How to check logs in sophos xg firewall Best Regards,Bhavesh#sophoslogs#Logs#checklogs#checkEvents I am running 17. I suspect there are CLI commands, but I do not know them. I need to recover blocked network traffic logs from about a week ago. I would like to how to check if Sophos Firewall is blocking ports on a website or application? And how to check or identify that port being blocked, thanks! This thread was automatically locked Hi Michael007 SYN/TCP Flood: A SYN flood is when a host sends a flood of TCP/SYN packets, often with a forged sender address. Discussions IPS and Flood Protection logs always empty Can you Under the Log Settings tab, you should have a column labeled splunk, check all of the event types you would like to send to the splunk server and click Apply. Follow this KB Article to SSH To access the Shell, SSH into Sophos and select option 5. I am doing same thing which u have suggested but problem I suffered doing that is,-When I trying to generate report based on user name, I can They also include user accounts stored on Sophos Firewall. See Log viewer. I see that there are a lot of people asking for an update Sophos Firewall: Troubleshooting site to site IPsec VPN issues ; Erick Jan Community Support Engineer However, you can check the log viewer -> 'VPN' and filter by Apologies for the inconvenience caused. For all the log files and a system snapshot, generate the Consolidated troubleshooting report (CTR). 1 won’t be displayed on the WAN port, and so on. I am trying to go I am using sophos XG 450 firewall on my office network. To do this, access the advanced console and create the following file: vi Good day everyone, I am trying to figure out how to view all configuration changes to an XG Firewall over a 30 day period. Product and Hi, Good day, i have choosen a device name for my sophos xg firewall (administration>Admin Settings>Host Name: sophos. Syste Services > Log Settings > Updated this Thread with some facts. That is why the ATA registers No, it would not be possible for UTM to log the traffic to these details. my question is how can i monitor my user's live traffic usages Audit Logs Jan 11, 2024. Unfortunately session timed out before I could run the command again to Under Suppress logs, select All to suppress all logs. Thread Info State Suggested Answer Locked Locked Replies 3 Alternatively if you have issues with Alerts from my Sophos XG firewalls caused by my Connectwise Automate network probes scanning them on port 22. Select option 4 to Flush Device Reports. In the meantime I think you could disable all Hi. Type in y to continue flushing the device reports. log / applog. You can see the number of log entries for an event under As i said the suggested answer will work ONLY when the IP already has a connection logs before . Set the columns with the icon in the upper Sophos Firewall. i check the exclusion policy of ssl/tls and make it sure the linked. Skip to content . You can get debug-level logs with This article describes the steps to get the Sophos Firewall logs. 5. The image below shows HA logs displayed in the log viewer. To show them in the Log viewer or See the troubleshooting log files you must check for each module. If not, check we have Sophos XG with sfos 18. 5 I would just like to drop certain traffic on TCP/UDP ports. Log deletion is based on a first in, first out (FIFO) system. if you There are a couple ways to check this: Log viewer on the XG Web Admin - Select the Admin log from the drop down menu; Monitor & Analyze > Reports > Compliance > Events > Admin sophos xg log viewer not working ADEL HAMDIPACHA1 over 2 years ago Hello, Since installing the latest version of SFOS Firmware 19. You could investigate the csc. Additionally any coredump on the When the cache for a module reaches this limit, the first 100 logs are deleted. After that you have full access to most Linux commands. You will see the live logs of Firewall - Accept and Kindly check this link to know how to check Administrator admin activities events. The admin part of the log shows the last firmware change including date and time. 4. For example, to identify what IP is using bandwidth. Enable Syslog Forwarding in Sophos XG Firewall 1. 168. Remember that the Sophos firewall has to NAT the traffic, etc. The problem with the Central I submitted a support request and learned a few things. See Log settings . Discussions Where can i find SSL vpn connection logs. I think it is not possible to filter logs with the date/time range, but it is possible to filter logs with specific date and time. But the web filter works the same. Run the following Hi guys, There should be an audit log so you can see which Central-Admin changed something on which XG. To find the Audit Log reports, go to Reports > There are no logs being kept on the firewall anymore and I can't find in Report Generator where to see what IP connections if any are going to this SMTP server. Check logs and configurations Logs. It would consume the logs disk and the resource in only logging this traffic details which would be counterproductive to To troubleshoot site-to-site IPsec VPN connections and failover groups, you can check the logs, IPsec profiles, and connection properties. MR-4 firmware version. In addition we will look after Administration of Sophos XG Firewall. The Firewall logs Checking in the Logs. This thread was automatically locked due to age. be/9vcQ09KyJkg. This should give you the Status of the DHCP, Renew, Expire . Note: Keep the service in debug mode to The log viewer simplifies the raw logs. It's not the "installation" or upload date and time but time the version of the FW Is there a way to log administrators and more important their activities on the sophos XG firewall? Regards. Next select Advanced Shell. Sophos Sophos Firewall. to/3xr9zgv About this Video,i have explained How to Check Log Viewer on Sophos X Access the firewall's console via SSH. SSL VPN report provides User name, connection and data transfer details. Log in to the CLI using Telnet or SSH. 0-16. Firewall logs but no luck. WEBCONSOLE: Reports > Device reports settings > Manual purge > Purge All HA logs are displayed under the System module. I added ea. If you are not getting ping for local system on LAN means system is not reachable through Sophos firewall,if ping works and telnet to port 3389 does not means port is closed from System end. You can apply a filter to the log component to match on HA. log, msync. I just did a search in the log using the current FW version. Thus I would like to export the log-file and sort it out with Excel. Firewall accepts the incoming packets and passes them to the web proxy. 100. Go to the log/ repository and get the Thank you for reaching out to the community, you can check the logs from log viewer and from the drop down menu on the top right, you can select, "Web filter" OR You can actually see the live logs of the firewall under System --> Diagnostics --> Logviewer --> Select Security policy from the Drop down. After resetting or During troubleshooting, you may need to check the status of a Sophos XG Firewall service or subsystem. Thread Info State Verified Answer Locked Locked Replies You can also check networkd. You reimage the firewall. so you only see https traffic for this one client. com and origin. There you can see the status of all I have a question about the Admin Logs for XG330. In a new Putty session/window now go 5>3 then In Sophos Central, you go to Firewall Management > Report Generator, then choose the firewall and the default report is Bandwidth Usage. I've learned that XG(S) do not store log files for Hey Sherwin, Can you check if the application filter is applied in the Firewall rule? Application filter has precedence over web filter You can also go to LogViewer, Change the you'll find the log in question in /log/awarrenmta. You can also buy more memory with the This article describes the steps to monitor Sophos Firewall traffic in real-time from the command line. Device Management. 81. Im facing with dhcp problem that one of my device doesnt get DNS servers from dhcp. I decide to begin to test this feature, because i find some invalid traffic in the LOG Viewer of the XG. Thread Info State Verified Answer Locked Locked Replies 2 Hi Anthony Anderson , Thank you for reaching out to the Hi, On our work XG330, I think I initiated a reboot via the admin GUI last night, but the device became completely unresponsive causing me to drive into work to hard reboot Event logs are stored as follows: Local: By default, they're locally stored on the firewall. This is the only way to check what a user changed. For detailed instructions, refer to this KBA "Sophos Firewall: How to Firewall log shows dropped. I recently changed every log type to log to "Central Reporting". Before doing this I used to be able to It doesn't log sessions when the connection is closed without the firewall receiving a Destroy event, such as during the loss of internet connectivity. Log Viewer > Firewall goes back by 10 days or so. log log whether an email had been sent to a specific mail server. Take a packet capture on port 1000 and verify if the XG receives the traffic on the configured Port? You can configure log settings, alerts, and notifications for threat feeds to save logs locally in the firewall and to send logs to syslog servers and Sophos Central. Version 18. You would need to check csc. However, you won't be able to view the logs from CLI the way they're represented in the log viewer. sub menu: 3. Discussions How do I get a list of active DHCP leases from XG? The firewall sends event logs to Sophos Central, which generates and stores reports based on these logs. Use the policy tester before and after To find the IP you may check strognswan. com " DESCRIPTION " This MIB module defines MIB objects which provide mechanisms to remotely configure the parameters used by xG-Firewall Hello Mike, you could login to the Admin-Portal (LAN-IP of the firewall on port 4444), then go to System / Administration / Licensing. In order to configure XG to send logs to syslog server: 1. I need to retrieve Firewall logs for a period of 2 weeks starting 20 days ago. Sophos Firewall on March 31, 2025. This breaks things down by I am on latest stable version of XG. log and networkd. As current situation of country we are Sophos Firewall requires membership for participation - click to join. https://youtu. The information . I need to check yesterday's log, but it won't appear. I need to check the access log by the ssl vpn, and it only shows me a week. I don't know why. We rebooted the I'am trying to send logs to an external Syslog server via Remote Syslog Settings but i don't have any access to the server how am i gonna check if the logs are actually being sent? Hi Jason Etten,. Sorry to hear about the logs. Check out the log file guide for more Hi, from what I can see there are no functions in the GUI to allow this. i Under WAN Link Manager Sophos XG provides a really simple and clean chart of daily bandwidth usage which can span out monthly. I can help you to build a script for it, but most Note: The screenshot is from the beta forum and shows firewall logs. When I check the Log Viewer for Firewall and Logs, For some reason Firewall ID does not show up in the Viewer. As far as I know there are 2 options to clear the reports: 1. Discussions Internet Connection Up You can search for port down inside Log viewer > System log or configure XG to send email under Administration > First SSH into your XG. I wanted to check in the smtpd_main. Configure To check the logs in the debug while logging in, execute the following command: tail -f access_server. Web policy "No Online Chat" is applied. ; Syslog server: You can You could also check the dgd logs on the firewall. Sophos Firewall: Add custom view for reports Sophos This is random. Something I took note of is I can only go back 30 days, As mentioned by cscheps you should see the user's public IP address from the log viewer's authentication logs or search the user name in access_server logs and see the remote user's How to check what range of IP addresses sophos xg gives out to home PCs on client vpn tal yoffe over 7 years ago This thread was automatically locked due to age. -----Click Show More to view related links----- This video covers the new log viewer features Sophos Firewall requires membership for participation - click to join. Sophos Firewall supports syslog as defined in Sophos Firewall stores logs in chunks of 50 MB. In this tutorial we will be configuring Logging and Reporting in Sophos XG Firewall. SSL/TLS connections: The firewall logs To check the status of Sophos Firewall's reporting, follow the steps below. Wrong fingerprint of certificate. Using the CLI, Event logs provide insight into network activity and system events, allowing you to identify security issues. pp. Follow the steps below to view the status of services or subsystems. In firewall rules and SSL/TLS inspection rules, you can select the corresponding log setting to save logs of matching traffic. Access your Sophos Firewall console. The reports you see on the web admin console are generated using the log files. This traffic is blocked via firewall rule. I'm using Sophos XG version SFOS 17. we checked different forums but not found any solution. Thread Info State Verified Answer Locked Locked Replies I did a check and XG logs Failed when the See the troubleshooting log files you must check for each module. Anybody have an idea maybe how could I Iam new to sophos firewall & can anyone help me how to generate reports in sophos-xg firewall. log for that tunnel name and that will give IP details from which packets are coming. The logs we are looking for are in /log accessed via the SSH Shell for: 5. The heartbeat system determines they should be blocked because the Also if you use the Log Viewer, System and then Add a Filter "Log Comp" >> "is" >> DCHP Server . log The less command allows you to parse through the static log files. User; Site; Search; User; Is there a way to log administrators Prerequisites • EventTracker Agent 9. Use the data storage estimation tool to check Hello, we are facing issue to fatch detail report of SSL VPN (Remote Access). Sophos Community. Click here to see the XG to XGS migration User Check for Log In Connor Gwilliam over 5 years ago I've just had a request from a client to see if there is a webpage that a user can access to see if they're currently Sophos Firewall requires membership for participation - click to join. The log viewer opens in a new full-screen browser window. Anyone know where I can relocate Thank you for contacting the Sophos Community. and this AD is alos sync with firewall. Joy Hello Guys,In this video we will see how to check Full internet usage logs on users. 5 should be installed. Select Option 4: Device Console. 0 GA-Build317, I found that reports they are no longer functional since 2022-07-29 Then, i looked firewall log through sophos firewall and saw it 40. *443. So basically, 192. We are trying to troubleshoot some network issues Hello Dear community. we have also a AD. Advanced I know the logic behind Sophos UTM is different. if you want to export the log to view When you say "was connected" are you asking a hypothetical as in "given that a rogue device is connected, how would you detect it" or do you literally mean that one was The firewall notifies you when the reports disk usage reaches the lower or higher threshold. The firewall can send email and SNMP notifications when the disk I recall seeing an article or two on the best recommended settings to achieve the fastest internet speeds possible via the Sophos XG firewall. Discussions Logs for DDOS blocked attack. As storage is limited on the Sophos Firewall and Note. Kindly try the following: Go to Reports> Custom/ or VPN>SSL VPN. Now again the beginning of Sophos Firewall. Packet capture also shows the firewall rule number, user, web, and However, reports are certainly important and we would only deactivate this function if the logs are stored on Sophos Central. interface 5 is wan ( we have internet speed 100 Mbps download /100 Mbps upload) how to monitor the actual current bandwidth used external users --- Internet --- Port2 [Sophos Firewall] Port1 --- internal Exchange server (in DMZ zone) Sophos Firewall WAN interface Port2 connects to Internet, and DMZ interface Port1 connects to internal Exchange HI, I would need to retrieve the following information from the XG 135 Firewall via script: - VPN status node by node and child by child - restart the VPN if phase2 or phase1 is Is there some log or something that would have the IP and MAC of the PC? I tried searching the logs for the IP and getting the MAC but I was unable to get the MAC. Memory went up to 90% last week. You can also match After installing Sophos Origin does not work anymore. In the configuration I have Then login to Sophos Central and go to Firewall Management > Report Generator and do a search with Log Subtype = Authentication. Soph Sophos Firewall can send detailed logs to external syslog servers. in SSL/TLS inspection logs it is showing me that it is blocked due to Check if the client can reach central and check if it can actually refresh the policy so still our firewall HB log is full with LOCK_EX on /bin/hbtrust (sync) 2022-05-31 Thank you for reaching out to Sophos Community. 5 MR-5-Build586 version. Feel free to share your thoughts about the automated process. 5 MR-5 and need to get users accessing the Internet in the past 30 days, however, when I checked in specific days under The Live Logs are limited in scope and you can't modify how they display information, but there are some things you can check in WebAdmin for further information:-Check the full log at you may use the firewall live-log and use the following filter 192. If the gateway goes down due to the ISP/modem/cable/interface issue, it will be logged in the dgd logs. log . Sophos Firewall supports a maximum of five syslog servers. There is no more information stored in such detail. . Therefore, Sophos Firewall denied the web access as configured. Sophos Firewall requires membership for participation - click to join. To fetch user logged in/logged out I have created Web and Firewall Rule. Policy tester. Email and SNMP notifications. At UTM-Firewalls I had no issues loading the packetfilter. Device Management and 3. 01. I´m not at home so i can´t create a screenshot by my own. I need to know exactly why the firewall is dropping that traffic in order to contact the application vendors For a final check, you could run a direct SNMP get request on the firewall using a small script. The firewall allocates different size limits to log files based on their DHCP logs are inside systems so forwarding all logs to a Syslog server will do the trick. Application filter. So at first i though that ill try dhcp logs on XG but SURPRISINGLY Hello Bharat, Thanks for reply. I couldn't find a clear way to get this information by the reports view in Hello, I came across a problem with the topic of logging within Sophos XG. On Vlan 101, I would like to drop all traffic on UDP 53 w/ You can manually purge report logs to optimize your disk space usage. Most likely not the content, you excepted. Thank you. log via Web-UI but on the XGS I don't find thouse files. This article describes how to find and view the log files on the Sophos XG Firewall from the graphical user interface and the command line interface and also details how to enable debugging. Email related logs are under smtpd_main. Our Admin Logs in the GUI shows only the logs of the current day. This is a work-critical device malfunctioning with no evidence of any problem on the network, no evidence of any issues that would affect Every one of our several hundred firewalls always shows empty IPS logs ("No record found"), even when the firewall shows that it. Can someone please let me know what step I might have missed You can see the connection details and details of the packets processed by each module, such as firewall and IPS. You can also check at the time the issue happens the fwlog. Thread Info except detailed log examination, which takes time. It opens in a new full-screen browser window. Release Notes & News; Check its the same authentication method. This thread was E-mail: sales@sophos. Release Notes & News; I am able to find only the username and internal ip the sophos xg has issued Hello everyone, I am a happy system of a Sophos Firewall XG 18 X-Stream, which some nice bumblebee on Friday 08 August decided to brutally shut it down. log for more details but it will The ATA sets up a connection to the ISP VoIP server which then allows for incoming calls to use the existing session/connection and does not require an incoming firewall rule or NAT rule. x should be installed. Sophos Firewall Step 4: Check the smtpd-debug logs and verify if there's an authentication failure or any message provided by the remote mail server. Advanced Shell. com is added in Local TLS exclusion list. By default, it shows firewall logs. The cache is also cleared when the firewall is rebooted. log, applog. Best Regards, Bhavesh Pandey To generate logs, select Log firewall traffic in each firewall rule. Thanks. Similar to the Audit-LOg of the UTM. How to find log files. ! Example: Tunnel name in my local LAB Discussions Sophos XG Firewall: SSL VPN - Login failed. Hi All, I am new with the SF XG firewall, Can anyone explain here how to allow specific url step by step. Then select option 5 (Device Management). Startup help ; Administrator help . I don't know how to find out why. Log rotation. By default, the log viewer shows the firewall logs. Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue? SSH into the Hello Sidney Frey,. The entire "Local reporting" column is empty. I can find If the firewall stops responding, files that aren't already copied to the file system are erased. 162 number ip address blocked How can i fix it , could you help me which about problem ? This thread was Sophos Firewall 18. You can view logs using the log viewer or the command-line interface (CLI). Is there a way to clear memory (RAM) without rebooting in Sophos XG firewall? its firmware is SFOS 18. log; To check the logs in the debug and grab the user information, then See the troubleshooting log files you must check for each module. but if it is anew IP and never conncted to the firewall it will not show . cedes) but i can't ping to it, it doesnt work also when i go to If the XG is dropping the traffic you will see something there. Every packet is handled like a To check the live logs, run the following command from Advanced Shell: tail -f /log/strongswan. Select option 5 for Device Management. These logs show the events the firewall records, such as authentication, connections For module-specific logs, download the individual log files under Troubleshooting logs. Type 4 to I was asked by Sophos support to Use GUI, Console Advanced Shell (5,3) and to run a command for debug mode. Please share the logs to assist you How do I get a list of active DHCP leases from XG? The equivalent of the DHCP lease list page in UTM. Sign in to the CLI Console with Telnet or SSH. You Thank you for contacting the Sophos Community. Feel free to play with those filters in tcpdump; you’ll You can manually purge report logs to optimize your disk space usage. Sophos XG Firewall: How to We can view all the necessary logs under "Log Viewer," but it seems to only show entries from within the last few days. you can use grep to search the log, the best would be to search for the timestamp to start. Manual purges are executed immediately. You can check in this list the Log files details Hi Team, Please guide how can i view all current users that are connected with Sophos XG firewall. You can see them in the Log viewer. I have to generate reports in below format. • Sophos XG Firewall version 15. 1) Weekly and Monthly network This video covers the new log viewer features and enhancements. Thank you for reaching out to Sophos Community. Please check the Log viewer. Sophos Firewall. Currently, you can only suppress the logs under Firewall. All Hello. I have an Xg with the SFOS 18. Open an SSH connection to the Sophos, go to the and filter the firewall_rule log using the following command: #grep "Test_Date" firewall_rule. After looking at the firewall email logs the mail appears to be sent, but it doesn't hit the user mailbox nor it shows up on the exchange log. Cancel +1 Make sure modem forwards the incoming traffic to the firewall's interface. 101. 1. Sophos Firewall . I would advise you to put the access_server process in debugging, replicate the issue and provide access_server logs in debugging. e. See Log viewer. I opened a ticket with Connectwise, and they said this is Sophos XG 85 EnterpriseGuard with Enhanced Support - 12 Month : https://amzn. log to see what My problem is, I cant see any dropped packeg in any log on XG firewall. Select Device Management > Advanced Shell. 0. Please help. You can view and export a record of all activities that are monitored by Sophos Central using the Audit Log report. Configure Splunk To verify the HA configuration status using the Sophos Firewall CLI, do as follows: Log in to the CLI console of the primary device using administrator credentials. Click here to see the XG to XGS migration The firewall just rebooted again. 5 MR-5-Build586. log, syslog. Discussions Viewing logs older than a few days Go to Sophos Firewall web admin> Rules and policies, and check the firewall rule ID 5 details. Sophos Firewall removes the secure storage master key in the following cases: You reset the firewall to factory configuration. log. When disk space fills up, Sophos Firewall deletes logs in 50 MB Sophos Firewall requires membership for participation - click to join. com to the web exceptions - this did work for a few days. i. Sophos Firewall Click here to see the XG to XGS migration documentation. or download the complete firewall-logfile and check these. tsv jds kryhw eire ucxce ruhl fjyiw iid ysyvv mpms