Syslog Messages over VPN. VPN is Sophos to Palo Alto

Hey All,

I have a customer who has a Local Australia office and an India office. We have a VPN between the Sophos XG230 Running V18.0.4 to the India Palo Alto.

I am trying to get the Sophos Syslog messages running over the VPN.

I have set the Console Level settings for the Remote Syslog Server to be an SNAT for System messages.

Looking at the traffic logs in the Palo Alto, they appear to receive about 2 packets of Syslog and then stop.

If I edit the Syslog settings, and save them, it appears to get 2 packets again.

I have set up a VPN to my office Sophos XG125 running V18.0.4, created a local Syslog receiver, put in the SNAT settings, and I am receiving a lot of messages.

Is there a way of seeing the System Generated traffic being sent to the VPN? Because it is system generated, it is not in the firewall or other logs.

Maybe there is a kernel log that it is displayed in, or somebody knows a setting for the packet capture which will show the System Generated traffic going out the IPsec VPN.

Thanks

  • I would recommend moving to a route-based VPN instead. A route-based VPN will actually remove the need for those SNAT commands. Simply put a static route in place and start logging.

  • Hi there.

    Thanks for the advice, but unfortunately changing the IPsec tunnel is not something I can do. The management at the Palo side determines the configuration (including creating tunnels that are demand based, but use the HO Palo as the initiator).

    When I installed the XG230 as an upgrade from the XG125, one thing was to keep the XG125 for a short time and test using tunnel interfaces and a route-based VPN, but the Palo side management decided it was not worth the time.

    I am currently stuck with the config as it stands.

    But if I initiate a ping from the Sophos to the Syslog Server, which is on the other side of the VPN, 4 packets are sent and received, but the Palo log shows only 1 log entry for traffic. I would have expected 4.

    I have no access to the Syslog Server and no access to the Palo device, and I have to rely on the overseas management to do the configurations.

    But when I test with a local setup, I see a stream of messages, so my belief is the Sophos side is correct, the Palo side has an issue.

    Regards,

    Gavin Daniels, DipIT (Networking)

  • Tcpdump will not log the traffic for the IPsec tunnel, but the packet capture in WebAdmin does. So try this tool and see what is going through the tunnel.