
SOPHOS iView

Sophos iView
Log Generation
Sophos UTM Firmware Version: 9.209-8
Sophos iView Version: 1.000-11
Document Date: Wednesday, December 10, 2014

Author: Jignesh Patel


Cyberoam Technologies Pvt. Ltd.
Cyberoam House, Sai Gulshan Building, Opp. Sanskruti,
Beside White House, Panchawati Cross Road,
Ambawadi, Ahmedabad-38006, Gujarat, INDIA.

Sophos iView Log Generation

Page | 1

Contents
1) Introduction (page 3)
2) Basic Prerequisite Configuration (page 4)
3) Firewall Rule Based Usage Logs (page 15)
4) Web Usage Logs (page 21)
5) Blocked Web Attempts Logs (page 26)
6) Blocked Applications Logs (page 28)
7) FTP Usage Logs (page 32)
8) Mail Usage & Spam Logs (page 35)
9) Virus Logs (page 39)
10) Search Engine Logs (page 43)
11) Attacks Logs (page 46)
12) WAF Logs (page 48)
13) VPN Logs (page 53)
14) SSL VPN Logs (page 72)

Introduction
This document describes how to generate logs in Sophos iView for the different modules of Sophos UTM. For each module it gives the step-by-step Sophos UTM configuration needed so that the module's logs appear in Sophos iView.
This document is prepared based on Sophos UTM Firmware Version: 9.209-8, Pattern Version: 70611 and Sophos iView Version: 1.000-11.

Basic Prerequisite Configuration


Sophos UTM Side Configuration
A. Sophos UTM Dashboard
The following prerequisite should be configured in the Sophos UTM Dashboard:
1. LAN & WAN Interfaces should be in Up state.
FIGURE: Sophos UTM Dashboard

B. Management
Management -> System Settings -> Organizational
As shown in below Figure, Organizational Information should be configured.
FIGURE: System Setting -> Organizational

Management -> System Settings -> Scan settings


As shown in the Figure below, select Sophos or Avira Antivirus as the Single Scan Engine. In this case it is Sophos.
FIGURE: System Setting -> Scan Settings

Management -> Licensing


As shown in the Figures below, the UTM should be licensed for all modules in order to generate the appropriate logs in Sophos iView.
FIGURE: System Setting -> Licensing_Image1

FIGURE: System Setting -> Licensing_Image2

Management -> User Portal


As shown in the Figure below (Global View), make sure that the Allow all users checkbox is ticked so that all users can access the user portal at https://IP Address:443, where IP Address is the IP address of the Sophos UTM configured at Management -> User Portal -> Advanced -> Network Settings -> Listen Address, as shown in the Figure below (Advanced View).
FIGURE: System Setting -> User Portal Global View.

FIGURE: System Setting -> User Portal Advanced View.

C. Definitions & Users


Definitions & Users -> Network Definitions
As shown in the Figures below, Network Definitions lists all hosts and networks that were created by the system or the administrator in Sophos UTM while creating policies/rules in the different modules.
We will create the necessary hosts/networks during policy/rule creation in the appropriate modules, so you do not need to configure anything here. For example, the hosts 10.20.21.153 & 10.20.21.154 were created for Sophos iView (Logging & Reporting -> Log setting -> Remote Syslog Server in Sophos UTM).
FIGURE: Network Definitions_Image1

FIGURE: Network Definitions_Image2

Definitions & Users -> Service Definitions


As shown in the Figure below, Service Definitions lists all services that were created by the system or the administrator in Sophos UTM while creating policies/rules in the different modules.
We will create the necessary services during policy/rule creation in the appropriate modules, so you do not need to configure anything here. For example, the service named 514 was created for the Sophos iView syslog server (UDP port 514) while creating the remote syslog server from Logging & Reporting -> Log setting -> Remote Syslog Server in Sophos UTM.
FIGURE: Service Definitions
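
The remote syslog path above (Sophos UTM forwarding to Sophos iView over UDP port 514) is the transport every report in this document depends on, so it is worth confirming that datagrams actually reach the collector before expecting reports to fill. The following is an added example, not code from the Sophos document or from Sophos: a minimal RFC 3164 syslog sender/receiver pair over UDP loopback that builds one message, decodes its PRI back into facility/severity and splits a key="value" body. The hostname, tag, port choice and the message body are all constructed for the demonstration; the production receiver is the iView server on port 514.

```python
"""Added example (not part of the Sophos iView document): send one RFC 3164
syslog datagram over UDP to a local receiver and decode what arrives."""
import re
import socket

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "      # RFC 3164 timestamp
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"      # HOSTNAME TAG: MSG
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs in the body


def syslog_pri(facility: str, severity: str) -> int:
    """Encode the PRI value exactly as a syslog sender puts it in <...>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, timestamp, host, tag, body):
    """Assemble one RFC 3164 line: <PRI>TIMESTAMP HOST TAG: BODY."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {host} {tag}: {body}"


def parse_message(line: str) -> dict:
    """Decode PRI into facility/severity and the body into key="value" fields.
    Text in the body that is not a quoted key="value" pair is ignored."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": dict(KV_RE.findall(m.group("body"))),
    }


def send_and_receive(message: str, timeout: float = 2.0) -> dict:
    """Bind a UDP receiver on a loopback ephemeral port, send `message` to it
    and return the parsed datagram. A socket.timeout here means the datagram
    never arrived, which is the symptom to look for when iView stays empty."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
        rx.settimeout(timeout)
        tx.sendto(message.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return parse_message(data.decode("utf-8"))


# Constructed sample in key="value" style; hostname, tag and values are
# made up for this example, not captured from a Sophos UTM.
SAMPLE = build_message(
    "local0", "info", "Dec 10 10:15:42", "utm-lab", "ulogd",
    'sub="packetfilter" action="drop" fwrule="60001" '
    'srcip="10.20.21.50" dstip="203.0.113.9" dstport="443"',
)

if __name__ == "__main__":
    print(send_and_receive(SAMPLE))
```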

Definitions & Users -> Users & Groups


To create users, follow the steps below.
1. Go to Definitions & Users -> Users & Groups and click on the New user button as shown in the Figure below.

FIGURE: New User creation

2. Fill in the details such as Username, Real Name, Email Address, Authentication=Local and Password, and click on Save as shown in the Figure below.
Note: For testing purposes we have selected Local as the authentication method, but you can select another authentication method as well.
FIGURE: Fill new user details

3. The new user will be created as shown in the Figure below.


FIGURE: New user created

D. Interfaces & Routing


Interfaces & Routing -> Interfaces
LAN & WAN interfaces should be configured properly as shown in the Figure below. The LAN interface is eth0 and the WAN interface is eth1.
FIGURE: LAN, WAN Interfaces

E. Network Protection
Network Protection -> Firewall
A firewall rule must be configured to allow/deny traffic from the internal network to the outside network, i.e. the Internet. To generate logs it is enough to create a single rule, i.e. Rule 6, which allows any traffic from the source network to the destination network, as shown in the Figure below.
The method to create the rule is described in Firewall Rule Based Usage Logs -> Firewall rule to allow traffic; create Rule 6 the same way.
Rule 4 allows traffic from the internal network to any destination network. Rule 5 allows web traffic from the Wireless Guest Network to the internal IPv4 network. Rule 6 allows all other traffic from any source network to any destination network, such as IPsec VPN, SSL VPN, PPTP VPN and L2TP VPN.
FIGURE: Firewall Rule

Network Protection -> NAT


A NAT rule must be configured so that the internal network can reach the outside network. To create the NAT rule follow the steps below.
Go to Network Protection -> NAT -> Masquerading.
Click on New Masquerading rule.
Fill in the details Network=Internal (Network), Position=Top, Interface=eth1 Intel Corporation I210 Gigabit Network Connection and click on the Save button. The rule will be created as shown in the Figure below.
FIGURE: NAT Rule

Sophos iView Side Configuration


Sophos iView Configuration
The Sophos iView Server should be configured properly via https://ipaddress:4444 (Figure Sophos iView Setup) and be accessible via http://ipaddress:8000, where ipaddress is the IP address of the Sophos iView Server (Figure Sophos iView Login Page). There must be network connectivity between Sophos UTM and Sophos iView.
FIGURE: Sophos iView Setup

FIGURE: Sophos iView Login Page

Firewall Rule Based Usage Logs


To generate Firewall Rule Based Usage Logs, the Firewall Rule in Sophos UTM needs to be configured in two different ways, i.e. to allow all traffic from the internal network to the Internet and to deny all traffic from the internal network to the Internet.
The logs for the following Firewall Rule Based Usage widgets in Sophos iView can be generated by configuring the Firewall Rule in Sophos UTM to allow all traffic from the internal network to the Internet.
1. Top Accept Rules
2. Top Accept Rules Application Category Wise
3. Top Accept Rules Host Wise
4. Top Accept Rules Destination Wise

The logs for the following Firewall Rule Based Usage widgets in Sophos iView can be generated by configuring the Firewall Rule in Sophos UTM to deny all traffic from the internal network to the Internet.
1. Top Deny Rules
2. Top Deny Rules Application Category Wise
3. Top Deny Rules Host Wise
4. Top Deny Rules Destination Wise

Now, to configure the Firewall Rule in Sophos UTM in the two different ways, follow the steps below.
1. Go to Network Protection -> Firewall
2. Create a new rule to allow all traffic from the internal network to the Internet
3. Generate some traffic to generate Allow traffic logs in Firewall Rule Based Usage
4. Edit the policy created in step 2 to deny all traffic from the internal network to the Internet
5. Generate some traffic to generate Deny traffic logs in Firewall Rule Based Usage

A. Firewall Rule to allow Traffic
Now, to configure the Firewall Rule in Sophos UTM to allow traffic, follow the steps below.
1. Go to Network Protection -> Firewall -> Rules.
2. Click on New rule; it will open a window as shown in the Figure below.

FIGURE: Click on New rule (Network Protection -> Firewall -> Rules)

3. Configure Position=Top. Now, to configure Sources, Services and Destination, click on the Browse button (located next to the + button) and select the appropriate configuration as shown in the Figure below. Configure Action=Allow and enable Log traffic by ticking the checkbox.
FIGURE: Configure Firewall Rule

4. Save the rule; it will be created in disabled state as shown in the Figure below.
FIGURE: New rule created with rule no. 5 in disabled state

5. Enable the rule by clicking on the Enable button as shown in the Figure below.


FIGURE: Enable rule 5 to allow traffic to pass

6. Generate some Web traffic as described in Web Usage Logs.


You can find Firewall Rule Based Usage logs for allow traffic in Sophos iView at REPORTS -> Firewall
Rule Based Usage as shown in below Figure.

FIGURE: Firewall Rule Based Usage Logs in Sophos iView for Allow Traffic (Left side widgets)

B. Firewall Rule to Deny Traffic


Now, to configure the Firewall Rule in Sophos UTM to deny traffic, follow the steps below.
1. Go to Network Protection -> Firewall -> Rules.
2. Click on the Edit button of rule 5 (see Figure Enable rule 5 to allow traffic to pass); it will open the edit window as shown in the Figure below.
FIGURE: Edit Firewall Rule to deny all traffic

3. To set Action=Drop, click on the Action dropdown list and select Drop. See the Figure below.
FIGURE: Select Action=Drop to deny traffic

4. Click on Save. Rule 5 will appear as shown in the Figure below.
FIGURE: Rule no. 5 to deny all traffic.

5. Generate some web/application traffic through Sophos UTM.


You can find Firewall Rule Based Usage logs for deny traffic in Sophos iView at REPORTS -> Firewall
Rule Based Usage.
FIGURE: Firewall Rule Based Usage Logs in Sophos iView for deny Traffic (Right side widgets)

Web Usage Logs


To generate Web Usage logs in Sophos iView we need to configure the Web Protection module in Sophos UTM.
Below are the steps of the Web Protection module configuration for Web Usage log generation in Sophos iView.
1. Enable Web Filtering from the Global view. See the Figure below.
2. Create web filtering policies from Web Protection -> Web Filtering -> Policies
3. Create Web Filter Profiles

Enable Web Filtering


FIGURE: Enable Web Filtering (Web Filtering -> Global)

Now create a Policy to apply different Filter Actions to specific users, groups or time periods. Follow the process below for adding a Web Filtering Policy.
1. Go to Web Filtering -> Policies.
2. Click on the + button to add a policy.
3. Add the following details: Name, Users/Groups, Time Event, Filter Action (the Default Filter Action is configured here) as shown in the Figure below.

FIGURE: Create Web Filtering Policies (Web Filtering -> Policies)

4. Save the setting.


5. You will get a window as shown in the Figure below.
FIGURE: New Web Filtering Policies in disable state (Web Filtering -> Policies)

6. Enable/Activate the policy by clicking on the button next to the Policy Name. See the Figure below.

FIGURE: Enable Web Filtering Policies (Web Filtering -> Policies)

Web Filtering Profile


Now create Web Filter Profiles to apply a different set of policies to each network.
To create Web Filter Profiles,
1. Go to Web Filter Profiles -> Filter Profiles
2. Click on the + button to create a new profile.
3. Add the details as shown in the Figure below.
FIGURE: Create Web Filter Profile (Web Filter Profiles -> Filter Profiles)

4. Click on Next
5. Enable the policy Policy1 as shown in the Figure below.
FIGURE: Enable Web Filtering Policies Policy1 (Web Filter Profiles -> Filter Profiles)

6. Save the setting. Profile1 will be created as shown in below Figure.


FIGURE: Web Filter Profile Creation (Web Filter Profiles -> Filter Profiles)

7. Generate some web traffic and you will get live logs (Web Protection -> Web Filtering -> Global -> click on the Open live log tab) as shown in the Figure below.

FIGURE: Live Log of Sophos UTM Web Filtering after generating Web Traffic from Sophos UTM

You can find Sophos UTM web filtering logs in Sophos iView at REPORTS -> Web Usage as shown in
below Figure.
FIGURE: Web Usage logs in Sophos iView.

Blocked Web Attempts Logs


Web Filtering Policy for Blocked Web Attempts Logs Generation
We can generate logs for Blocked Web Attempts by editing the Web Filtering policy Policy1 that we created as discussed under Web Filtering Policy.
To edit the policy,
1. Go to Web Protection -> Web Filtering -> Policies -> click on Policy1
2. Select Filter Action -> Default content filter block action. See the Figure below.
FIGURE: Edit Web Filtering Policies Policy1 (Web Filtering -> Policies)

3. Save the setting and click OK. See the Figure below.


FIGURE: Edit Web Filtering Policies (Web Filtering -> Policy)

4. The updated Policy1 will be displayed as shown in the Figure below.


FIGURE: Web Filtering Policies (Web Filtering -> Policies)

5. Generate some Web Traffic.


You can find the traffic blocked by the Sophos UTM Web Filtering policies in Sophos iView at REPORTS -> Blocked Web Attempts as shown in the Figure below.
FIGURE: Blocked Web Attempts Logs in Sophos iView

Blocked Applications Logs


To generate Blocked Application logs in Sophos iView we need to configure the Web Protection -> Application Control module in Sophos UTM.
Below are the steps of the Application Control module configuration for Blocked Applications log generation in Sophos iView.
1. Enable Application Control from Web Protection -> Application Control -> Network Visibility as shown in the Figure below.
2. Create Application Control Rules from Web Protection -> Application Control -> Application Control Rules.
3. Generate some traffic for different applications
Note: All other settings remain at their defaults

A. Enable Application Control


Enable Network Visibility from Application Control
FIGURE: Enable Application Control (Application Control -> Network Visibility)

B. Create Application Control Rules
1. Click on New Rule under Application Control Rules. Fill in the required details such as Name, Group, Position, Action=Block, Control By=Application as shown in the Figure below.

FIGURE: Details of Application Control Rules

2. Click on Control this Application and select all the applications that you want to block. Here we have selected all applications for log generation as shown in the Figure below, then click on Apply.
FIGURE: Select All Application to Control

3. Click on the Save button to save the rule as shown in the Figure below.

FIGURE: Settings of Application Control Rules to Block Traffic

4. After saving, you can see the new rule as shown in the Figure below.
FIGURE: Application Control Rules to Block Application Traffic

5. Now generate some traffic for some applications and click on Open live log from Web Protection -> Application Control -> Application Control Rules; you will get results as shown in the Figure below.
Note: As shown in the Figure below, all blocked application traffic falls under Application Control Rule # 1 because we have created only one rule, with rule ID # 1. If you want to create logs with Application Control Rule IDs other than Rule ID=1, multiple Application Control Rules must be configured in Sophos UTM for different applications as required.

C. Live Blocked Application Logs


FIGURE: Live Logs for Blocked Application

You can find Sophos UTM Application Control traffic in Sophos iView at REPORTS -> Blocked Application
as shown in below Figure.
FIGURE: Blocked Application logs in Sophos iView

FTP Usage Logs


Below are the steps of the FTP module configuration for FTP Usage log generation in Sophos iView

A. Enable FTP Proxy
1. Enable the FTP Proxy from Web Protection -> FTP -> Global View as shown in the Figure below.
FIGURE: Enable FTP Proxy (FTP -> Global)

B. Antivirus Configuration
2. Configure Antivirus from Web Protection -> FTP -> Antivirus as shown in the Figure below.

FIGURE: Antivirus Configuration (FTP -> Antivirus)

3. Generate FTP logs.

Note: All other settings for the FTP module in Sophos UTM remain at their defaults.
Now generate some FTP traffic and click on Open live log from Web Protection -> FTP -> Global. You will get results as shown in the Figure below.

C. Live FTP Logs
FIGURE: Live logs for FTP File Transfer

You can find Sophos UTM FTP proxy traffic in Sophos iView at REPORTS -> FTP Usage as shown in the Figure below.
FIGURE: FTP Usage logs in Sophos iView.

Mail Usage & Spam Logs


There are two types of configuration available for Email Protection, i.e. SMTP & POP3. Due to a bug in Sophos UTM, we are not able to generate the SMTP logs in Sophos iView, so here I will explain the configuration related to the POP3 protocol. Below are the steps of the Email Protection -> POP3 module configuration for Mail Usage & Spam log generation in Sophos iView.

A. Enable POP3 Proxy
1. Enable the POP3 Proxy from Email Protection -> POP3 -> Global View. Also configure the allowed networks as shown in the Figure below.
FIGURE: Enable POP3 Proxy (Email Protection -> POP3 -> Global)

B. Antivirus Configuration
2. Configure Antivirus from Email Protection -> POP3 -> Antivirus as shown in the Figure below.

FIGURE: Configure Antivirus (Email Protection -> POP3 -> Antivirus)

C. AntiSpam Configuration
3. Configure AntiSpam from Email Protection -> POP3 -> AntiSpam as shown in the Figure below.
FIGURE: Configure AntiSpam (Email Protection -> POP3 -> AntiSpam)

4. Generate POP3 (email download test) & spam email logs.

Note: All other settings for the Email Protection module in Sophos UTM remain at their defaults.

D. Live Mail Usage & Spam Logs
FIGURE: Live Mail Usage & Spam Logs

You can find Sophos UTM Email Protection logs in Sophos iView at REPORTS -> Mail Usage as shown in the Figure below, and Spam logs at REPORTS -> Spam as shown in the following Figure.
FIGURE: Mail Usage Logs in Sophos iView.

FIGURE: Spam Logs in Sophos iView.

Virus Logs
There are different types of virus logs, i.e. Web Virus, Mail Virus and FTP Virus. To generate all types of virus logs, first download the virus files to your system. Below are the links to download the virus files.
1) http://172.16.5.222/test/virus/
2) https://172.16.5.222/test/virus/
3) http://www.eicar.org
4) ftp://172.16.5.222

A. Web Virus
1. To generate Web Virus logs (http/https) you need to configure Web Filtering from the Web Protection module as described in Web Usage Logs above. Now download the virus files from the links above as shown in the Figure below.
FIGURE: Download Web Virus using above links

You can find Web Virus logs in Sophos iView at REPORTS -> Virus -> Web Virus as shown in below Figure.

FIGURE: Web Virus logs in Sophos iView

B. Mail Virus
2. To generate Mail Virus logs you need to configure the Email Protection module as described in Mail Usage & Spam Logs above. Now send/receive mail with the virus files as attachments as shown in the Figure below.
FIGURE: Send/Receive Mail Virus

You can find Mail Virus logs in Sophos iView at REPORTS -> Virus -> Mail Virus as shown in below Figure.

FIGURE: Mail Virus logs in Sophos iView

C. FTP Virus
3. To generate FTP Virus logs, you need to configure FTP from the Web Protection module as described in FTP Usage Logs above. Now download/upload the virus files from/to the FTP server 172.16.5.222 as shown in the Figure below.
FIGURE: Download/Upload Virus files to FTP Server.

You can find FTP Virus logs in Sophos iView at REPORTS -> Virus -> FTP Virus as shown in below Figure.

FIGURE: FTP Usage logs in Sophos iView

Search Engine Logs


There are 6 types of Search Engine logs displayed by Sophos iView, i.e. Google Search, Yahoo Search, Bing Search, Wikipedia Search, Rediff Search and eBay Search.
In the current version of Sophos iView it is not possible to display Google & Yahoo Search Engine logs due to a bug in the current version of Sophos UTM.
To generate Search Engine logs, open the links below and search for appropriate words.
1) www.google.com
2) http://search.yahoo.com
3) http://www.bing.com
4) http://www.wikipedia.org
5) http://search.rediff.com
6) http://www.ebay.com

You can find all Search Engine logs in Sophos iView at REPORTS -> Search as shown in the four Figures below.
FIGURE: Bing Search Engine logs in Sophos iView

FIGURE: Wikipedia Search Engine logs in Sophos iView

FIGURE: Rediff Search Engine logs in Sophos iView

FIGURE: eBay Search Engine logs in Sophos iView

Attacks Logs
To generate Attacks logs follow the steps below
1. Enable Intrusion Prevention (IPS) from Web Protection -> Intrusion Prevention -> Global -> click on the Enable button as shown in the Figure below.
FIGURE: Enable Intrusion Prevention.

2. After enabling IPS with the default configuration, ping any WAN IP address continuously for a short time. You can see the live logs in Sophos UTM as shown in the Figure below.
FIGURE: Live logs of Intrusion Prevention.

You can find the Intrusion Prevention logs of Sophos UTM in Sophos iView at REPORTS -> Attacks as shown in the Figure below.
FIGURE: Intrusion Prevention logs in Sophos iView

WAF Logs
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an
HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting
(XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and
blocked.
To generate WAF logs follow the steps below
1. Create a new Virtual Webserver from Webserver Protection -> Web Application Firewall
2. Access an http/https page as per the policy defined above.

Configure New Virtual Webserver


1. Go to Webserver Protection -> Web Application Firewall as shown in the Figure below.
FIGURE: Web Application Firewall View

2. Click on New Virtual Webserver from Webserver Protection -> Web Application Firewall
3. Fill in the details such as Name, Interface=Internal (Address), Type=Plaintext (HTTP), Port=80.
4. To add a domain click on + and fill in the domain. Here the domain is the LAN side IP address of the Sophos UTM as shown in the Figure below.

FIGURE: Click on New Virtual Webserver

5. Now, to create a new Real Webserver, click on +; it will open a new window as shown in the Figure below.
FIGURE: Create New Real Webserver

6. Now in the Create Real Webserver window fill in the Name. Then, to add the Host, click on + to create a new host record as shown in the Figure below.

FIGURE: Add Network Definition

7. Fill in the details such as Name, select Type=Host, IPv4 Address=180.179.100.102 as shown in the Figure below.
FIGURE: Configure Network Definition parameter

8. Click on Save. Now click Save again in the Create Real Webserver window. Now tick the Webserver checkbox in the Real Webservers field and fill in the other details as shown in the Figure below. Click on Save.

FIGURE: Configure New Virtual Webserver Details

9. Now enable the Virtual Webserver as shown in the Figure below.


FIGURE: Enable Virtual Webserver

10. Access an http/https page as per the policy defined above using http://10.20.22.131.
11. You can see the live logs of Sophos UTM as shown in the Figure below.

FIGURE: Live logs of WAF in Sophos UTM

You can find WAF logs in Sophos iView at REPORTS -> WAF as shown in below Figure.
FIGURE: WAF logs in Sophos iView

VPN Logs
There are three types of logs available in Sophos iView for VPN
1. Top IPSec Connections
2. Top L2TP Users
3. Top PPTP Users

A. PPTP
Remote Access -> PPTP Configuration
To generate Top PPTP Users logs we need to configure Remote Access -> PPTP in Sophos UTM.
Note: For generating PPTP/L2TP VPN logs from the QA network, i.e. 10.20.20.0/22, the system from which you are establishing the VPN connection must have 10.20.20.15 as its gateway IP address.
The procedure below describes the configuration of PPTP and how to generate the logs.
1. Enable PPTP remote access by clicking on the toggle switch as shown in the Figure below.
FIGURE: Enable PPTP remote access in Sophos UTM

2. Browse Users & Groups, then drag & drop the users for PPTP authentication, configure the other parameters and click Apply as shown in the Figures below.

FIGURE: Configure PPTP Global View

FIGURE: Configure PPTP Advanced View

PPTP VPN Configuration in Windows Machine


3. On the Windows 7 Professional machine, go to Control Panel -> Network and Internet -> Network and Sharing Center as shown in the Figure below.

FIGURE: Network Configuration in Windows 7.

4. Click on Set up a new connection or network; it will open another window as shown in the Figure below for setting up the connection. Choose the network option Connect to a workplace and click Next.
FIGURE: VPN adapter configuration steps_1

5. It will open another window as shown in the Figure below. Now click on Use my Internet connection (VPN).

FIGURE: VPN adapter configuration steps_2

6. It will open another window as shown in the Figure below. Now configure the WAN IP address of the Sophos UTM (172.16.6.131) as the Internet address and tick the last checkbox, Don't connect now; just set it up so I can connect later. Click Next.
FIGURE: VPN adapter configuration steps_3

7. Fill in the details for authentication of the user as shown in the Figure below. Click on Create.
FIGURE: VPN adapter configuration steps_4

8. It will open a window as shown in the Figure below. Click Close.


FIGURE: VPN adapter configuration steps_5

9. The new VPN connection is created in Network Connections as shown in the Figure below. Right click on the VPN connection and open its Properties.
FIGURE: VPN Connection

10. Go to the Security tab and configure all parameters as shown in the Figure below. Click OK.
FIGURE: VPN adapter Properties

11. Now go to Network Connections and connect the VPN connection by right clicking on it and clicking on Connect. Enter the username & password to connect to the PPTP VPN.

FIGURE: Connect PPTP VPN

You can find live logs of PPTP VPN Connection in Sophos UTM as shown in below Figure.
FIGURE: Live logs of PPTP user authentication in Sophos UTM

You can find PPTP remote access logs of Sophos UTM in Sophos iView at REPORTS -> VPN -> Top PPTP
Users as shown in below Figure.
FIGURE: PPTP user logs in Sophos iView

B. L2TP
Remote Access -> L2TP over IPsec Configuration
To generate Top L2TP Users logs we need to configure Remote Access -> L2TP over IPsec in Sophos UTM.
Note: For generating PPTP/L2TP VPN logs from the QA network, i.e. 10.20.20.0/22, the system from which you are establishing the VPN connection must have 10.20.20.15 as its gateway IP address.
The procedure below describes the configuration of L2TP over IPsec and how to generate the logs.
1. Enable L2TP over IPsec remote access by clicking on the toggle switch as shown in the Figure below.
2. Configure Interface: eth1 (WAN Interface), Authentication Mode=Preshared Key, Preshared Key & Default Pool Network=VPN Pool (L2TP) as shown in the Figure below. Click Apply

FIGURE: Enable L2TP over IPsec remote access in Sophos UTM

3. Configure Authentication via=Local and drag & drop the users into the Users & Groups box as shown in the Figure above. Click on the Apply button.

L2TP VPN Configuration in Windows Machine


4. Open the VPN Connection Properties
5. After opening the VPN Connection Properties, go to the Security tab and configure Type of VPN = L2TP/IPSec as shown in the Figure below.
FIGURE: Edit VPN Connection Properties

6. Now click on Advanced settings of L2TP/IPSec (see the Figure below for Advanced Properties) and configure the same preshared key that was configured earlier in Sophos UTM. Click OK, and click OK again to save the VPN Connection Properties settings.
FIGURE: Advanced Properties of L2TP/IPSec Connection

7. Now right click on the L2TP VPN connection and connect the L2TP after entering the username & password as shown in the Figure below
FIGURE: Connect L2TP/IPsec Connection

You can find L2TP user logs in Sophos iView at REPORTS -> VPN -> Top L2TP Users

FIGURE: L2TP Users logs in Sophos iView

C. IPsec
Site-to-site -> IPsec Configuration
To generate Top IPsec Connections logs we need to configure Site-to-site -> IPsec in Sophos UTM.
Note: In the current version of Sophos iView, it is not possible to display remote access IPsec connection logs due to a bug in Sophos iView, so we will configure site-to-site IPsec in Sophos UTM for log generation.
To generate site-to-site IPsec logs we will use the configuration details below.
Two Sophos UTMs for the site-to-site configuration
1. UTM 1 IP Address: 10.20.22.131/22
2. UTM 2 IP Address: 10.20.22.133/22
LAN IP Network
1. UTM 1 LAN IP Network: 192.168.10.0/24
2. UTM 2 LAN IP Network: 10.10.10.0/24
WAN IP Address of Sophos UTM
1. UTM 1 WAN IP Address: 172.16.6.131/22
2. UTM 2 WAN IP Address: 172.16.5.133/22
Sophos UTM LAN IP Address
1. UTM 1 LAN IP Address: 192.168.10.1/24 & 10.20.22.131/22
2. UTM 2 LAN IP Address: 10.10.10.1/24 & 10.20.22.133/22
Physical machine IP address on the LAN network of each UTM
1. UTM 1 LAN network machine IP address: 192.168.10.10/24 with gateway IP address 192.168.10.1
2. UTM 2 LAN network machine IP address: 10.10.10.10/24 with gateway IP address 10.10.10.1

The procedure below describes the configuration steps for site-to-site IPsec and how to generate the logs.
Here we explain the configuration process for Sophos UTM 1; the same configuration process must be
followed for Sophos UTM 2 using the configuration details defined above.
1. Add an additional address (192.168.10.1/24) to the LAN interface of Sophos UTM 1 as described
below.
a. Go to Interfaces & Routing -> Interfaces -> Additional Interfaces. Click on New additional
address.
b. Fill in the details as shown in the below Figure. Click on Save.
FIGURE: Add Additional LAN IP Address to LAN Interface

c. The new additional address is created in disabled status. Enable it by clicking the toggle
switch as shown in the below Figure.
FIGURE: Additional Address on LAN Interface Sophos UTM 1.

d. Now create the additional address 10.10.10.1/24 on Sophos UTM 2 as shown in the below
Figure.
FIGURE: Additional Address on LAN Interface Sophos UTM 2.

2. Now we need to create Remote Gateways on both Sophos UTMs.

a. Go to Site-to-site VPN -> IPsec -> Remote Gateways. Click on New Remote Gateway as
shown in the below Figure.
FIGURE: Add New Remote Gateways

b. Fill in the details, i.e. Name=Sophos UTM2, Gateway Type=Respond only, Authentication
type=Preshared Key, Key=admin123, Repeat=admin123, as shown in the below Figure.

FIGURE: Create Remote Gateway in Sophos UTM 1

c. Now add the remote network, which is the LAN network of Sophos UTM2, i.e. 10.10.10.0/24:
click the + button next to Remote networks and fill in the details as shown in the below Figure.
FIGURE: Remote Gateway Creation - Remote Networks Configuration

d. Click on Save to save the network definition. The remote network "IPsec UTM2 LAN" is
added to the Remote networks list. Click Save to save the Remote Gateway. The Remote Gateway Sophos
UTM2 is created as shown in the below Figure.

FIGURE: Remote Gateways Sophos UTM2 in Sophos UTM 1.

e. Create the Remote Gateway Sophos UTM1 in Sophos UTM 2 as described above. The Remote
Gateway Sophos UTM1 in Sophos UTM 2 is shown in the below Figure.
FIGURE: Remote Gateways Sophos UTM1 in Sophos UTM 2.

3. Create a new IPsec Connection in both UTMs from Site-to-site VPN -> IPsec -> Connections.
a. Go to Site-to-site VPN -> IPsec -> Connections. Click on New IPsec Connection as shown
in the below Figure.

FIGURE: Create New IPsec Connection

b. Fill in the details as shown in the below Figure. Click on Save.

FIGURE: Configure New IPsec Connection

c. The new IPsec Connection is created, as shown in the below Figure.

FIGURE: New IPsec Connection in Sophos UTM 1.

d. In the same way, configure the IPsec connection in Sophos UTM 2 as shown in the below Figure.
FIGURE: IPsec Connection in Sophos UTM 2.

4. We have configured the IPsec site-to-site connection in both UTMs. Now we have to set up the LAN
network on both sides of the UTMs and try to access the network from one LAN to the remote LAN, i.e. from
192.168.10.0/24 to 10.10.10.0/24 and vice versa.
a. Configure the LAN IP address of the physical machine in the UTM 1 LAN to 192.168.10.10/24 with
gateway IP address 192.168.10.1 and ping 10.10.10.10, the LAN IP of the machine in the remote LAN of
Sophos UTM 2, as shown in the below Figure.

FIGURE: LAN IP Address of Physical Machine in UTM1 LAN Side.

b. In the same way, configure the LAN IP address of the other physical machine in the UTM 2 LAN network
to 10.10.10.10/24 with gateway IP address 10.10.10.1/24 and ping 192.168.10.10, the LAN IP
address of the machine in the remote LAN of Sophos UTM 1.
5. After disconnecting the IPsec connection from the UTM, you can find the IPsec connection logs in
Sophos iView at REPORTS -> VPN -> Top IPsec Connections as shown in the below Figure.

FIGURE: IPsec Connections logs in Sophos iView.
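As an added example (not code from Sophos or from this document), the following Python script models the site-to-site plan used in this section: it derives the Remote Gateway and IPsec Connection settings each UTM needs for its peer and checks that the addressing plan is consistent (the LAN networks do not overlap, the additional address and the LAN host lie inside the LAN network, and the host's gateway is the UTM's additional address) before anything is entered in WebAdmin. The dictionary keys, function names and the connection name are assumptions of this example.

```python
"""Consistency check for the site-to-site IPsec addressing plan in this section.
Added example, not Sophos code. Keys, function names and the connection name
are assumptions; the addresses are the ones listed in the configuration details."""
import ipaddress

# Addressing plan copied from the configuration details of this section.
UTM1 = {"name": "Sophos UTM1", "wan": "172.16.6.131", "lan": "192.168.10.0/24",
        "lan_ip": "192.168.10.1/24", "host": "192.168.10.10/24", "host_gw": "192.168.10.1"}
UTM2 = {"name": "Sophos UTM2", "wan": "172.16.5.133", "lan": "10.10.10.0/24",
        "lan_ip": "10.10.10.1/24", "host": "10.10.10.10/24", "host_gw": "10.10.10.1"}


def check_plan(a, b):
    """Return the problems found in the plan; an empty list means it is consistent."""
    problems = []
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append("LAN networks overlap, so traffic cannot be routed across the tunnel")
    for utm in (a, b):
        lan = ipaddress.ip_network(utm["lan"])
        lan_if = ipaddress.ip_interface(utm["lan_ip"])   # the additional address (step 1)
        host = ipaddress.ip_interface(utm["host"])       # the physical LAN machine (step 4)
        if lan_if.network != lan:
            problems.append(f"{utm['name']}: additional address is not inside the LAN network")
        if host.network != lan:
            problems.append(f"{utm['name']}: LAN host is not inside the LAN network")
        if ipaddress.ip_address(utm["host_gw"]) != lan_if.ip:
            problems.append(f"{utm['name']}: host gateway is not the UTM's additional address")
    return problems


def remote_gateway(peer, psk):
    """Remote Gateway definition a UTM needs for its peer (step 2 above)."""
    return {"name": peer["name"], "gateway_type": "Respond only", "gateway": peer["wan"],
            "authentication_type": "Preshared Key", "key": psk,
            "remote_networks": [peer["lan"]]}


def ipsec_connection(local, peer):
    """IPsec Connection that references that Remote Gateway (step 3 above)."""
    return {"name": f"IPsec to {peer['name']}", "remote_gateway": peer["name"],
            "local_interface": local["wan"], "local_networks": [local["lan"]]}


def plan_site_to_site(a, b, psk):
    """Mirror the UTM 1 steps onto UTM 2; raise ValueError if the plan is inconsistent."""
    problems = check_plan(a, b)
    if problems:
        raise ValueError("; ".join(problems))
    return {a["name"]: {"gateway": remote_gateway(b, psk), "connection": ipsec_connection(a, b)},
            b["name"]: {"gateway": remote_gateway(a, psk), "connection": ipsec_connection(b, a)}}
```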

SSL VPN Logs

Remote Access -> SSL Configuration
To generate Top SSL VPN Users logs, Remote Access -> SSL must be configured on Sophos UTM.
Follow the steps below to configure Remote Access -> SSL on Sophos UTM and generate SSL VPN logs in
Sophos iView.
1. Go to Remote Access -> SSL -> Profiles. Click on New remote access profile as shown in the below
Figure.
FIGURE: New remote access SSL Profile Creation

2. Fill in the required details, such as the Profile name, Users & Groups and Local Networks, as shown in
the below Figure. Click the Save button.

FIGURE: Remote access SSL Profile Creation steps

3. The new profile is created as shown in the below Figure.

FIGURE: New Remote access SSL Profile

4. Now configure Remote Access -> SSL -> Settings as shown in the below Figure.

FIGURE: Remote Access -> SSL -> settings

5. Now configure Remote Access -> SSL -> Advanced as shown in the below Figure.

FIGURE: Remote Access -> SSL Advanced Setting

6. Access the User Portal with the user1 credentials using the link https://172.16.6.131 and download the SSL VPN
Client, the complete installation package including client software, keys and automatic
configuration for Windows XP/Vista/7/8, from the SSL VPN widget as shown in the below Figure.

FIGURE: SSL VPN Client Download

7. Install the complete installation package as per the instructions provided at the link (open
installation instructions in new window) in the SSL VPN widget of the User Portal (see the above
Figure).
8. After finishing the installation of the Sophos SSL VPN Client, the SSL VPN icon will be displayed in your
task bar.
9. Double-click the SSL VPN task bar icon to open the user authentication dialog box and enter the
username and password to authenticate as shown in the below Figure. In case you have more than
one connection specified, right-click the icon to open a list of available connections.
FIGURE: Connecting to the VPN using user1

The connection status is indicated by the SSL VPN icon (one icon for disconnected, another for connected).
10. Generate some traffic and disconnect the SSL VPN connection by clicking Disconnect in the
context menu of the task bar icon.
You can see the live logs for the SSL VPN Client in Sophos UTM as shown in the below Figure.

FIGURE: Live logs of SSL VPN Client in Sophos UTM

You can see the Remote Access SSL VPN connection logs in Sophos iView at REPORTS -> SSL VPN as
shown in the below Figure.
FIGURE: Remote Access SSL VPN logs in Sophos iView
