We’re pleased to announce that Fastvue Sophos Reporter now supports Sophos XG, providing the same great web usage reporting features for Sophos XG networks that Sophos UTM (SG) users have enjoyed for over three years!
Getting Started with Sophos XG Reporting
If you have a Sophos XG Firewall and want to try it out, please download our latest release of Fastvue Sophos Reporter (184.108.40.206 and above). The download is a fully featured 30-day trial.
On your Sophos XG Firewall, ensure you have a firewall rule with a ‘Web Policy’ applied and the ‘Log Traffic’ checkbox checked.
Then go to Configure | System Services | Log and add the Fastvue server as a syslog server with these settings:
- Server = Fastvue Reporter Server IP
- Port = Any unused port on the Fastvue machine (514 is the default)
- Facility = Daemon
- Severity = Information
- Format = Device Standard Format
Then check the ‘syslog’ checkbox for the ‘Content Filtering’ log events (Web Filter and Application Filter).
Once you have configured syslog on your XG Firewall, simply add your Sophos XG as a source to monitor in Fastvue Sophos Reporter:
- Browse to Fastvue Sophos Reporter and go to Settings | Sources.
- Click Add Source and select or enter your Sophos XG (any device already sending syslog to port 514 is listed automatically).
- Enter the syslog port you’re using (same as the one you’re using on the XG Firewall above) and click Add Source.
All going well, you should soon start seeing records importing in Settings | Sources, and data flowing into the live dashboards.
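To see what the settings above actually produce on the wire, here is an added example (not Fastvue's or Sophos's code) of a small receiver for the messages the XG sends. The Facility/Severity pair chosen above is encoded in the syslog PRI header as facility * 8 + severity, so Daemon (3) and Information (6) give `<30>` on every message; the receiver uses that to catch a mis-set facility. The sample messages are constructed to resemble the Device Standard Format key=value layout (`log_type`, `log_subtype`, `fw_rule_id`, `iap`, `url`, `domain` and so on), and the assumption that the XG sends over UDP, the exact field names, and the `referer`/`referrer` key name checked for are all assumptions of this example.

```python
import re
import socket
from dataclasses import dataclass

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
# Facility "Daemon" = 3 and severity "Information" (informational) = 6,
# so the XG settings in the post put <30> in front of every message.
FACILITY_DAEMON = 3
SEVERITY_INFORMATIONAL = 6
EXPECTED_PRI = FACILITY_DAEMON * 8 + SEVERITY_INFORMATIONAL  # 30

_PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value or key="quoted value"; quoted values may contain spaces, bare ones may be empty.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Constructed sample messages (not real XG output): two web-filter events on rule 2,
# one plain firewall event, and one sent with facility local0 (16*8+6 = 134) by mistake.
SAMPLE_LINES = [
    '<30>device="SFW" date=2017-03-01 time=09:12:44 timezone="AEDT" device_name="xg-lab" '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" '
    'priority=Information fw_rule_id=2 user_name="jsmith" iap=1 '
    'category="Information Technology" category_type="Acceptable" '
    'url="https://www.example.com/" src_ip=10.1.1.20 dst_ip=93.184.216.34 protocol="TCP" '
    'dst_port=443 sent_bytes=0 recv_bytes=0 domain=www.example.com exceptions= reason=""',
    '<30>device="SFW" date=2017-03-01 time=09:13:02 timezone="AEDT" device_name="xg-lab" '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" '
    'priority=Information fw_rule_id=2 user_name="jsmith" iap=1 '
    'category="Gambling" category_type="Objectionable" url="http://casino.example.net/" '
    'src_ip=10.1.1.20 dst_ip=198.51.100.7 protocol="TCP" dst_port=80 domain=casino.example.net',
    '<30>device="SFW" date=2017-03-01 time=09:13:05 timezone="AEDT" device_name="xg-lab" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=3 '
    'src_ip=10.1.1.21 dst_ip=10.1.1.1 protocol="UDP" dst_port=53',
    '<134>device="SFW" date=2017-03-01 time=09:13:09 timezone="AEDT" device_name="xg-lab" '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id=2 '
    'url="https://www.example.org/" domain=www.example.org',
]


@dataclass
class XGEvent:
    pri: int
    fields: dict

    @property
    def facility(self) -> int:
        return self.pri // 8

    @property
    def severity(self) -> int:
        return self.pri % 8

    @property
    def is_content_filtering(self) -> bool:
        return self.fields.get("log_type") == "Content Filtering"

    @property
    def has_referrer(self) -> bool:
        # Assumed key names; the post notes XG does not log a referrer at all.
        return "referer" in self.fields or "referrer" in self.fields


def parse_xg_syslog(line: str) -> XGEvent:
    """Split one <PRI>-prefixed Device Standard Format message into its key=value fields."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog <PRI> header")
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line[m.end():]):
        fields[key] = quoted if quoted else bare
    return XGEvent(pri=int(m.group(1)), fields=fields)


def ingest(lines):
    """Return (Content Filtering events with the expected PRI, diagnostics for everything else)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            ev = parse_xg_syslog(line)
        except ValueError as exc:
            rejected.append(f"unparseable: {exc}")
            continue
        if ev.pri != EXPECTED_PRI:
            rejected.append(f"PRI {ev.pri} (facility {ev.facility}, severity {ev.severity}) "
                            f"does not match Daemon/Information; check the XG syslog settings")
            continue
        if not ev.is_content_filtering:
            rejected.append(f"not a Content Filtering event: log_type={ev.fields.get('log_type')!r}")
            continue
        accepted.append(ev)
    return accepted, rejected


def rule_summary(events):
    """Count Allowed/Denied web events per firewall rule ID, the only rule identifier XG logs."""
    summary = {}
    for ev in events:
        per_rule = summary.setdefault(ev.fields.get("fw_rule_id", "?"), {})
        verdict = ev.fields.get("log_subtype", "?")
        per_rule[verdict] = per_rule.get(verdict, 0) + 1
    return summary


def serve(port: int = 514, bind: str = "0.0.0.0"):
    """Receive XG syslog over UDP (assumed transport) and print a running per-rule summary."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))  # ports below 1024 need elevated privileges on Unix
    events = []
    while True:
        data, addr = sock.recvfrom(65535)
        good, bad = ingest([data.decode("utf-8", "replace")])
        events.extend(good)
        for msg in bad:
            print(f"{addr[0]}: {msg}")
        if good:
            print(rule_summary(events))


if __name__ == "__main__":
    good, bad = ingest(SAMPLE_LINES)
    print(rule_summary(good))
    print("\n".join(bad))
```

Running the module as a script replays the constructed samples; calling `serve()` instead listens on the port you entered in the Fastvue UI, which is handy for confirming the firewall is actually sending before looking at the Sources page.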
Differences with Sophos UTM
There are a few points/issues to be aware of when reporting on Sophos XG with Fastvue Sophos Reporter.
- No Referrer URLs
Unfortunately, Sophos XG does not log the referrer URL with web traffic. This means the Fastvue Site Clean engine is not as effective as it is with Sophos UTM (SG). It still performs site substitution for known CDNs (googlevideo.com -> youtube.com, fbcdn.net -> facebook.com etc.) and removes a large amount of ‘junk URLs’ from your reports, but the Site Clean engine can do much more when the referrer URL is present in the log. We’ve heard that Sophos intend to implement referrer logging as part of a larger feature in an upcoming release.
- No Historical / Archived Logs
One feature currently missing from Sophos XG is a way to download archived web filter logs from the firewall. Sophos UTM (SG) has a Remote Log Archive feature that Fastvue Sophos Reporter uses to import older data and to fill any gaps in syslog traffic once the nightly log arrives. This feature is not available with the XG Firewall.
If you would like a text version of your log files off-box, you might like to check out our free Fastvue Syslog server, which creates organized text logs from the syslog data it receives. It also zips and archives the logs after 30 days (configurable). You can install it on the same machine as Fastvue Sophos Reporter; just make sure you specify a different syslog port for each application.
- Firewall Rule IDs
Sophos XG does not log the name of the firewall rule responsible for the traffic, only its numeric rule ID. You’ll find this ID in the ‘Rule’ and ‘Filter Action’ fields in Fastvue Sophos Reporter, which lets you trace the firewall rule responsible for allowing or blocking specific traffic.
- Internet Access Policy IDs
If the Internet Access Policy (IAP) name is logged via the ‘iap_policy_name’ log field, Fastvue Sophos Reporter will display it; otherwise it shows the IAP ID. Unfortunately, the Sophos XG UI does not display the IAP ID anywhere at this stage. We have only seen the ‘iap_policy_name’ field logged by older Cyberoam models, not in XG Firewall logs.
If you’re already using Fastvue Sophos Reporter with your Sophos UTM, and would like to migrate to the XG, get in touch with us and we’ll send you an additional license key so that you can test both Sources at the same time, then disable your UTM source when you’re ready.
Download the latest build, then simply run the new installer over the top of your existing installation. The installer will pick up your existing settings, so just click Next throughout the wizard without making any changes. Once installed, browse to the site and do a hard refresh to clear the browser cache by hitting Ctrl + F5 (Cmd + Shift + R on Mac).
Using Sophos Web Appliance?
If you’re using the Sophos Web Appliance, we have a separate Fastvue Reporter application for you here.