Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
| Monitor and Analyze | 40
To search a URL:
1. Go to Monitor & Analyze > Diagnostics > URL Category Lookup.
2. Enter the URL to look up in Search URL.
3. Click Search.
Figure 19: URL Category Lookup
Packet Capture
This page displays details of the packets captured on the specified interface: the connection details and the details of each packet as it was processed by each module (for example firewall, IPS), along with information such as the firewall rule number, the user, and the web and application filter policy numbers. This helps administrators troubleshoot errant firewall rules.
You can:
• Configure – Configure filter settings for capturing the packets.
• Packet Information – View the packet information.
• Display Filter – Specify the filter conditions for the packets.
• Start/Stop – Start and stop packet capturing.
• Refresh – Refresh the list.
• Clear – Clear the details of the packets captured.
Packet Capture
Trace On/Off
Click the slider to enable/disable packet capturing.
The status, the buffer size and the buffer used for capturing are displayed:
• Trace On - packet capturing is on.
• Trace Off - packet capturing is off.
• Buffer Size: 2048 KB
• Buffer used: 0 to 2048 KB
Captured packets fill the buffer up to 2048 KB. While capturing is on and Wrap Capture Buffer Once Full is not enabled, capturing stops automatically once the buffer is full; in that case you have to clear the buffer manually before capturing again.
Note: Packet capture details are displayed in a new window only after packet capture has been enabled.
Figure 20: Packet Capture
Configure
Click to configure packet capturing feature.
The capture filter is configured through the following parameters:
• Number of Bytes to Capture (per packet)
• Wrap Capture Buffer Once Full
• BPF String
The BPF string selects which packets are captured; it is the only setting here that reduces what enters the buffer. For example: host 192.168.1.2 and port 137.
Captured Packet
The Captured Packet section displays a list of all captured packets. For each packet the list shows:
Time
Packet capture time.
In Interface
Interface on which the packet arrived.
Out Interface
Interface through which the packet was sent.
Ethernet Type
Ether Type of the frame: IPv4, IPv6 or ARP.
Ether Type is a field in an Ethernet frame that indicates the protocol encapsulated in the frame.
Source IP
Source IP address (IPv4/IPv6) of the packet.
Destination IP
Destination IP address (IPv4/IPv6) of the packet.
Packet Type
Type of packet, for example ARP request or UDP.
Ports [src, dst]
Source and destination ports.
Rule ID
Firewall rule ID.
Status
Possible packet status:
• Incoming: Packet received on a WAN or LAN interface.
• Forwarded: Packet forwarded to the Out Interface.
• Consumed: Packet destined for or used by the device itself.
• Generated: Packet generated by the device.
• Violation: The device dropped the packet because of a policy violation; the Reason column shows which check dropped it.
Reason
Reason for a packet being dropped, if it is dropped.
Connection Status
Displays state of connection.
Served By
Specifies whether the connection is Established, TIME_WAIT or NONE.
Web Filter ID
Web filter policy ID applied on the connection traffic.
Connection Flags
System flags
Application ID
Application ID applied on the connection traffic.
Application Category ID
Application category ID applied on the connection traffic.
Connection ID
Unique ID assigned to a connection.
Gateway ID
Gateway ID through which the connection traffic is routed.
Remote Access Policy ID
Remote Access policy ID applied on the connection traffic.
Bandwidth Policy ID
Bandwidth policy ID applied on the connection traffic.
User Group
User group membership.
IPS Policy ID
IPS policy ID applied on the connection traffic.
Application Filter ID
Application filter policy ID applied on the connection traffic.
Web Category ID
Web category ID applied on the connection traffic.
Master Connection ID
Master connection ID of current connection.
Username
Name of the user establishing connection.
Display Filter
Click to set the filter criteria.
Packet Capture can be filtered as per the following criteria: interface name, ether type, packet type, source IP, source port, destination IP and destination port, reason, status, rule ID, user, and connection ID.
Packet Information
Packet information, including header details and the entities applied to the packet, such as firewall rules and policies.
Figure 21: Packet Information
Hex & ASCII Detail
Packet Information in Hex & ASCII values.
Figure 22: HEX And ASCII Details
Configuring Capture Filter
The Configure page sets the capture filter: the number of bytes captured per packet, whether the buffer wraps once it is full, and the BPF string that selects which packets are captured.
1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Configure.
2. Enter details to configure the capture filter.
Number of Bytes To Capture (Per Packet)
Specify the number of bytes to be captured per packet.
Wrap Capture Buffer Once Full
Enable to keep capturing after the buffer is full.
When the checkbox is enabled, capturing wraps to the beginning of the buffer and overwrites the oldest packets; leave it disabled to stop at 2048 KB and keep the earliest packets instead.
Enter BPF String
Specify a BPF string.
BPF (Berkeley Packet Filter) sits between the link-level driver and user space. It is protocol independent and filters packets before buffering them, using a machine abstraction that makes filtering efficient. For example: host 192.168.1.2 and port 137.
Refer to BPF String Parameters for filtering specific packets.
BPF String Parameters
To capture packets of                              Example
a specific host                                    host 10.10.10.1
a specific source host                             src host 10.10.10.1
a specific destination host                        dst host 10.10.10.1
a specific network                                 net 10.10.10.0
a specific source network                          src net 10.10.10.0
a specific destination network                     dst net 10.10.10.0
a specific port                                    port 20 or port 21
a specific source port                             src port 21
a specific destination port                        dst port 21
a specific host on a particular port               host 10.10.10.1 and port 21
a specific host on all ports except SSH            host 10.10.10.1 and port not 22
a specific protocol                                proto ICMP, proto UDP, proto TCP
Two points of standard pcap-filter syntax to keep in mind when writing a net or a compound expression: a net written as a full dotted quad with no mask (net 10.10.10.0) is treated as a single-address match, so write net 10.10.10.0/24 or net 10.10.10 to capture the whole /24; and "and" and "or" have equal precedence and are evaluated left to right, so use parentheses to make a mixed expression unambiguous. In tcpdump the protocol tests are written simply as icmp, udp or tcp; proto ICMP is the form this manual documents.
Figure 23: Configure Packet
3. Click Save.
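The table above lists the capture-filter primitives the BPF String field accepts. What follows is an added example, not Sophos code: a small Python evaluator for that subset of pcap-filter syntax, run against constructed packet records, so you can see which packets each expression keeps before pasting it into the appliance. It reproduces two pcap behaviours worth checking a filter against: a four-octet net without a mask is a /32 (net 10.10.10.0 keeps nothing of the /24), and "and" and "or" share one precedence level and associate left to right, so port 22 or port 21 and src host X means (port 22 or port 21) and src host X. That the appliance's own parser follows pcap in both respects is an assumption; the Packet class, the SAMPLE traffic and the function names are the example's own.

```python
"""Evaluator for the capture-filter primitives in the table above (added
example, not Sophos code). Supports host/net/port with optional src/dst,
tcp/udp/icmp and the manual's "proto ICMP" spelling, not/and/or and
parentheses. Packet and SAMPLE are constructed for the demo."""
import ipaddress
import re
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 when the protocol has no ports (ICMP)
    dport: int = 0


def pcap_net(spec):
    """'net' without a mask: a dotted quad is a /32 (a host match), a triple a /24, a pair a /16, one octet a /8."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_ADDR = {None: ("src", "dst"), "src": ("src",), "dst": ("dst",)}
_PORT = {None: ("sport", "dport"), "src": ("sport",), "dst": ("dport",)}
_OPS = {"and": lambda l, r: (lambda p: l(p) and r(p)),
        "or": lambda l, r: (lambda p: l(p) or r(p))}


class FilterParser:
    """Recursive descent; like pcap-filter, 'not' binds tightest while 'and'
    and 'or' share one precedence level and associate left to right."""

    def __init__(self, expr):
        # the manual writes "proto ICMP"; tcpdump spells the same test "icmp"
        self.toks = _TOKEN.findall(expr.lower().replace("proto ", ""))
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]  # IndexError on a truncated filter

    def binary(self):
        left = self.unary()
        while self.peek() in _OPS:          # equal precedence, left to right
            left = _OPS[self.take()](left, self.unary())
        return left

    def unary(self):
        if self.peek() == "not":
            self.take()
            inner = self.unary()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.binary()
            assert self.take() == ")", "missing ')'"
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("tcp", "udp", "icmp"):
            return lambda p, t=tok: p.proto == t
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        negate = self.peek() == "not"       # "port not 22" form
        if negate:
            self.take()
        value = self.take()
        if tok == "host":
            ip, fields = ipaddress.ip_address(value), _ADDR[direction]
            test = lambda p: any(ipaddress.ip_address(getattr(p, f)) == ip for f in fields)
        elif tok == "net":
            net, fields = pcap_net(value), _ADDR[direction]
            test = lambda p: any(ipaddress.ip_address(getattr(p, f)) in net for f in fields)
        elif tok == "port":
            port, fields = int(value), _PORT[direction]
            test = lambda p: any(getattr(p, f) == port for f in fields)
        else:
            raise ValueError(f"unsupported primitive {tok!r}")
        return (lambda p: not test(p)) if negate else test


def apply_filter(expr, packets):
    """Return the packets the capture filter would keep."""
    parser = FilterParser(expr)
    keep = parser.binary()
    assert parser.peek() is None, f"unexpected token {parser.peek()!r}"
    return [p for p in packets if keep(p)]


SAMPLE = [  # constructed traffic, not captured data
    Packet("10.10.10.1", "192.168.1.20", "tcp", 51000, 22),  # SSH from the host
    Packet("10.10.10.1", "192.168.1.20", "tcp", 51001, 21),  # FTP control
    Packet("10.10.10.7", "192.168.1.20", "udp", 137, 137),   # NetBIOS, same /24
    Packet("172.16.0.5", "10.10.10.1", "icmp"),              # ping to the host
]
```

Running apply_filter("net 10.10.10.0", SAMPLE) returns nothing while "net 10.10.10.0/24" returns all four packets, and "port 22 or port 21 and src host 10.10.10.7" returns nothing until the intended grouping is written with parentheses; those are the two mistakes most often made in a capture filter.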
Display Filter
The Display Filter restricts which of the already captured packets are shown; it does not change what is captured (use the BPF string under Configure for that). Captured packets can be narrowed by interface, ether type, source IP address, destination IP address and the further criteria below.
1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Display Filter.
2. Enter details to configure the display filter.
Interface Name
From the list, select the interface whose captured packets are to be displayed.
Ethernet Type
Select the Ethernet type: IPv4 or IPv6 or ARP.
Ethernet Type is a field in an Ethernet frame that indicates the protocol encapsulated in the frame.
Packet Type
From the list, select the packet type used for filtering packets.
Source IP
Specify source IP address (IPv4/IPv6).
Source Port
Specify source port number.
Destination IP
Specify destination IP address (IPv4/IPv6).
Destination Port
Specify destination port number.
Reason
Select the drop reason to display from the available options.
Available options:
• Firewall
• LOCAL_ACL
• DOS_ATTACK
• INVALID_TRAFFIC
• INVALID_FRAGMENTED_TRAFFIC
• ICMP_REDIRECT
• SOURCE_ROUTED_PACKET
• FRAGMENTED_TRAFFIC
• APPLICATION FILTER
• USER_IDENTITY
• IPS
• MAC_FILTER
• IPMAC_FILTER
• IP_SPOOF
• NEIGHBOR_POISONING
• SSL_VPN_ACL_VIOLATION
• VIRTUAL_HOST
• ICMP_ERROR_MESSAGE
Status
Select the packet status to display from the available options.
Available options:
• Allowed
• Violation
• Consumed
• Generated
• Incoming
• Forwarded
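The Display Filter criteria above narrow what is shown, not what was captured, so a typical use is to isolate Status = Violation rows and read their Reason and Rule ID columns. As an added example, not Sophos code, the following Python applies the same AND-of-criteria filtering to constructed rows shaped like the Captured Packet columns and groups the drops by (Reason, Rule ID); the row values, interface names, rule IDs and function names are the example's own.

```python
"""Triage of a Packet Capture listing (added example, not Sophos code).
ROWS are constructed in the shape of the Captured Packet columns; the
interface names, rule IDs and addresses are invented for the demo."""
from collections import defaultdict

ROWS = [
    {"time": "10:01:02", "in_iface": "Port1", "out_iface": "Port2", "src_ip": "10.10.10.5",
     "dst_ip": "192.168.1.20", "src_port": 51000, "dst_port": 443, "rule_id": 3,
     "status": "Forwarded", "reason": ""},
    {"time": "10:01:03", "in_iface": "Port1", "out_iface": "", "src_ip": "10.10.10.5",
     "dst_ip": "192.168.1.20", "src_port": 51001, "dst_port": 445, "rule_id": 0,
     "status": "Violation", "reason": "Firewall"},
    {"time": "10:01:03", "in_iface": "Port1", "out_iface": "", "src_ip": "10.10.10.9",
     "dst_ip": "192.168.1.20", "src_port": 40022, "dst_port": 445, "rule_id": 0,
     "status": "Violation", "reason": "Firewall"},
    {"time": "10:01:04", "in_iface": "Port1", "out_iface": "", "src_ip": "10.10.10.5",
     "dst_ip": "192.168.1.20", "src_port": 51002, "dst_port": 445, "rule_id": 0,
     "status": "Violation", "reason": "Firewall"},   # same flow, retried
    {"time": "10:01:05", "in_iface": "Port2", "out_iface": "", "src_ip": "10.10.10.77",
     "dst_ip": "10.10.10.5", "src_port": 1234, "dst_port": 53, "rule_id": 0,
     "status": "Violation", "reason": "IP_SPOOF"},   # inside address on the outside port
    {"time": "10:01:06", "in_iface": "Port1", "out_iface": "", "src_ip": "10.10.10.5",
     "dst_ip": "10.10.10.254", "src_port": 0, "dst_port": 0, "rule_id": 0,
     "status": "Consumed", "reason": ""},
]


def display_filter(rows, **criteria):
    """AND of the given criteria, compared as case-insensitive strings, the way
    the Display Filter narrows the list (it never changes what was captured)."""
    def ok(row):
        return all(str(row.get(k, "")).lower() == str(v).lower() for k, v in criteria.items())
    return [r for r in rows if ok(r)]


def drop_report(rows):
    """Group Violation rows by (Reason, Rule ID) into sorted distinct
    (src, dst, dport) flows, so a rule dropping traffic it should pass stands out."""
    report = defaultdict(set)
    for r in display_filter(rows, status="Violation"):
        report[(r["reason"], r["rule_id"])].add((r["src_ip"], r["dst_ip"], r["dst_port"]))
    return {key: sorted(flows) for key, flows in sorted(report.items())}


if __name__ == "__main__":
    for (reason, rule_id), flows in drop_report(ROWS).items():
        print(f"{reason:10} rule {rule_id}: {len(flows)} distinct flow(s)")
        for src, dst, dport in flows:
            print(f"    {src} -> {dst}:{dport}")
```

Collapsing repeated drops of the same flow into one line is deliberate: a client retrying a blocked connection produces many Violation rows, and the question when troubleshooting a rule is which flows it drops, not how often.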
Table of contents
- 7 What's New in this Release
- 9 Introduction
- 9 Flavors
- 9 Administrative Interfaces
- 10 Administrative Access
- 10 Using Admin Console
- 12 Supported Browsers
- 12 Menus
- 13 Pages
- 14 List Navigation Controls
- 14 Monitor and Analyze
- 14 Control Center
- 21 Current Activities
- 21 Live Users
- 22 Live Connections
- 24 Live Connections IPv
- 26 View Live Connection Details
- 30 IPsec Connections
- 30 Remote Users
- 30 Diagnostics
- 31 Tools
- 34 System Graphs
- 39 URL Category Lookup
- 40 Packet Capture
- 45 Connection List
- 49 Support Access
- 50 Protect
- 50 Firewall
- 52 User / Network Rule
- 64 Business Application Rule
- 119 Intrusion Prevention
- 119 DoS Attacks
- 120 IPS Policies
- 125 Custom IPS Signatures
- 126 DoS & Spoof Prevention
- 136 Policies
- 139 User Activities
- 140 Categories
- 142 URL Groups
- 142 Exceptions
- 143 Protection
- 145 Advanced
- 146 File Types
- 146 Surfing Quotas
- 149 User Notifications
- 149 Applications
- 149 Application List
- 150 Application Filter
- 153 Traffic Shaping Default
- 154 Wireless
- 154 Wireless Client List
- 154 Wireless Networks
- 158 Access Point Overview
- 164 Access Point Groups
- 165 Mesh Networks
- 168 Hotspots
- 177 Hotspot Voucher Definition
- 178 Rogue AP Scan
- 180 Wireless Settings
- 181 Hotspot Settings
- 182 Email
- 183 MTA Mode
- 209 Legacy Mode
- 236 Web Server
- 236 Web Servers
- 238 Protection Policies
- 242 Authentication Policies
- 244 Authentication Templates
- 245 SlowHTTP Protection
- 246 Advanced Threat
- 246 Advanced Threat Protection
- 247 Security Heartbeat
- 249 Sandstorm Activity
- 250 Sandstorm Settings
- 250 Configure
- 251 IPsec Connections
- 273 SSL VPN (Remote Access)
- 275 SSL VPN (Site to Site)
- 278 VPN Client
- 281 L2TP (Remote Access)
- 285 Clientless Access
- 285 Bookmarks
- 287 Bookmark Groups
- 287 PPTP (Remote Access)
- 289 IPsec Profiles
- 295 SSL VPN
- 299 Network
- 299 Interfaces
- 328 Zones
- 331 WAN Link Manager
- 348 IPv6 Router Advertisement
- 351 Cellular WAN
- 353 IP Tunnels
- 355 Neighbors (ARP-NDP)
- 358 Dynamic DNS
- 360 Routing
- 361 Static Routing
- 364 Policy Routing
- 366 Gateways
- 374 Information
- 387 Upstream Proxy
- 389 Multicast (PIM-SIM)
- 394 Authentication
- 395 Servers
- 404 Services
- 412 Groups
- 416 Users
- 423 One-Time Password
- 426 Captive Portal
- 429 Guest Users
- 435 Clientless Users
- 438 Guest User Settings
- 443 Client Downloads
- 445 System Services
- 446 High Availability
- 453 Traffic Shaping Settings
- 456 Log Settings
- 462 Data Anonymization
- 465 Traffic Shaping
- 469 Services
- 470 System
- 470 Profiles
- 471 Schedule
- 473 Access Time
- 475 Surfing Quotas
- 478 Network Traffic Quota
- 482 Network Address Translation
- 482 Device Access
- 484 Hosts and Services
- 485 IP Host
- 486 IP Host Group
- 487 MAC Host
- 488 FQDN Host
- 489 FQDN Host Group
- 489 Country Group
- 490 Services
- 491 Service Group
- 492 Administration
- 493 Licensing
- 494 Device Access
- 497 Admin Settings
- 500 Central Management
- 501 Notification Settings
- 503 Netflow
- 503 Messages
- 506 Backup & Firmware
- 509 Import Export
- 510 Firmware
- 512 Pattern Updates
- 514 Certificates
- 516 Certificate Authorities
- 517 Certificate Revocation Lists
- 518 Appendix A - Logs
- 518 Log Viewer
- 519 View List of System Events
- 520 View List of Web Filter Events
- 521 View List of Application Filter Events
- 522 View List of Malware Events
- 523 View List of Email Events
- 524 View List of Firewall Events
- 525 View List of IPS Events
- 526 View List of Authentication Events
- 527 View List of Admin Events
- 527 View List of Web Server Protection (WAF) Events
- 528 View List of Advanced Threat Protection Events
- 529 View List of Security Heartbeat Events
- 530 Log ID Structure
- 530 Log Type
- 531 Log Component
- 533 Log Subtype
- 534 Priority
- 534 Common Fields for all Logs
- 535 System Logs
- 544 Web Filter Logs
- 545 Module-specific Fields
- 545 Application Filter Logs
- 546 Module-specific Fields
- 547 Malware Logs
- 547 Module-specific Fields
- 549 Email Logs
- 550 Module-specific Fields
- 551 Firewall Rule Logs
- 552 Module-specific Fields
- 554 IPS Logs
- 555 Module-specific Fields
- 557 Authentication Logs
- 558 Module-specific Fields
- 558 Admin Logs
- 559 Module-specific Fields
- 559 Sandbox Report Logs
- 560 Web Application Firewall (WAF) Logs
- 561 Advanced Threat Protection (ATP) Logs
- 561 Heartbeat Logs
- 562 System Health Logs
- 562 Appendix B - IPS - Custom Pattern Syntax
- 569 Appendix C - Default File Type Categories
- 573 Appendix D - Supported Micro-Apps
- 576 Appendix E - USB Compatibility List
- 626 Appendix F - Compatibility with SFMOS
- 627 Appendix G - Additional Documents
- 627 Copyright Notice