Sophos iView
Log Generation
Sophos UTM Firmware Version: 9.209-8
Sophos iView Version: 1.000-11
Document Date: Wednesday, December 10, 2014
Page | 1
Contents
1) Introduction ........................................ 3
2) Basic Prerequisite Configuration .................... 4
3) Firewall Rule Based Usage Logs ..................... 15
4) Web Usage Logs ..................................... 21
5) Blocked Web Attempts Logs .......................... 26
6) Blocked Applications Logs .......................... 28
7) FTP Usage Logs ..................................... 32
8) Mail Usage & Spam Logs ............................. 35
9) Virus Logs ......................................... 39
10) Search Engine Logs ................................ 43
11) Attacks Logs ...................................... 46
12) WAF Logs .......................................... 48
13) VPN Logs .......................................... 53
14) SSL VPN Logs ...................................... 72
Introduction
This document describes how to generate logs in Sophos iView for the different modules of
Sophos UTM. For each module it gives the step-by-step configuration of Sophos UTM that
produces the corresponding logs in Sophos iView.
This document was prepared with Sophos UTM Firmware Version 9.209-8, Pattern Version
70611 and Sophos iView Version 1.000-11.
B. Management
Management -> System Settings -> Organizational
Configure the Organizational Information as shown in the Figure below.
FIGURE: System Setting -> Organizational
2. Fill in the details (Username, Real Name, Email Address, Authentication = Local, Password) and
click Save as shown in the Figure below.
Note: For testing purposes the authentication method Local was selected, but any other
authentication method can be used as well.
FIGURE: Fill new user details
E. Network Protection
Network Protection -> Firewall
A firewall rule must be configured to allow or deny traffic from the internal network to the outside
network, i.e. the Internet. To generate logs it is enough to create a single rule, Rule 6, which allows
any traffic from the source network to the destination network as shown in the Figure below.
The method for creating a rule is described in Firewall Rule Based Usage Logs -> Firewall rule to
allow traffic; follow those steps to create Rule 6 in the same way.
Rule 4 allows traffic from the internal network to any destination network. Rule 5 allows web
traffic from the Wireless Guest Network to the internal IPv4 network. Rule 6 allows all other traffic
from any source network to any destination network, e.g. IPsec VPN, SSL VPN, PPTP VPN and L2TP VPN.
Note: An any-to-any allow rule such as Rule 6 is acceptable only in this lab set-up for log
generation. In production, rules should permit only the traffic that is actually required, with
logging enabled on the deny rules so that unexpected traffic shows up in the reports.
FIGURE: Firewall Rule
The Firewall Rule Based Usage widgets listed below can be populated in Sophos iView by configuring
a firewall rule in Sophos UTM that first allows, and then denies, all traffic from the internal
network to the Internet.
1.
2.
3.
4.
To configure the firewall rule in Sophos UTM in these two ways, follow the steps below:
1.
2.
3.
4.
5.
FIGURE: Click on New rule (Network Protection -> Firewall -> Rules)
3. Set Position = Top. To configure Sources, Services and Destinations, click the Browse button
(next to the + button) and select the appropriate definitions as shown in the Figure below.
Set Action = Allow and enable Log traffic by ticking its checkbox.
FIGURE: Configure Firewall Rule
4. Save the rule. It is created in disabled status as shown in the Figure below.
FIGURE: New rule created with rule no. 5 in disabled status
FIGURE: Firewall Rule Based Usage Logs in Sophos iView for Allow Traffic (Left side widgets)
3. To change the action to Drop, open the Action dropdown list and select Drop. See the Figure below.
FIGURE: Select Action=Drop to deny traffic
4. Click Save. Rule 5 now appears as shown in the Figure below.
FIGURE: Rule no. 5 to deny all traffic.
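As an added example, not part of the original document, here is a small Python parser for the key="value" lines that Sophos UTM writes for packet filter events, which is the raw material iView aggregates into the Firewall Rule Based Usage widgets (rule hit counts, allowed versus dropped traffic, top sources). The sample log lines, the field names, the rule numbers and the log path mentioned in the comments are constructed for this example and are assumptions about the log format; compare them with the packet filter log on your own UTM before relying on the parser.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the Sophos UTM packet filter log
# (syslog prefix followed by key="value" pairs). Field names, rule numbers and
# addresses are assumptions made for this example, not a capture from the lab.
SAMPLE_LOG = """\
2014:12:10-10:01:02 utm ulogd[4860]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.20.22.131" dstip="8.8.8.8" proto="17" length="71" srcport="51234" dstport="53"
2014:12:10-10:01:03 utm ulogd[4860]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="5" initf="eth0" srcip="10.20.22.131" dstip="93.184.216.34" proto="6" length="60" srcport="49152" dstport="80"
2014:12:10-10:01:04 utm ulogd[4860]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="5" initf="eth0" srcip="10.20.22.131" dstip="93.184.216.34" proto="6" length="60" srcport="49153" dstport="443"
2014:12:10-10:01:05 utm ulogd[4860]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="5" initf="eth0" srcip="10.20.22.132" dstip="93.184.216.34" proto="6" length="60" srcport="49154" dstport="443"
not a packet filter line at all
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
_PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<rest>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not
    packet filter events (other daemons, truncated lines, garbage)."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = dict(_KV.findall(m.group("rest")))
    if fields.get("sub") != "packetfilter":
        return None
    fields.update(ts=m.group("ts"), host=m.group("host"), proc=m.group("proc"))
    return fields


def parse_log(text):
    """Yield parsed events from a multi-line log, skipping unparsable lines."""
    for line in text.splitlines():
        event = parse_line(line)
        if event is not None:
            yield event


def rule_usage(text):
    """Count events per (firewall rule, action), which is what the rule-based
    usage widgets show. A rule that only ever drops deserves a look: either it
    is the intended deny, or traffic you expected to allow is being caught."""
    return Counter((e.get("fwrule", "?"), e.get("action", "?")) for e in parse_log(text))


def top_sources(text, action="drop", n=5):
    """Most frequent source IPs for a given action, e.g. the internal hosts
    whose traffic is being dropped most often."""
    return Counter(e["srcip"] for e in parse_log(text)
                   if e.get("action") == action and "srcip" in e).most_common(n)


def bytes_by_rule(text):
    """Sum the logged packet lengths per rule (a rough traffic-volume view)."""
    totals = Counter()
    for e in parse_log(text):
        totals[e.get("fwrule", "?")] += int(e.get("length", 0))
    return dict(totals)


if __name__ == "__main__":
    for key, count in sorted(rule_usage(SAMPLE_LOG).items()):
        print("rule %-6s %-7s %d" % (key[0], key[1], count))
    print("top dropped sources:", top_sources(SAMPLE_LOG))
    print("bytes by rule:", bytes_by_rule(SAMPLE_LOG))
```

Feed it a real log instead of SAMPLE_LOG to check that the counts in the iView widgets match what the UTM actually logged; a mismatch usually means the rule's Log traffic checkbox is off or the syslog forwarding to iView is incomplete.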
Now create a policy to apply different Filter Actions to specific users, groups or time periods.
Follow the process below to add a Web Filtering policy.
1. Go to Web Filtering -> Policies.
2. Click the + button to add a policy.
3. Enter the following details: Name, Users/Groups, Time Event and Filter Action (the Default Filter
Action is configured here) as shown in the Figure below.
6. Enable/activate the policy by clicking the toggle button next to the policy name. See the Figure
below.
4. Click Next.
5. Enable the policy Policy1 as shown in the Figure below.
FIGURE: Enable Web Filtering Policies Policy1 (Web Filter Profiles -> Filter Profiles)
7. Generate some web traffic and you will see the live log (Web Protection -> Web Filtering -> Global ->
click the Open live log button) as shown in the Figure below.
FIGURE: Live Log of Sophos UTM Web Filtering after generating Web Traffic from Sophos UTM
You can find the Sophos UTM web filtering logs in Sophos iView at REPORTS -> Web Usage as shown in
the Figure below.
FIGURE: Web Usage logs in Sophos iView.
2. Click Control this Application and select all the applications that you want to block. Here all
applications were selected for log generation as shown in the Figure below; then click Apply.
FIGURE: Select All Application to Control
4. After saving, the new rule appears as shown in the Figure below.
FIGURE: Application Control Rules to Block Application Traffic
5. Now generate some traffic for a few applications and click Open live log from Web Protection ->
Application Control -> Application Control Rules; you will get results as shown in the Figure below.
Note: As shown in the Figure below, all blocked application traffic falls under Application Control
Rule # 1 because only one rule, with rule ID 1, was created. To produce logs with Application
Control Rule IDs other than 1, configure multiple Application Control Rules in Sophos UTM for the
different applications as required.
You can find Sophos UTM Application Control traffic in Sophos iView at REPORTS -> Blocked Application
as shown in the Figure below.
FIGURE: Blocked Application logs in Sophos iView
B. Antivirus Configuration
Configure Antivirus from FTP -> Antivirus
2. Configure Antivirus from Web Protection -> FTP -> Antivirus as shown in the Figure below.
You can find Sophos UTM FTP usage logs in Sophos iView at REPORTS -> FTP Usage as shown in the
Figure below.
FIGURE: FTP Usage logs in Sophos iView.
B. Antivirus Configuration
Configure Antivirus from POP3 -> Antivirus
2. Configure Antivirus from Email Protection -> POP3 -> Antivirus as shown in the Figure below.
C. AntiSpam Configuration
Configure AntiSpam from POP3 -> AntiSpam
3. Configure AntiSpam from Email Protection -> POP3 -> AntiSpam as shown in the Figure below.
FIGURE: Configure AntiSpam (Email Protection -> POP3 -> AntiSpam)
You can find Sophos UTM Email Protection logs in Sophos iView at REPORTS -> Mail Usage and the spam
logs at REPORTS -> Spam, as shown in the Figures below.
FIGURE: Mail Usage Logs in Sophos iView.
Virus Logs
There are three types of virus logs: Web Virus, Mail Virus and FTP Virus. To generate all of them,
first download test virus files to your system. The files were downloaded from the links below (the
first, second and fourth point to a lab-internal test server).
1) http://172.16.5.222/test/virus/
2) https://172.16.5.222/test/virus/
3) http://www.eicar.org
4) ftp://172.16.5.222
Note: The EICAR file from eicar.org is a harmless, standardised antivirus test file that every
scanner detects by design. Use it, rather than live malware samples, for this kind of test.
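As an added example, not part of the original document, the Python script below builds the EICAR test file locally so that the Web, Mail and FTP antivirus scanners can be exercised without handling real malware: the 68-byte EICAR string is public and every mainstream scanner detects it by design. The script also wraps the file in a ZIP archive, which is useful for checking that archive scanning is enabled on the mail and FTP proxies. The published MD5 and SHA-256 of the file are used to check that the string was assembled correctly; the output directory is an assumption (a temporary directory is used when none is given).

```python
import hashlib
import os
import tempfile
import zipfile

# The EICAR test string (see eicar.org). It is assembled from three pieces at
# run time so that a scanner matching on the literal string does not flag this
# script itself; the resulting file, of course, is meant to be flagged.
_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
          "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
          "$H+H*")

# Published checksums of the 68-byte test file.
KNOWN_MD5 = "44d88612fea8a8f36de82e1278abb02f"
KNOWN_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes():
    """Return the canonical 68-byte EICAR test file content."""
    return "".join(_PARTS).encode("ascii")


def verify(data):
    """True if data is exactly the canonical EICAR file. The spec allows
    trailing whitespace up to 128 bytes total, but the checksums above only
    hold for the bare 68-byte form, which is what the proxies should see."""
    return (len(data) == 68
            and hashlib.md5(data).hexdigest() == KNOWN_MD5
            and hashlib.sha256(data).hexdigest() == KNOWN_SHA256)


def write_test_files(directory=None):
    """Write eicar.com, eicar.com.txt and eicar_com.zip into directory (a fresh
    temporary directory when none is given) and return their paths. Use these
    as the 'virus files' served over HTTP/FTP or attached to test mails."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="eicar-")  # assumption: any writable dir
    data = eicar_bytes()
    if not verify(data):
        raise ValueError("EICAR string was not assembled correctly")
    plain = os.path.join(directory, "eicar.com")
    with open(plain, "wb") as f:
        f.write(data)
    txt = os.path.join(directory, "eicar.com.txt")
    with open(txt, "wb") as f:
        f.write(data)
    archive = os.path.join(directory, "eicar_com.zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", data)  # nested copy: tests archive scanning
    return [plain, txt, archive]


if __name__ == "__main__":
    for path in write_test_files():
        print(path)
```

Run it on the machine that hosts the test web/FTP server or that sends the test mails. If a scanner on that machine deletes the files as soon as they are written, that is the expected behaviour; exclude the output directory there, not on the UTM.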
A. Web Virus
1. To generate Web Virus (http/https) logs, configure Web Filtering in the Web Protection module as
described in Web Usage Logs above. Then download virus files from the links above as shown in the
Figure below.
FIGURE: Download Web Virus using above links
You can find Web Virus logs in Sophos iView at REPORTS -> Virus -> Web Virus as shown in the Figure below.
B. Mail Virus
2. To generate Mail Virus logs, configure the Email Protection module as described in Mail Usage &
Spam Logs above. Then send/receive mail with the virus files as attachments as shown in the Figure
below.
FIGURE: Send/Receive Mail Virus
You can find Mail Virus logs in Sophos iView at REPORTS -> Virus -> Mail Virus as shown in the Figure below.
C. FTP Virus
3. To generate FTP Virus logs, configure FTP in the Web Protection module as described in FTP Usage
Logs above. Then download/upload the virus files to the FTP server 172.16.5.222 as shown in the
Figure below.
FIGURE: Download/Upload Virus files to FTP Server.
You can find FTP Virus logs in Sophos iView at REPORTS -> Virus -> FTP Virus as shown in the Figure below.
Search Engine Logs
To generate search engine logs, run some searches on the following sites:
www.google.com
http://search.yahoo.com
http://www.bing.com
http://www.wikipedia.org
http://search.rediff.com
http://www.ebay.com
You can find all search engine logs in Sophos iView at REPORTS -> Search as shown in the four
Figures below.
FIGURE: Bing Search Engine logs in Sophos iView
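As an added example, not from the original document, the Python code below shows how the search terms in the Search report can be recovered from the URLs in the web filter log: each engine carries the term in a different query-string parameter. The parameter names used here (q for Google and Bing, p for Yahoo, search for Wikipedia, _nkw for eBay) are assumptions taken from the engines' own search URLs and should be checked against current traffic; search.rediff.com is deliberately left out of the table, so its URLs are reported as unknown rather than guessed. The sample URLs are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Search engine host -> (display name, query-string parameter holding the term).
# The parameter names are assumptions for this example; verify them by looking
# at a real search URL from each engine, since sites change them over time.
ENGINES = {
    "www.google.com": ("Google", "q"),
    "www.bing.com": ("Bing", "q"),
    "search.yahoo.com": ("Yahoo", "p"),
    "www.wikipedia.org": ("Wikipedia", "search"),
    "www.ebay.com": ("eBay", "_nkw"),
}


def extract_search(url):
    """Return (engine, term) for a search URL, or None when the URL is not a
    known search engine or carries no search term (e.g. the engine's home page)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host not in ENGINES:
        return None
    engine, param = ENGINES[host]
    values = parse_qs(parts.query).get(param)  # parse_qs also decodes %xx and '+'
    if not values or not values[0].strip():
        return None
    return engine, values[0].strip()


def search_report(urls):
    """Aggregate a list of logged URLs into counts per (engine, term), which is
    essentially what the Search Engine report tabulates."""
    counts = Counter()
    for url in urls:
        hit = extract_search(url)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample URLs, not taken from a real log.
    sample = [
        "http://www.google.com/search?q=sophos+iview&hl=en",
        "http://www.google.com/search?q=sophos+iview",
        "http://search.yahoo.com/search?p=eicar%20test+file",
        "http://www.bing.com/search?q=utm+9",
        "http://www.ebay.com/sch/i.html?_nkw=firewall+appliance",
        "http://www.wikipedia.org/search-redirect.php?search=IPsec&language=en",
        "http://search.rediff.com/?q=news",       # not in the table: ignored
        "http://www.google.com/",                  # home page: no term
    ]
    for (engine, term), n in search_report(sample).most_common():
        print("%-9s %-20s %d" % (engine, term, n))
```

Note that search terms only reach the log when the proxy can see the URL: for https searches that requires HTTPS scanning (decrypt and scan) to be enabled on the web filter; with URL filtering only, the report shows the engine but not the term.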
Attacks Logs
To generate Attacks logs follow the steps below.
1. Enable Intrusion Prevention (IPS) from Network Protection -> Intrusion Prevention -> Global ->
click the Enable button as shown in the Figure below.
FIGURE: Enable Intrusion Prevention.
2. After enabling IPS with the default configuration, run a continuous ping to any WAN IP address
for a short time. You can see the live log in Sophos UTM as shown in the Figure below.
FIGURE: Live logs of Intrusion Prevention.
You can find the Intrusion Prevention logs of Sophos UTM in Sophos iView at REPORTS -> Attacks as
shown in the Figure below.
WAF Logs
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an
HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting
(XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and
blocked.
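As an added example that is not part of the original document and does not reproduce Sophos's rule set, the Python code below shows the mechanism the paragraph describes: a handful of signature rules applied to the decoded arguments of an HTTP request, a block/pass decision, and a per-application exclusion that removes a false positive without switching the rule off everywhere. The rule patterns, the requests against 10.20.22.131 and the exclusion table are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Toy signature rules in the spirit of a WAF rule set. They are illustrative
# only, deliberately crude, and not the rules shipped with Sophos UTM.
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("sqli-tautology", re.compile(r"(^|\W)(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("sqli-comment", re.compile(r"(--|/\*)\s*$")),
]


def inspect_request(url, body="", exclusions=None):
    """Run every rule over each decoded query-string and form argument.
    Returns a list of (rule_id, location, value) findings.
    exclusions maps (path, argument name) -> set of rule ids to skip there,
    which is how a rule set is tuned to an application without disabling
    the rule globally."""
    exclusions = exclusions or {}
    parts = urlsplit(url)
    path = unquote(parts.path)
    args = [("ARGS:" + k, k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    args += [("BODY:" + k, k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for location, name, value in args:
        skipped = exclusions.get((path, name), set())
        for rule_id, pattern in RULES:
            if rule_id not in skipped and pattern.search(value):
                findings.append((rule_id, location, value))
    return findings


def decide(url, body="", exclusions=None):
    """Return ("block", findings) or ("pass", []) for one request."""
    findings = inspect_request(url, body, exclusions)
    return ("block" if findings else "pass", findings)


if __name__ == "__main__":
    # Constructed requests against the virtual webserver address used in the
    # document; none of these are real captured traffic.
    requests = [
        ("http://10.20.22.131/index.html?page=2", ""),
        ("http://10.20.22.131/search?q=<script>alert(1)</script>", ""),
        ("http://10.20.22.131/login", "user=admin'+OR+'1'%3D'1&pass=x"),
        ("http://10.20.22.131/search?q=union+of+sets+and+select+query", ""),  # false positive
    ]
    tuned = {("/search", "q"): {"sqli-union-select"}}  # free-text field: allow the words
    for url, body in requests:
        print(decide(url, body)[0], "->", decide(url, body, tuned)[0], url)
```

The last request is the point of the exercise: a legitimate free-text search trips the union/select signature, which is exactly the kind of hit you should expect to see in the WAF report for a real application and the reason the rules need tuning per application rather than being left at defaults.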
To generate WAF logs follow the steps below.
1. Create a new Virtual Webserver from Webserver Protection -> Web Application Firewall.
2. Click New Virtual Webserver from Webserver Protection -> Web Application Firewall.
3. Fill in the details: Name, Interface = Internal (Address), Type = Plaintext (HTTP), Port = 80.
4. To add a domain click + and enter the domain. Here the domain is the LAN-side IP address of Sophos
UTM as shown in the Figure below.
5. To create a new Real Webserver, click +. A new window opens as shown in the Figure below.
FIGURE: Create New Real Webserver
6. In the Create Real Webserver window fill in the Name. To add the Host, click + to create a new
host definition as shown in the Figure below.
7. Fill in the details: Name, Type = Host, IPv4 Address = 180.179.100.102 as shown in the Figure
below.
FIGURE: Configure Network Definition parameter
8. Click Save, then click Save again in the Create Real Webserver window. Now tick the Webserver
checkbox in the Real Webservers field, fill in the other details as shown in the Figure below and
click Save.
10. Access an http/https page via the virtual webserver defined above, using http://10.20.22.131.
11. You can see the live log in Sophos UTM as shown in the Figure below.
You can find WAF logs in Sophos iView at REPORTS -> WAF as shown in below Figure.
FIGURE: WAF logs in Sophos iView
VPN Logs
There are three types of VPN logs available in Sophos iView:
1. Top PPTP Users
2. Top L2TP Users
3. Top IPsec Connections
A. PPTP
Remote Access -> PPTP Configuration
To generate Top PPTP Users logs we need to configure Remote Access -> PPTP in Sophos UTM.
Note: To generate PPTP/L2TP VPN logs from the QA network, i.e. 10.20.20.0/22, the system from
which you establish the VPN connection must have 10.20.20.15 as its gateway IP address.
Note: PPTP with MS-CHAPv2 authentication is cryptographically broken; it is used here only to
generate logs in a lab and should not be deployed for real remote access.
The procedure below describes the PPTP configuration and how to generate the logs.
1. Enable PPTP remote access by clicking the toggle switch as shown in the Figure below.
FIGURE: Enable PPTP remote access in Sophos UTM
2. Browse Users & Groups, drag and drop the users for PPTP authentication, configure the other
parameters and click Apply as shown in the Figures below.
4. Click Set up a new connection or network. Another window opens, as shown in the Figure below, for
setting up the connection. Choose the network option Connect to a workplace and click Next.
FIGURE: VPN adapter configuration steps_1
5. Another window opens as shown in the Figure below. Click Use my Internet connection (VPN).
6. Another window opens as shown in the Figure below. Enter the WAN IP address of Sophos UTM
(172.16.6.131) as the Internet address and tick the last checkbox, Don't connect now; just set it
up so I can connect later. Click Next.
FIGURE: VPN adapter configuration steps_3
7. Fill in the user's authentication details as shown in the Figure below. Click Create.
FIGURE: VPN adapter configuration steps_4
9. The new VPN connection is created in Network Connections as shown in the Figure below. Right-click
the VPN connection and open its Properties.
10. Go to the Security tab and configure all parameters as shown in the Figure below. Click OK.
FIGURE: VPN adapter Properties
11. Go to Network Connections and connect the VPN connection by right-clicking it and clicking
Connect. Enter the username and password to connect to the PPTP VPN.
You can find the live log of the PPTP VPN connection in Sophos UTM as shown in the Figure below.
FIGURE: Live logs of PPTP user authentication in Sophos UTM
You can find the PPTP remote access logs of Sophos UTM in Sophos iView at REPORTS -> VPN -> Top PPTP
Users as shown in the Figure below.
FIGURE: PPTP user logs in Sophos iView
B. L2TP
Remote Access -> L2TP over IPsec Configuration
To generate Top L2TP Users logs we need to configure Remote Access -> L2TP over IPsec in Sophos
UTM.
Note: To generate PPTP/L2TP VPN logs from the QA network, i.e. 10.20.20.0/22, the system from
which you establish the VPN connection must have 10.20.20.15 as its gateway IP address.
The procedure below describes the L2TP over IPsec configuration and how to generate the logs.
1. Enable L2TP over IPsec remote access by clicking the toggle switch as shown in the Figure below.
2. Configure Interface = eth1 (WAN interface), Authentication Mode = Preshared Key, the Preshared Key
and Default Pool Network = VPN Pool (L2TP) as shown in the Figure below. Click Apply.
3. Set Authentication via = Local and drag and drop the users into the Users & Groups box as shown
in the Figure above. Click Apply.
6. Now open the Advanced settings of the L2TP/IPsec connection (see the Figure below for the
Advanced Properties), enter the same preshared key that was configured in Sophos UTM, click OK, and
click OK again to save the VPN connection properties.
FIGURE: Advanced Properties of L2TP/IPSec Connection
7. Right-click the L2TP VPN connection and connect, entering the username and password as shown in
the Figure below.
FIGURE: Connect L2TP/IPsec Connection
You can find the L2TP user logs in Sophos iView at REPORTS -> VPN -> Top L2TP Users.
C. IPsec
Site-to-site -> IPsec Configuration
To generate Top IPsec Connections logs we need to configure Site-to-site VPN -> IPsec in Sophos UTM.
Note: In the current version of Sophos iView it is not possible to display remote access IPsec
connection logs, due to a bug in Sophos iView, so a site-to-site IPsec connection is configured in
Sophos UTM for log generation.
To generate site-to-site IPsec logs the configuration details below are used.
The procedure below describes the configuration steps for site-to-site IPsec and how to generate the
logs. The configuration process is explained for Sophos UTM 1; follow the same process for Sophos
UTM 2 using the configuration details defined above.
1. Add an additional address (192.168.10.1/24) to the LAN interface of Sophos UTM 1 as described
below.
a. Go to Interfaces & Routing -> Interfaces -> Additional Addresses. Click New additional
address.
b. Fill in the details as shown in the Figure below. Click Save.
FIGURE: Add Additional LAN IP Address to LAN Interface
c. The new additional address is created in disabled status. Enable it by clicking the toggle
switch as shown in the Figure below.
FIGURE: Additional Address on LAN Interface Sophos UTM 1.
d. Create the additional address 10.10.10.1/24 on Sophos UTM 2 in the same way, as shown in the
Figure below.
FIGURE: Additional Address on LAN Interface Sophos UTM 2.
b. Fill in the details: Name = Sophos UTM2, Gateway Type = Respond only, Authentication
Type = Preshared Key, Key = admin123, Repeat = admin123 as shown in the Figure below.
Note: A short key like admin123 is used here only for the lab. In production use a long, randomly
generated preshared key, or certificate-based authentication, since the preshared key is the only
thing that authenticates the remote gateway.
c. To add the remote networks, i.e. the LAN network of Sophos UTM2 (10.10.10.0/24), click the +
button and fill in the details as shown in the Figure below.
FIGURE: Remote Gateway Creation Remote Networks Configuration
d. Click Save to save the network definition. The remote network IPsec UTM2 LAN is added to the
Remote Networks field. Click Save to save the remote gateway. Remote Gateway Sophos UTM2 is
created as shown in the Figure below.
e. Create the remote gateway Sophos UTM1 in Sophos UTM 2 as described above. Remote Gateway
Sophos UTM1 in Sophos UTM 2 is shown in the Figure below.
FIGURE: Remote Gateways Sophos UTM1 in Sophos UTM 2.
3. Create a new IPsec connection in both UTMs from Site-to-site VPN -> IPsec -> Connections.
a. Go to Site-to-site VPN -> IPsec -> Connections. Click New IPsec Connection as shown in the
Figure below.
d. Configure the IPsec connection in Sophos UTM 2 in the same way, as shown in the Figure below.
FIGURE: IPsec Connection in Sophos UTM 2.
4. The IPsec site-to-site connection is now configured in both UTMs. Next, set up the LAN network on
both sides and access the remote LAN from each local LAN, i.e. from 192.168.10.0/24 to 10.10.10.0/24
and vice versa.
a. Configure the LAN IP address of the physical machine on the UTM 1 LAN to 192.168.10.10/24 with
gateway IP address 192.168.10.1 and ping 10.10.10.10, the LAN IP of the machine on the remote LAN
behind Sophos UTM 2, as shown in the Figure below.
b. In the same way, configure the LAN IP address of the physical machine on the UTM 2 LAN to
10.10.10.10/24 with gateway IP address 10.10.10.1 and ping 192.168.10.10, the LAN IP address of the
machine on the remote LAN behind Sophos UTM 1.
5. After disconnecting the IPsec connection from the UTM you can find the IPsec connection logs in
Sophos iView at REPORTS -> VPN -> Top IPsec Connections as shown in the Figure below.
SSL VPN Logs
2. Fill in the required details such as Profile name, Users & Groups and Local Networks as shown in
the Figure below. Click Save.
4. Now configure Remote Access -> SSL -> Settings as shown in the Figure below.
5. Now configure Remote Access -> SSL -> Advanced as shown in the Figure below.
6. Log in to the User Portal with the user1 credentials at https://172.16.6.131 and, from the SSL VPN
widget, download the SSL VPN client: the complete installation package includes the client software,
keys and automatic configuration for Windows XP/Vista/7/8, as shown in the Figure below.
7. Install the complete installation package following the instructions provided at the link (open
installation instructions in new window) in the SSL VPN widget of the User Portal (see the Figure
above).
8. After the installation of the Sophos SSL VPN Client finishes, the SSL VPN icon appears in the
task bar.
9. Double-click the SSL VPN task bar icon to open the user authentication dialog and enter the
username and password to authenticate, as shown in the Figure below. If more than one connection
is configured, right-click the icon to open a list of the available connections.
FIGURE: Connecting to the VPN using user1
The connection status is indicated by the SSL VPN icon (disconnected or connected).
10. Generate some traffic and then disconnect the SSL VPN connection by clicking Disconnect in the
context menu of the task bar icon.
You can see the live log for the SSL VPN client in Sophos UTM as shown in the Figure below.
You can see the remote access SSL VPN connection logs in Sophos iView at REPORTS -> SSL VPN as
shown in the Figure below.
FIGURE: Remote Access SSL VPN logs in Sophos iView