
Logging and reporting shows traffic from just one user

Hi All,

I am very new to networking and also to Sophos UTM. I just installed Sophos yesterday and everything else seems to be working fine, except that Logging and Reporting --> Web Protection shows traffic generated by just one user. Here is my setup:

I have a Verizon Fios router & modem where I disabled the wireless functionality, and I put the modem into DMZ to a WAN port (eth1) of my Sophos UTM. I have a wireless router attached to my internal network (eth0). All wired and wireless traffic is distributed from that ASUS wireless router. When I see the web report, I see that all traffic is coming from 192.168.2.2 but my wireless router address is 192.168.3.1.

Is there anything I can do so that traffic is correctly captured in UTM? Is there any way to display the machine name the traffic was generated from instead of the IP address? It is very difficult to relate the machine name to the IP address.

 

I am also concerned about the one and only firewall rule I have created by looking at some tutorial. I have an Internal Network --> Any --> Any rule set up. I heard that it is like disabling the firewall altogether. Can you please suggest what I can do to make it stricter?

I also have two Masq rules:

External (WAN) (address) --> Internal

Internal (Network) --> External (WAN)

Is this the correct Masq rule?

I appreciate it.

 

Thanks



  • Hi Andy and welcome to the UTM Community!

    You should either have no reporting for a feature or reporting for all devices using that feature.  You can try the following to re-initialize your PostgreSQL databases, but you may need to re-install with a new DVD burned at 4x or slower.

    /etc/init.d/postgresql92 rebuild

    To get host names instead of IPs, use DNS best practice if you have an internal DNS server.  If the UTM is doing DHCP for your internal network, study DHCP and "Hosts with static mapping."

    'External (WAN) (address) --> Internal' has no effect.

    One of the unwritten rules here is "one topic per thread" - that's to make it easier for future members to find an answer to their question without starting a new thread that's already been answered.  Please ask your firewall-rule question in the Network Protection forum.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I don't understand what reporting has to do with the PostgreSQL database. I believe it is caused by my wireless router being connected to the UTM internal network, and the IP request is not being passed on to the UTM from my wireless router.

    If I disable DHCP on the wireless router, the whole wireless network in my house ceases to work. I couldn't even access the router's interface. I had to reset the router to get its interface back and enable wireless networking.

    I don't have an internal DNS server. I use Google DNS for DNS resolution.

    The first problem is truly a major issue since I want to see individual computer traffic in my reporting feature. I will appreciate your help.

    Thanks

    Andy

  • Once you get the hang of WebAdmin, you'll really like this.

    The preferred topology is:

    [Internal Wireless Devices]<-->[Wireless Switch]<-->[UTM]<-->Internet

    Making a "Wireless Switch" out of your wireless router can be done in two different ways.  Some will allow you to put the router in bridge mode.  With others, you just tape over the WAN port and connect one of the LAN ports to the UTM instead.  In any case, you will want to disable DHCP on the wireless router and have the UTM do DHCP.

    I assumed that you had searched here and come up with the preferred approach, so you're right that my first response above was off base.

    Also, if you want to have your devices identified by name in Reporting, you will want to have DHCP use Host Definitions to assign static IPs.  Note that all statically-assigned IPs must be outside the dynamic range of your DHCP server definition.

    Cheers -Bob

     
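
A check for the static-mapping rule in the reply above, as an added example that is not part of the thread or of Sophos UTM: it flags host definitions that fall inside the dynamic DHCP range and maps report source IPs back to host names. The network, DHCP pool, host names and log entries are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the thread): internal network, dynamic
# DHCP pool, and static host definitions as name -> IP.
NETWORK = "192.168.2.0/24"
POOL = ("192.168.2.100", "192.168.2.200")
HOSTS = {"laptop": "192.168.2.10", "printer": "192.168.2.11", "tv": "192.168.2.150"}

def audit_static_mappings(network, pool, hosts):
    """Return {host name: problem} for mappings that would not work reliably."""
    net = ipaddress.ip_network(network)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems, seen = {}, {}
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems[name] = "outside the internal network"
        elif lo <= ip <= hi:
            problems[name] = "inside the dynamic DHCP range"
        elif ip in seen:
            problems[name] = f"same IP as {seen[ip]}"
        seen.setdefault(ip, name)
    return problems

def attribute_traffic(source_ips, hosts):
    """Count log records per host name; unmapped sources stay as IPs."""
    by_ip = {ipaddress.ip_address(a): n for n, a in hosts.items()}
    return Counter(by_ip.get(ipaddress.ip_address(s), s) for s in source_ips)

def single_source(source_ips):
    """Return the one source IP if all records share it, else None.

    A single source for every record is the symptom described in this
    thread: a routing/NAT device sits between the clients and the gateway.
    """
    unique = set(source_ips)
    return unique.pop() if len(unique) == 1 else None

if __name__ == "__main__":
    print(audit_static_mappings(NETWORK, POOL, HOSTS))
    log = ["192.168.2.10", "192.168.2.11", "192.168.2.10", "192.168.2.77"]
    print(attribute_traffic(log, HOSTS))
    print(single_source(["192.168.2.2"] * 3))
```
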
  • Bob,

    Thanks for your response.

    As you mentioned, I have the exact same setup:

    [Internal Wireless Devices]<-->[Wireless Switch]<-->[UTM]<-->Internet

    Now we know that the wireless router (wireless switch) is causing an issue because currently it acts as the DHCP provider. I looked at my ASUS router and it has nothing to put it in a bridged mode. It has something called AP (Access Point) mode. Can you please advise on that?

     

    Thanks

    Andy 

  • I would try that to see if it gets an IP for itself from the UTM.  If not, then tape over the WAN port on the ASUS and connect it via a LAN port.

    Cheers - Bob

     