https://community.sophos.com/utm-firewall/f/network-protection-firewall-nat-qos-ips/90711/firewall-log-interpretationHi there, Thanx in advance for helping me understand Sophos UTM firewall/packagefilter a little more. Having kind a hard time to interpret some firewall logs on my utm 9.411-3. Maybe there is something wrong, maybe i am just not getting the concepten-USTelligent Community 12https://community.sophos.com/thread/329283?ContentTypeID=1Wed, 12 Apr 2017 11:56:22 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:41593234-d5fb-48d0-b283-8947ddbe7eb6BAlfson<p>Hi, Sebastiaan, and welcome to the UTM Community!</p> <p>As Dirk says, the MAC addresses represent the next physical hop to reach an IP - your ISP&#39;s router and your internal switch.</p> <p>Cheers - Bob</p><div style="clear:both;"></div>https://community.sophos.com/thread/328814?ContentTypeID=1Fri, 07 Apr 2017 13:52:26 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:4ab29f13-dbd8-486a-a72d-73878ff92042dirkkotte<p>That&#39;s OK. Thats how IP-routing works.</p> <p>within LAN (same subnet) you see the MAC for every device.</p> <p>With routing you see the MAC of the router for all IP&#39;s behind this device.</p> <p>This can be explained with OSI 7 layer model...</p> <p><a href="https://support.microsoft.com/de-de/help/103884/the-osi-model-s-seven-layers-defined-and-functions-explained">https://support.microsoft.com/de-de/help/103884/the-osi-model-s-seven-layers-defined-and-functions-explained</a></p> <p>The MAC address within packet are from L2. The L2 don#t know something from L3(IP). Here we see only communication between direct linked devices. (Router&lt;-&gt;Firewall or Firewall&lt;-&gt;endsystem)</p><div style="clear:both;"></div>