry per session, not per ping. To see another ICMP entry you have to wait for the session to timeout.

    You also have to make sure that the rule that has logging enabled is higher than any other rule that allows ping.

Reply
  • I just tested and in order for it to show in the logs, it appears you have to have the "Global > Allow ICMP through gateway" and "Ping Settings > Gateway forwards pings" settings unchecked for the rule to log it. And you only get one entry per session, not per ping. To see another ICMP entry you have to wait for the session to timeout.

    You also have to make sure that the rule that has logging enabled is higher than any other rule that allows ping.

Children
  • That didn't work for me either but I'm afraid that it wouldn't be a very good troubleshooting method anyway due to "And you only get one entry per session, not per ping. To see another ICMP entry you have to wait for the session to timeout."


    That is bizarre, I find it hard to believe the webadmin does not offer a straight running syslog with filter options. rather like tcpdump but a bit friendlier and quicker to change filters. In comparison the old ASA becomes state of the art when it comes to troubleshooting.

  • I agree about the live reporting. I come from the Microsoft Threat Management Gateway 2010 world and you never had to enable logging for anything. It was just all logged in real time and had extensive log filtering capabilities built in. All data was logged in a single database or log file. With Sophos UTM, there is no comprehensive way to view all traffic in one place, well formatted, filterable in real time. This makes troubleshooting difficult because usually I am looking for what is not work as expected. However, we also have a competitors product and it is actually less robust in this area.

  • It is as if they had the marketing team tell the engineers to separate everything into little containers to "make it easy" and in doing so made it all but unusable. I guess in the end tcpdump through shell isn't the end of the world, but it is ridiculous for a product being touted to be managed completely through the webadmin. It isn't like the info needs created or gathered, it is there, just needs presented. Engineering please slip this Easter Egg in, we won't tell marketing...promise!

  • It is a major let down on the UTM. It makes it very hard to debug. Hopefully they can get this sorted with maybe some filtering options at the top.

    A live log on a production firewall is a must.....

  • What problem are you trying to solve, Louis?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    we have an ipsec client who terminates on the UTM but then gets natted out to a specific network that is fairly restrictive.

    We need to see traffic coming from the ipsec remote lan and hit the 2nd remote network. We're there but setting it up wasn't easy as it was hard to see where the traffic was going on the live log viewer using ping.