live monitoring of ping traffic

Regarding: "I'm coming from a Cisco ASA background and am finding the monitoring/logging on the UTM to be a bit difficult. On the ASA I could look a the syslog and see live monitoring of ALL traffic. Then filter accordingly. "

You can still log UTM to syslog, just like the Cisco.  This is part of how I troubleshoot.  I never even try to use the live log anymore.  And for live monitoring of ALL traffic, like Bob mentions, tcpdump is awesome.  It does have a bit of a learning curve if you are brand new to it, but you can filter it and see as much (or as little) as you want to see, including ascii dumps of whole packets.  Dump to a file, scp it out, then open  in Wireshark if you must.

This feature is not unique to Sophos UTM by any means, but once you get used to it, using only logs for live troubleshooting seems is incomplete.

Edit:  syslog to Cisco.  Long day, sorry.

Thanks Darrellr. I know Bob has mentioned it plenty of times on here too, so thanks there too Bob.

I actually gave it a shot tonight (tcpdump) and I am quite warming to it. It's very responsive and gives you the info you need and the syntax isn't too bad once you have a few shots of it. I'll endeavor to use it from now on.

Years ago, Jack Daniel, one of the original Astaro gurus, suggested:

A Tcpdump Tutorial and Primer | danielmiessler.com
http://danielmiessler.com/study/tcpdump/

I started with that, but now if I have a specific thing I haven't done before, Google finds it faster than I can work through Miessler's excellent piece.

Cheers - Bob

Is there anyway you can monitor what is going into a vpn tunnel?

As root at the command line, find the REF_ for the site-to-site tunnel named 'Portland':

 cc get_object_by_name 'ipsec_connection' 'site_to_site' 'Portland'|grep 'ref'

Assume that that returns REF_IpsSitPortland.  Now we can watch the traffic in the tunnel with:

espdump -n --conn REF_IpsSitPortland -vv

Cheers - Bob

Wow..... it just gets better! Thank you Bob, that's going to be one of the most useful commands I'll use.

And today I used the ipsec and tcpdump in anger. Brilliant. I'm a convert. We could see traffic hitting interfaces, ipsec tunnel etc.

In fact, I don't think I will use ping as much as I did now and will simply sit there waiting for X packet hitting Y network etc

Is there a way to see what firewall rules a packet hits?

And today I used the ipsec and tcpdump in anger. Brilliant. I'm a convert. We could see traffic hitting interfaces, ipsec tunnel etc.

In fact, I don't think I will use ping as much as I did now and will simply sit there waiting for X packet hitting Y network etc

Is there a way to see what firewall rules a packet hits?

Just a follow up. I've now used this on a frequent basis and would urge all UTM users (especially those with more complex networks) to spend a little time in using tcpdump.

It truly is the best tool I've used on the UTM and I don't go near the live log viewer any more. The level of detail is excellent and once you learn the filtering, it's great. It really has helped me out in the last week or so.

If you are logging to syslog, the rule id is one of the fields that is logged.

Allowed packets are only logged if logging is selected in the firewall rule.

Cheers - Bob