
NAT logs

Hi all,

I guess it's a simple question: but where can Masquerading/NAT logs be found?

Thank you in advance



  • Hi, Eric, and welcome to the UTM Community!

    You can selectively log NAT rules, and that shows up in the firewall logs. There is no way to log masquerading. What problem are you trying to solve that led you to ask this question?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the answer. Too bad for the masquerading logs.

    On one of our UTM, the IPS was activated on the WAN interface. Not very useful, but whatever. What is strange is that it dropped some packets originating from our WAN interface IP and targeting some Amazon servers. I was trying to know what sent these packets, with the assumption that it was not my UTM who really sent them.

    I have nothing in the firewall logs that matches the target IP at the time the IPS dropped these packets.

    So I was willing to take the other approach and see if NAT could tell us who was masquerading with this port on the WAN IP at this time.

    I guess I am in front of a dead end then, without possibility to investigate further.

    For information, the IPS rule that was triggered:

    36825 | PUA-ADWARE DealPly Adware variant outbound connection | Malware | 12

  • Please show the complete line from the log file.

    Cheers - Bob

     
  • Sure, here it is:

    2016:03:15-12:15:03 <firewall name> snort[15316]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="PUA-ADWARE DealPly Adware variant outbound connection" group="500" srcip="<our WAN IP>" dstip="<some public Amazon IP in Ireland>" proto="6" srcport="25882" dstport="80" sid="36825" class="Misc activity" priority="3" generator="1" msgid="0"

    Regards
  • dstport="80" - Check the Web Filtering log file at that time.

    Cheers - Bob

     
  • Indeed, this led me to find out who was the origin of this IPS trigger.

    Strangely, the IPS logs and the corresponding http logs have exactly 1 min and 1 sec of delay (when IPS logs something at 12:12:06, the corresponding http log is at 12:13:07). But that's really far from my initial post question, so I will stop there.

    Thanks for your valuable help

    Regards
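
The correlation worked out in this thread (IPS alert on the WAN IP, then the Web Filtering log for the same destination) can be scripted. This is an added example, not part of the original thread: all sample lines and IPs are constructed, the Web Filtering field names (`sub="http"`, `srcip`, `dstip`, `url`) are assumptions about that log, and the 120-second window is an assumed tolerance that covers the roughly one-minute offset reported above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines using documentation-range IPs (not real log data).
IPS_LOG = [
    '2016:03:15-12:15:03 fw snort[15316]: id="2101" severity="warn" sys="SecureNet" '
    'sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="PUA-ADWARE DealPly Adware variant outbound connection" group="500" '
    'srcip="203.0.113.10" dstip="198.51.100.20" proto="6" srcport="25882" '
    'dstport="80" sid="36825" class="Misc activity" priority="3"',
]
# Assumed Web Filtering format: same key="value" layout as the IPS line.
HTTP_LOG = [
    '2016:03:15-12:16:04 fw httpproxy[5120]: id="0001" sub="http" action="pass" '
    'srcip="192.168.10.57" dstip="198.51.100.20" url="http://cdn.example.net/u"',
    '2016:03:15-12:16:10 fw httpproxy[5120]: id="0001" sub="http" action="pass" '
    'srcip="192.168.10.12" dstip="198.51.100.99" url="http://www.example.org/"',
    '2016:03:15-14:40:00 fw httpproxy[5120]: id="0001" sub="http" action="pass" '
    'srcip="192.168.10.80" dstip="198.51.100.20" url="http://cdn.example.net/v"',
]

# Timestamp, host name (may contain spaces), daemon[pid], then key="value" pairs.
LINE_RE = re.compile(r'^(\S+) .*? (\w+)\[\d+\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Return the key/value fields of one log line plus a parsed timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group(3)))
    rec["ts"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return rec

def correlate(ips_lines, http_lines, window=timedelta(seconds=120)):
    """Match each IPS alert to proxy requests for the same dstip near in time."""
    http = [r for r in map(parse, http_lines) if r and r.get("sub") == "http"]
    hits = []
    for alert in filter(None, map(parse, ips_lines)):
        if alert.get("sub") != "ips":
            continue
        for req in http:
            delta = req["ts"] - alert["ts"]
            if req.get("dstip") == alert.get("dstip") and abs(delta) <= window:
                hits.append((alert.get("sid"), req.get("srcip"),
                             req.get("url", ""), delta.total_seconds()))
    return hits

if __name__ == "__main__":
    for sid, client, url, offset in correlate(IPS_LOG, HTTP_LOG):
        print(f"sid {sid}: internal client {client} requested {url} ({offset:+.0f}s)")
```

The reported offset for each match makes a constant skew between the two logs visible, which helps pick a sensible window.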