Scanning archived files. The Sophos Endpoint Security and Control is associated with a Sophos UTM which is also fully patched and updated, running version 9.313-3.
This article highlights an issue in Sophos UTM where user information is not logged when files are downloaded and scanned by Sophos UTM. It shows how this issue affects reports (both the web usage reports on Sophos UTM and those in Fastvue Sophos Reporter), and how to work around it.

How Sophos UTM logs scanned file downloads

When downloading a file through Sophos UTM 9.4, the default behavior redirects the user to Sophos UTM's download progress page while Sophos UTM scans the file for anything malicious. The first log record shows a normal web hit.
In this case it is a gif image on the aarnet mirror page from which you can download the latest Linux ISOs. The image URL is shown in the url= field, and the page it was on in the referrer= field. More importantly, notice the presence of the source and destination IPs, username, group and AD domain (marked in red in the screenshot). The second log record is what Sophos UTM logs when actually clicking on the Linux ISO file and downloading it.
Notice (in yellow) that only the source IP is logged; the destination IP, user, group and AD domain are all empty. The referrer is now passthrough.fw-notify.net, which is the UTM's download page, and the URL of the file downloaded is highlighted in green. The download itself works fine, but the log event for it carries no useful user information: when the browser is redirected to the passthrough URL, the user information is dropped from the log.
How Sophos UTM scanned file downloads are displayed in reports

This issue of course affects your reports. As there is no authenticated username, the only information the reports can show is the source IP, which Sophos UTM kindly resolves to a hostname.

The workaround is to add an exception (under Web Protection) with the Do not display Download/Scan progress page option enabled, so that the browser is no longer redirected to the progress page. Although this behavior may not be ideal, as the user no longer sees the scanning progress of a large file download, the username is now correctly logged with the downloaded file, and the reports reflect this.
Below is a screenshot of the logs with the exception enabled. The first log record again shows a normal web hit (an image downloaded from the web page that was accessed), and the second log record shows the large file that was downloaded. Both log entries include IPs, user, group and AD domain (shown in green).

Summary

Without the Do not display Download/Scan progress page exception, Sophos UTM intercepts file downloads, redirects users to the Download/Scan progress page and logs only the source IP (which is resolved to a hostname in reports, but not in the logs). Once the exception is enabled, Sophos UTM still intercepts the file to download and scan it, but the user is not redirected to the Download/Scan page. The upside is that the username information is logged alongside the file download, and flows through to your reports. It would be ideal if Sophos UTM logged username information even when redirecting to the Download/Scan page, but hopefully this workaround helps in the meantime.
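If you cannot enable the exception everywhere, or need to repair historical logs, the passthrough records can at least be flagged and tentatively attributed. The following Python script is an added example and is not part of the article or of Sophos UTM or Fastvue Sophos Reporter. It parses the UTM's key="value" web filter log lines, marks hits whose referrer is passthrough.fw-notify.net with an empty user= field, and attributes each one to the last authenticated hit seen from the same client IP within a short window. Only the url= and referrer= field names and the passthrough host come from the article; srcip, dstip, user, group and ad_domain are assumed names for the columns the article highlights, and the sample log lines, hosts, users and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Sophos UTM's key="value" web filter log style.
# Only the url= and referrer= field names and the passthrough.fw-notify.net
# host come from the article; srcip/dstip/user/group/ad_domain are assumed
# names for the columns it highlights, and hosts, users and times are invented.
SAMPLE_HTTP_LOG = """\
2016:05:11-10:15:31 utm httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.25" dstip="203.0.113.10" user="jsmith" group="Staff" ad_domain="CORP" statuscode="200" url="http://mirror.example.net/linux/header.gif" referrer="http://mirror.example.net/linux/"
2016:05:11-10:15:40 utm httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.25" dstip="" user="" group="" ad_domain="" statuscode="200" url="http://mirror.example.net/linux/ubuntu-16.04-desktop-amd64.iso" referrer="http://passthrough.fw-notify.net/"
2016:05:11-10:16:02 utm httpproxy[4711]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.31" dstip="" user="" group="" ad_domain="" statuscode="200" url="http://mirror.example.net/linux/debian-8.4.0-amd64-netinst.iso" referrer="http://passthrough.fw-notify.net/"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PASSTHROUGH_HOST = "passthrough.fw-notify.net"
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"  # assumed layout of the leading timestamp


def parse_line(line):
    """Split one UTM log line into its key="value" fields plus a parsed timestamp."""
    rec = dict(KV_RE.findall(line))
    if rec:
        rec["_ts"] = datetime.strptime(line[:19], TS_FORMAT)
    return rec


def is_passthrough_download(rec):
    """True when the hit was made via the Download/Scan progress page redirect."""
    return PASSTHROUGH_HOST in rec.get("referrer", "")


def attribute_downloads(log_text, window=timedelta(minutes=5)):
    """
    Walk the log in order, remembering the last authenticated hit per source IP.
    A passthrough download whose user= is empty is attributed to that identity
    if it occurred within `window`. This is a heuristic, not a logged fact: it
    assumes one user per client IP, which fails behind NAT or on shared hosts,
    so the result is tagged "inferred" rather than "logged".
    """
    last_identity = {}  # srcip -> (timestamp, user, group, ad_domain)
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        srcip = rec.get("srcip", "")
        row = {"url": rec.get("url", ""), "srcip": srcip,
               "user": rec.get("user", ""), "group": rec.get("group", ""),
               "ad_domain": rec.get("ad_domain", ""), "source": "logged"}
        if rec.get("user"):
            last_identity[srcip] = (rec["_ts"], rec["user"],
                                    rec.get("group", ""), rec.get("ad_domain", ""))
        elif is_passthrough_download(rec):
            seen = last_identity.get(srcip)
            if seen and rec["_ts"] - seen[0] <= window:
                row.update(user=seen[1], group=seen[2], ad_domain=seen[3], source="inferred")
            else:
                row["source"] = "unknown"
        else:
            row["source"] = "unknown"
        rows.append(row)
    return rows


def unattributed(rows):
    """Downloads with no user even after inference; reports can only show these by hostname."""
    return [r for r in rows if r["source"] == "unknown"]


if __name__ == "__main__":
    for r in attribute_downloads(SAMPLE_HTTP_LOG):
        print(f'{r["source"]:8} {r["srcip"]:12} {r["user"] or "-":8} {r["url"]}')
```

The "inferred" tag is deliberate: an attribution recovered from a neighbouring log line is evidence, not a logged identity, and should be presented that way in a report. The third sample line shows the failure mode, a passthrough download from a client with no prior authenticated hit, which stays "unknown". Enabling the exception described above is the real fix; this only helps with logs written before it was switched on.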
A big thank you to Andrew Priest for researching, testing and sending through the information above!
I have a relatively new Sophos UTM 9 Home edition running that is connected up to my new Gigabit fiber connection using PPPoE. I have an assigned range of static IP addresses the ISP gave me but I see that the main external IP address has tons of dropped packets to the UTM. This is running on a ESXi with dedicated NICs for the external and internal connections. I get upwards of 28% dropped packets to the automatically assigned IP address from the ISP through the PPPoE connection according to the daily and weekly reports.
I'm not running a proxy. Is there somewhere I can change that so it will run more smoothly? I am not currently running IPS as it slows down my connection too much. Speedtest.net right now shows 500-600 Mbps download and 800-900 Mbps upload. When I don't have the UTM connected inline, my old Asus RT-N66U router would get 900-920 Mbps up and down.
I do have the NAT masquerade rule setup for internal ->WAN. Daily executive report and weekly reports all show tons of dropped packets to my assigned IP. I'm sure that's affecting my overall perf and speeds on the UTM and on my gear at home.
To be honest with you, I've never been able to run high throughput when running as a VM, which is why I abandoned the idea. The drop in performance was so significant that I wanted to maximize throughput and I really didn't have to worry about scaling for a large enterprise. I don't know what the overhead is for running in a VM but I don't remember reading about anyone running a VM and a Gb connection and able to max that out. One thing I didn't see mentioned is what CPU you are running. I know that upload is easier on the CPU than the download.
I know you said you aren't running IPS, but all of your firewall rules and NAT and web filtering are really on your inbound traffic. I don't use ESXi but I believe there is somewhere you can go to see how each of your CPU cores is working. I wonder if you can check that out while you're running the speed test and just see if you're pegging out your CPU cores. Your overall usage may sit in the low teens but it's possible that something is running on a single core and maxing out, which isn't reflected in the overall results you're seeing in the dashboard. You asked about a report to see what's being dropped but the canned reporting for Sophos leaves a lot to be desired. A few options here. You can install Sophos iView as a VM to try to enhance your reporting.
I have that running as well as Fastvue. The nice thing about Fastvue is that they offer a 'home' license that they don't advertise, but if you send them a message they will tell you it's like $50 per year for home use. I find that with both of these running I can get decent reporting for my needs. I'm looking at the iView report and I can see what was blocked and port 4242 was getting hammered (CrashPlan uses this port and I have it installed on the server).
And then from Fastvue I can see which categories got blocked with how many hits. But if you want to see exactly what's getting blocked, you may have to get acquainted with the raw log files. You'll find that the vast majority of dropped packets will be from default rules (60001, 60002, etc.). Don't know if any of this helps. In any case, welcome to Sophos. I know that since I've been using it, I'm not turning back.

I had set this up as a test to look at going to it back in March.
I got through the 20-30 min setup to get it passing traffic just fine. I turned it off for a few weeks while I was adjusting other network gear and continued to run with my RT-N66U Asus router connected to the PPPoE Fiber. I put this back inline about 10 days ago as I sold my Asus Router and this is what I had decided to run with for the time being although I would prefer a dedicated device like a Netgate or something small with 4+ Gigabit NICs and. All things aside - even though it's a VM - it shouldn't be reporting that many packets being lost.
Agreed - I was asking more for knowing if there are some more things you need to configure, not as a scapegoat for blaming VM and walking away:) When you installed, did you install with the software install ISO or a prebuilt vmware app? If the software ISO, you may need to install the VMware integration tools for Linux.
Search for the integration tools for RedHat since the UTM software is an RPM-package based custom Linux.

Chris Shipley wrote: All things aside - even though it's a VM - it shouldn't be reporting that many packets being lost. Agreed - I was asking more for knowing if there are some more things you need to configure, not as a scapegoat for blaming the VM and walking away :) When you installed, did you install with the software install ISO or a prebuilt VMware app? If the software ISO, you may need to install the VMware integration tools for Linux. Search for the integration tools for RedHat since the UTM software is an RPM-package based custom Linux.

Thanks, I appreciate that. :-) I mounted the ISO image and installed from there. I do see that in the VM summary, it shows VMware tools: Running (Guest Managed). So I really didn't mess with it much. I thought I had read that most Linux distros these days run the open VMware tools natively. But I can certainly check and put on the VMware tools for the OS. I hadn't considered that.

Toddac wrote: I thought I had read that most Linux distros these days run the open VMware tools natively. But I can certainly check and put on the VMware tools for the OS. I hadn't considered that.

Oh, hmm - you might be right about that now. I may need to update my brain database.
However, that's where I would check. I believe there is more than one mode for the Vmware NIC to operate via the vmware tools, so you may need to swap from one to the other via the console on the UTM.
That's accessible if you enable shell access and set both a loginuser and root user password. SSH to loginuser, su to root.

Here is the section in the daily and weekly executive reports that has me concerned. Hopefully the image is readable. 81% of the dropped packets from yesterday's daily report are to the external address of the UTM IP address. That just seems weird. Is there a NAT rule or firewall rule that's messed up? As I mentioned - upload speeds are close to my gigabit speeds - in the 800 Mbps range. But it's the download speeds that suffer. I'll look into adding in the VMware tools for Linux to see if that might help.

Chris Shipley wrote: toddac wrote: I thought I had read that most Linux distros these days run the open VMware tools natively. But I can certainly check and put on the VMware tools for the OS. I hadn't considered that. Oh, hmm - you might be right about that now. I may need to update my brain database. However, that's where I would check. I believe there is more than one mode for the VMware NIC to operate via the VMware tools, so you may need to swap from one to the other via the console on the UTM. That's accessible if you enable shell access and set both a loginuser and root user password. SSH to loginuser, su to root.

Looks like I'll hold off on trying to force a VMware tools install.
According to this post, Sophos put them in on v8 back in 2012. Another pretty affirmative statement that they have cooked the VMware tools into the ISO. I think I remember reading that txt file back in March when I first got the recommendation to check out Sophos UTM Home for my new fiber connection. I'm not sure whether I was dropping packets or not with my Asus router as it just didn't have that metric to report or track. I was running the latest Asus firmware and hadn't gone to DD-WRT or anything custom. I do know that my speedtest.net, local ISP speed tests and Google Fiber speed test pages were all in the low to mid 900 Mbps for upload and download. All I need to connect to my ISP is a patch cord over from the fiber portal to the designated Intel NIC on my ESXi box and then add in the PPPoE credentials and it connects.
There are some settings and reconnection terms listed for PPPoE - but the ISP said to ignore most of those and not enable them. This is my first PPPoE connection since I had DSL 12+ years ago (was a solid Comcast user for that time).

I've compared my executive reports running the same version of Sophos and am getting about 40% to 50% of all dropped packets to my external address as well. But correct me if I'm wrong, isn't the standard feature to silently drop packets that violate filter/firewall rules? Disallowed pings, scans of your external address... wouldn't they get dropped and be reported as such? My total dropped packets for yesterday alone is 64,860 with 43% showing my external IP as destination. I'm also on Gb internet and can get the full 940 Mbps speeds when I disable IPS.

Hey NashBrydges - I wondered if you'd show up here :-) I got the advice to run Sophos from you and I really do like the interface, the reports, the control I have over my home network. I've turned everything off in my VM version of UTM for testing today except for the firewall piece that can't be disabled and I'm still not able to get above 500 Mbps for my downloads.
I'm not quite ready to give up on it but I don't want to power more gear in my storage room either if I don't have to. So, maybe I'll order another 4port gigabit PCI-E card and install it and remove the single port Gigabit PCI-E card I found in a drawer that's running as my external interface. But - you do bring up a valid point NashBrydges that may be there is just a ton of 'noise' on the internet WAN interface and I couldn't 'see it' before the sophos. Is there a report or log I can get access to to let me look through all of the dropped packets? I also toss around the idea of putting in a Ubiquiti Edge Router lite for a dedicated fast edge device.
Wish I had one to try to see how I liked it. The price point is pretty compelling. I'm willing to test out a pfSense setup too since it's all just in my VMware environment. Running on 2x Dell PowerEdge R210 II servers at home would be nice. I have a few of those in our data center... not a bad little 1U server for the money. My monthly power bill is already $180/month - so I've got to keep an eye on what I'm running.
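The thread ends with the two questions still open: is there a way to see exactly what is being dropped, and is the high share of drops "to my external address" a misconfiguration or just the firewall discarding unsolicited internet noise on default rules such as 60001 and 60002? The Python script below is an added example and is not from any participant in this thread, nor from Sophos. It reads lines in the key="value" style of the UTM's packet filter log and splits the drops into unsolicited inbound traffic for the UTM's own public address (port scans and probes, expected and harmless) versus packets from a LAN host that a rule or a missing masquerade refused (the ones that would actually explain slow downloads). The default rule ids come from the thread; the field names (action, fwrule, initf, srcip, dstip, proto, dstport), the interface names, the addresses and the sample lines themselves are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packet filter log.
# Rule ids 60001/60002 come from the thread; every other field name, address,
# interface and timestamp is an assumption made up for this example.
SAMPLE_PF_LOG = """\
2016:05:12-03:10:01 utm ulogd[2048]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="192.0.2.44" dstip="198.51.100.77" proto="6" srcport="51234" dstport="4242" tcpflags="SYN"
2016:05:12-03:10:07 utm ulogd[2048]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="192.0.2.44" dstip="198.51.100.77" proto="6" srcport="51235" dstport="4242" tcpflags="SYN"
2016:05:12-03:10:09 utm ulogd[2048]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="203.0.113.9" dstip="198.51.100.77" proto="6" srcport="40001" dstport="23" tcpflags="SYN"
2016:05:12-03:10:15 utm ulogd[2048]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="ppp0" srcip="203.0.113.120" dstip="198.51.100.77" proto="17" srcport="5060" dstport="5060"
2016:05:12-03:11:02 utm ulogd[2048]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" srcip="192.168.1.10" dstip="203.0.113.200" proto="6" srcport="49152" dstport="6881" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one key="value" log line into a dict (empty dict for non-matching lines)."""
    return dict(KV_RE.findall(line))


def classify(rec, external_ip, wan_if, lan_net):
    """
    Separate the two kinds of drop that look identical in the executive report:
    - inbound_noise: unsolicited traffic arriving on the WAN interface for the
      UTM's own public address (scans, probes for services that are not exposed);
      this is the default deny rule doing its job and costs nothing to keep.
    - lan_blocked: a packet from an inside host that a rule or a missing NAT
      masquerade refused; these are the ones worth investigating.
    - other: anything else (for example forwarded traffic to non-local destinations).
    """
    if rec.get("initf") == wan_if and rec.get("dstip") == external_ip:
        return "inbound_noise"
    if ipaddress.ip_address(rec["srcip"]) in lan_net:
        return "lan_blocked"
    return "other"


def summarize_drops(log_text, external_ip, wan_if, lan_cidr):
    """Aggregate drop records by rule, by destination/port and by class."""
    lan_net = ipaddress.ip_network(lan_cidr)
    drops = [r for r in map(parse_line, log_text.splitlines()) if r.get("action") == "drop"]
    classes = [classify(r, external_ip, wan_if, lan_net) for r in drops]
    to_external = sum(1 for r in drops if r["dstip"] == external_ip)
    return {
        "total": len(drops),
        "to_external": to_external,
        "external_share": to_external / len(drops) if drops else 0.0,
        "by_rule": Counter(r["fwrule"] for r in drops),
        "by_dst_port": Counter((r["dstip"], r["proto"], r["dstport"]) for r in drops),
        "by_class": Counter(classes),
        "lan_blocked": [r for r, c in zip(drops, classes) if c == "lan_blocked"],
    }


if __name__ == "__main__":
    s = summarize_drops(SAMPLE_PF_LOG, external_ip="198.51.100.77",
                        wan_if="ppp0", lan_cidr="192.168.1.0/24")
    print(f'{s["total"]} drops, {s["external_share"]:.0%} to the external address')
    for (dst, proto, port), n in s["by_dst_port"].most_common():
        print(f'  {dst}:{port}/{proto} x{n}')
    for r in s["lan_blocked"]:
        print(f'  LAN host {r["srcip"]} blocked to {r["dstip"]}:{r["dstport"]} by rule {r["fwrule"]}')
```

On the constructed sample, 80% of drops are inbound noise aimed at the external address (the same shape the executive report in the thread shows), and none of those can slow a download, since the firewall discards them before any forwarding work happens. The single lan_blocked entry is the kind of line to chase: a LAN host whose outbound connection was refused points at a rule or masquerade problem rather than at background internet scanning. Run it against the real log on the UTM shell (the thread describes enabling shell access and using su to reach root) with your own external address, WAN interface and LAN network substituted.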