Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


| Monitor and Analyze | 40

To search a URL:

1. Go to Monitor & Analyze > Diagnostics > URL Category Lookup.

2. Enter the URL to be searched in Search URL.

3. Click Search.

Figure 19: URL Category Lookup

Packet Capture

This page displays details of the packets seen on the specified interface. It provides connection details and shows how each packet was processed by each module, e.g. firewall and IPS, along with information such as the firewall rule number, user, and web and application filter policy number. This helps administrators troubleshoot errant firewall rules.

You can:

• Configure Capture Filter – Configure filter settings for capturing the packets.

• View – View the packet information.

• Display Filter – Specify the filter conditions for the packets.

• Start/Stop – Start and stop packet capturing.

• Refresh – Refresh the list.

• Clear – Clear the details of the packets captured.

Packet Capture

Trace On/Off

Click the slider to enable/disable packet capturing.

The status, the buffer size and the buffer used for capturing are displayed:

• Trace On - packet capturing is on.

• Trace Off - packet capturing is off.

• Buffer Size: 2048 KB

• Buffer used: 0 to 2048 KB

Captured packets fill the buffer up to a size of 2048 KB. While packet capturing is on, if the buffer used exceeds the stipulated buffer size, packet capturing stops automatically. In such a case, you would have to clear the buffer for further use manually.

Note: Packet capture details are displayed in a new window from the log viewer only after enabling packet capture.

Figure 20: Packet Capture


Configure

Click to configure packet capturing feature.

Capture filter can be configured through the following parameters:

• Number of Bytes to Capture (per packet)

• Wrap Capture Buffer Once Full

• BPF String

There are various filter conditions for capturing the packets. The BPF string is used for filtering the packet capture. For example, host 192.168.1.2 and port 137.

Refer to Configure Capture Filter for more details.

Captured Packet

The Captured Packet section displays a list of all captured packets. For each packet the list shows:

Time

Packet capture time.

In Interface

Interface on which the packet arrived.

Out Interface

Interface to which packet is sent.

Ethernet Type

Ether Type: IPv4 or IPv6 or ARP

Ether Type is a field in an Ethernet frame. It is used to indicate the protocol encapsulated in the Ethernet frame.

Source IP

Source IP address (IPv4/IPv6) of the packet.

Destination IP

Destination IP address (IPv4/IPv6) of the packet.

Packet Type

Type of packet: ARP request or UDP.

Ports [src, dst]

Source and destination ports.

Rule ID

Firewall rule ID.

Status

Possible Packet Status:

• Incoming: Packets received on WAN or LAN interface.

• Forwarded: Packet forwarded to Out Interface.

• Consumed: Packets designated for or used by the device.

• Generated: Packets generated by the device.

• Violation: In case of any policy violation, the device drops the packet and shows the status Violation.

Reason

Reason for a packet being dropped, if it is dropped.

Connection Status

Displays state of connection.

Served By

Specifies if connection is Established, TIME_WAIT or NONE.


Web Filter ID

Web filter policy ID applied on the connection traffic.

Connection Flags

System flags

Application ID

Application ID applied on the connection traffic.

Application Category ID

Application category ID applied on the connection traffic.

Connection ID

Unique ID assigned to a connection.

Gateway ID

Gateway ID through which the connection traffic is routed.

Remote Access Policy ID

Remote Access policy ID applied on the connection traffic.

Bandwidth Policy ID

Bandwidth policy ID applied on the connection traffic.

User Group

User group membership.

IPS Policy ID

IPS policy ID applied on the connection traffic.

Application Filter ID

Application filter policy ID applied on the connection traffic.

Web Category ID

Web category ID applied on the connection traffic.

Master Connection ID

Master connection ID of current connection.

Username

Name of the user establishing connection.

Display Filter

Click to set the filter criteria.

Packet Capture can be filtered as per the following criteria: interface name, ether type, packet type, source IP, source port, destination IP and destination port, reason, status, rule ID, user, and connection ID.

Refer to Display Filter for more details.

Packet Information

Packet information including header details and entities including firewall rules & policies.

Figure 21: Packet Information


Hex & ASCII Detail

Packet Information in Hex & ASCII values.

Figure 22: HEX And ASCII Details

Configuring Capture Filter

The Configuring Capture Filter page allows configuration of the number of bytes to be captured per packet, buffer wrapping and the BPF string.

1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Configure.

2. Enter details to configure the capture filter.

Number of Bytes To Capture (Per Packet)

Specify the number of bytes to be captured per packet.

Wrap Capture Buffer Once Full

Enable to continue capturing the packets even after the buffer is full.

When the checkbox is enabled, the packet capturing starts again from the beginning of the buffer.

Enter BPF String

Specify a BPF string.

BPF (Berkeley Packet Filter) sits between the link-level driver and user space. BPF is protocol independent and uses a filter-before-buffering approach. It includes a machine abstraction to make filtering efficient. For example, host 192.168.1.2 and port 137.

Refer to BPF String Parameters for filtering specific packets.

BPF String Parameters

How to check packets of the … – Example

• specific host – host 10.10.10.1

• specific source host – src host 10.10.10.1

• specific destination host – dst host 10.10.10.1

• specific network – net 10.10.10.0

• specific source network – src net 10.10.10.0

• specific destination network – dst net 10.10.10.0

• specific port – port 20 or port 21

• specific source port – src port 21

• specific destination port – dst port 21

• specific host for the particular port – host 10.10.10.1 and port 21

• specific host for all the ports except SSH – host 10.10.10.1 and port not 22

• specific protocol – proto ICMP, proto UDP, proto TCP
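To check which packets a capture filter would keep before running a capture on the firewall, here is an added Python example (not the guide's or Sophos's code) that evaluates the BPF primitives the table above lists (host, net, port and proto, with src/dst qualifiers and and/or/not) against a constructed set of sample packets; the packet fields and addresses are assumptions.

```python
import ipaddress

# Constructed sample packets (not from the guide); fields mirror the Captured Packet columns.
PACKETS = [
    {"src": "10.10.10.1", "dst": "192.168.1.2", "proto": "tcp", "sport": 51000, "dport": 22},
    {"src": "10.10.10.1", "dst": "192.168.1.2", "proto": "tcp", "sport": 51001, "dport": 21},
    {"src": "192.168.1.2", "dst": "10.10.10.1", "proto": "udp", "sport": 137, "dport": 137},
    {"src": "10.10.10.7", "dst": "8.8.8.8", "proto": "icmp", "sport": None, "dport": None},
]

def _net(text):
    # BPF infers the mask of a bare dotted quad from its trailing zero octets: 10.10.10.0 -> /24
    octets = text.split(".")
    while len(octets) > 1 and octets[-1] == "0":
        octets.pop()
    return ipaddress.ip_network(".".join(octets) + ".0" * (4 - len(octets)) + f"/{8 * len(octets)}")

def _primitive(words, pkt):
    # words is e.g. ["host", "10.10.10.1"], ["src", "port", "21"] or ["proto", "icmp"]
    side, kind, value = (words[0], words[1], words[2]) if words[0] in ("src", "dst") else (None, *words)
    if kind == "proto":
        return pkt["proto"] == value
    checks = {"host": lambda addr, port: addr == value,
              "net": lambda addr, port: ipaddress.ip_address(addr) in _net(value),
              "port": lambda addr, port: port == int(value)}
    # an unqualified host/net/port matches either direction; "src"/"dst" pins one side
    return any(checks[kind](pkt[s], pkt[s[0] + "port"]) for s in ([side] if side else ["src", "dst"]))

def matches(bpf, pkt):
    # Evaluate a BPF expression (host/net/port/proto joined by and/or/not) against one packet.
    tok = bpf.lower().split()
    peek, take = lambda: tok[0] if tok else None, lambda: tok.pop(0)
    def chain(sub, op):  # left-assoc run of sub() joined by op; sub() is always called, so tokens are consumed
        v = sub()
        while peek() == op:
            take(); w = sub(); v = (v and w) if op == "and" else (v or w)
        return v
    def factor():  # "not" factor | [src|dst] qualifier ["not"] value
        if peek() == "not":
            take(); return not factor()
        words = [take(), take()] if peek() in ("src", "dst") else [take()]
        neg = peek() == "not" and take() == "not"  # BPF also accepts the form "port not 22"
        words.append(take())
        return _primitive(words, pkt) != neg
    term = lambda: chain(factor, "and")
    return chain(term, "or")

def select(bpf, packets=PACKETS):
    return [i for i, p in enumerate(packets) if matches(bpf, p)]  # indexes the capture filter keeps
```

Running the table's filters through select() shows, for example, that host 10.10.10.1 and port not 22 keeps the FTP and NetBIOS packets but drops the SSH one, which is what the "all the ports except SSH" row intends.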


Figure 23: Configure Packet

3. Click Save.

Display Filter

This page restricts the packet capturing to specific types of packets. There are further filtering conditions such as the type of interface, ether type, source IP address and destination IP address.

1. Go to Monitor & Analyze > Diagnostics > Packet Capture and click Display Filter.

2. Enter details to configure the display filter.

Interface Name

From the list, select the physical interface used for filtering packet logs.

Ethernet Type

Select the Ethernet type: IPv4 or IPv6 or ARP.

Ethernet Type is a field in an Ethernet frame. It is used to indicate the protocol encapsulated in the Ethernet frame.

Packet Type

From the list, select the packet type used for filtering packets.

Source IP

Specify source IP address (IPv4/IPv6).

Source Port

Specify source port number.

Destination IP

Specify destination IP address (IPv4/IPv6).

Destination Port

Specify destination port number.

Reason

Select the reason for which packets are to be displayed from the available options.

Available Options:

• Firewall

• LOCAL_ACL

• DOS_ATTACK

• INVALID_TRAFFIC

• INVALID_FRAGMENTED_TRAFFIC

• ICMP_REDIRECT

• SOURCE_ROUTED_PACKET

• FRAGMENTED_TRAFFIC

• APPLICATION FILTER

• USER_IDENTITY

• IPS

• MAC_FILTER

• IPMAC_FILTER

• IP_SPOOF

• NEIGHBOR_POISONING

• SSL_VPN_ACL_VIOLATION

• VIRTUAL_HOST

• ICMP_ERROR_MESSAGE

Status

Select the status of the filter from the available options.

Available Options:

• Allowed

• Violation

• Consumed

• Generated

• Incoming

• Forwarded
