UTM 9.4 reporting logging downloads by computername instead of username

UTM 9.4 is reporting web activity by the username correctly, except for downloads. When a user downloads a 500MB ISO, for example, the logging shows the computername / hostname instead of the username. Can anyone help explain why this happens and how to change it, so that all traffic is logged by the user?

We are using standard mode with Active Directory SSO authentication.  We don't have any exceptions configured to skip authentication, and nothing set in the Bypass Users tab, so I am at a loss as to why this is happening.



  • Hi, and welcome to the UTM Community!

    Please show a line from the Web Filtering log file where such a download passed through.  Also, insert a picture of the report that seems erroneous.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, below are some screenshots to better explain the situation. 

    Here is the default Sophos download page, with Sophos and our company branding.  There is a progress bar, and most importantly, the URL has changed to a different address during the download (passthrough.fw-notify.net....).  I believe this is the UTM intercepting the download so it can be scanned before delivery to the browser for the user to download:

    While the download occurs, I tailed the Sophos logs.  Two lines are shown.  
    The first shows all useful information - source/dest IP, user, group and referrer URL.  This is from when I accessed the page where the download was located.
    The second shows what happened when I clicked the download link - now only the source IP and the file to be downloaded are shown, but all other information is stripped, and the URL is now "passthrough.fw-notify.net/..."

    If you then run a report in Sophos, you'll see my username is logged for browsing, but my hostname is logged for the download: 

    As I mentioned earlier, there are no exceptions in place and there should be no reason why my machine would be accessing the internet unauthenticated.

    Then, I looked through every screen and setting and came across this one as an option in exceptions:

    I have worked out that if you make a new exception for users (just my user in this test) where the Download/Scan Page is not displayed, then the logs keep all the information and the URL does not change.  The same two lines from the logs are shown below: 

    And sure enough, re-running the same report shows only my username for the download.
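
The log behaviour described in the post above can be worked around at analysis time by tying each user-less passthrough line back to the last authenticated request from the same source IP. This is an added example, not part of the original thread and not Sophos code. It assumes the Web Filtering log uses `key="value"` fields named `srcip`, `user` and `url`; the sample lines, addresses, user name and URL paths are constructed, and matching by IP is only a heuristic.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

PASSTHROUGH_HOST = "passthrough.fw-notify.net"   # download/scan page host named in the thread
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')          # assumed key="value" log field layout
WINDOW = timedelta(minutes=10)                     # assumed maximum gap between browse and download

# Constructed sample lines (not taken from the poster's screenshots).
SAMPLE_LOG = """\
2016:03:01-10:15:02 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.25" user="jdoe" group="Staff" url="http://downloads.example.com/isos/"
2016:03:01-10:15:09 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.25" user="" group="" url="http://passthrough.fw-notify.net/constructed/big.iso"
2016:03:01-10:20:00 utm httpproxy[4321]: name="http access" action="pass" srcip="10.0.0.40" user="" group="" url="http://passthrough.fw-notify.net/constructed/other.iso"
"""

def parse_line(line):
    """Return the key="value" fields of one log line plus a parsed timestamp."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = datetime.strptime(line.split(" ", 1)[0], "%Y:%m:%d-%H:%M:%S")
    return fields

def attribute_downloads(log_text, window=WINDOW):
    """List (srcip, user or None, url) for every passthrough line that has no user."""
    last_user = {}   # srcip -> (user, time of the last authenticated request)
    results = []
    for line in log_text.splitlines():
        if 'name="http access"' not in line:
            continue
        f = parse_line(line)
        ip, user, url = f.get("srcip"), f.get("user", ""), f.get("url", "")
        if user:
            last_user[ip] = (user, f["ts"])
        elif urlparse(url).hostname == PASSTHROUGH_HOST:
            seen = last_user.get(ip)
            # Only trust the mapping if the same IP authenticated recently.
            who = seen[0] if seen and f["ts"] - seen[1] <= window else None
            results.append((ip, who, url))
    return results

if __name__ == "__main__":
    for ip, who, url in attribute_downloads(SAMPLE_LOG):
        print(ip, who or "UNATTRIBUTED", url)
```

Lines that come back with no user are the ones to review by hand, since a shared or re-leased IP address would make the mapping wrong.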

  • Very cool - I think you've uncovered an undocumented feature! [:O]

    You might make a feature suggestion to have the user's name added to the passthrough line so that reporting is more consistent.

    Cheers - Bob

     