An overview of the main functionality of Sophos XG Firewall (Part 1 “Monitoring and Analytics”)

Hi all! Continuing this series of articles, I want to tell you more about the functionality that the Sophos XG Firewall solution offers and introduce you to its web interface. Marketing articles and documents are fine, but it is always more interesting to see how the solution looks in real life and how everything is arranged. So, let's get to the review.

This article covers the first part of the Sophos XG Firewall functionality, "Monitoring and Analytics". The full review will be released as a series of articles. We will start with the Sophos XG Firewall web interface and the licensing table.

Security Control Center

So, we launched the browser and opened the web interface of our NGFW; we are greeted by a prompt for the username and password of the admin panel.

We enter the login and password that we set during the initial activation and get into our control center. It looks like this:

Almost every one of these widgets is clickable: you can drill down into an incident and see its details.

Let's take a look at each of the blocks, and we'll start with the System block.

System block

This block displays the state of the appliance in real time. Clicking any of the icons takes you to a page with more detailed information about the system state.

If there are problems in the system, this widget signals them, and the information page shows the reason.

By clicking through the tabs, you can get more information about different aspects of the firewall.

Traffic insight block

This section gives us an idea of what is happening on our network right now and what has happened in the last 24 hours: the top 5 web categories and applications by traffic, network attacks (reported by the IPS module, when it is enabled) and the top 5 blocked applications.

The Cloud Applications section is worth highlighting separately. It shows which applications on the local network use cloud services: their total number and their incoming and outgoing traffic. Clicking this widget opens the cloud applications information page, where you can see in more detail which cloud applications are on the network, who uses them, and their traffic.

User & device insights block

This block displays information about users. The top line shows information about infected user computers: the Sophos endpoint antivirus collects this information and passes it to the Sophos XG Firewall. Based on it, the firewall can, upon infection, isolate the user's computer from the local network or network segment at the L2 level, blocking all connections to it. For more information about Security Heartbeat, see this article. The next two lines are application control and cloud sandbox; since that is separate functionality, it is not covered in this article.

It is worth paying attention to the two lower widgets. These are ATP (Advanced Threat Protection) and UTQ (User Threat Quotient).

The ATP module blocks connections to the C&C servers that control botnets. If a device on your local network has become part of a botnet, this module notifies you about it and does not let the device connect to the control server. It looks like this:

The UTQ module assigns each user a security index. The more often a user tries to visit prohibited sites or launch prohibited applications, the higher their rating becomes. Based on this data, you can train such users in advance rather than waiting until their computer is eventually infected with malware. It looks like this:
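As an added illustration (not code from the original article and not Sophos's actual UTQ algorithm, whose scoring is not described here), the following Python ranks users by weighted blocked events within a recent window, run over constructed log lines in an assumed key=value format with assumed category weights:

```python
"""Simplified per-user threat ranking in the spirit of the UTQ widget.
Added example, not Sophos's UTQ algorithm. The log lines are constructed in a
simplified key=value form (not the real XG log format); weights are assumptions."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, firewall verdict, category or app, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:12 user=alice action=Deny category="Gambling" src=10.0.0.11
2024-05-01T09:02:40 user=alice action=Allow category="Business" src=10.0.0.11
2024-05-01T09:05:03 user=bob action=Deny category="Malware" src=10.0.0.12
2024-05-01T09:06:15 user=bob action=Deny app="TorrentClient" src=10.0.0.12
2024-05-01T09:07:59 user=bob action=Deny category="Malware" src=10.0.0.12
2024-05-01T09:30:00 user=carol action=Allow category="News" src=10.0.0.13
2024-04-20T11:00:00 user=carol action=Deny category="Gambling" src=10.0.0.13
"""
# Assumed weights: a blocked malware destination counts more than a plain policy violation.
WEIGHTS = {"Malware": 5, "Gambling": 2}
DEFAULT_WEIGHT = 1  # any other denied request, e.g. a blocked application
NOW = datetime(2024, 5, 1, 10, 0, 0)  # constructed reference time for the sample

def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict; shlex honours the quotes."""
    ts, rest = line.split(" ", 1)
    fields = {}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def user_threat_scores(log_text, now, window=timedelta(days=7)):
    """Sum weighted Deny events per user inside the window; highest score first."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event["action"] != "Deny" or now - event["ts"] > window:
            continue  # only blocked activity within the window counts
        scores[event["user"]] += WEIGHTS.get(event.get("category"), DEFAULT_WEIGHT)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def rank_sample():
    """Rank the constructed sample: bob leads (two malware blocks plus a blocked app)."""
    return user_threat_scores(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    for user, score in rank_sample():
        print(f"{user:<8} {score}")
```

Carol's only denied request is older than the window, so she gets no score at all; the widget on the appliance works on the same principle of recent blocked activity, whatever its real weighting.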

Next comes a general information section on active firewall rules and hot reports that can be quickly downloaded in PDF format.

Let's move on to the next menu section, Current activities.

Current activities

Let's start the review with the Live users tab. On this page we can see which users are currently connected to the Sophos XG Firewall, their authentication method, the machine's IP address, connection time and traffic volume.

Live connections

This tab displays active sessions in real time. This table can be filtered by applications, users, and IP addresses of client machines.

IPsec connections

This tab displays information about active IPsec VPN connections.

Remote users tab

The Remote users tab contains information about remote users connected via SSL VPN.

Also, on this tab, you can view traffic by users in real time and forcibly disconnect any user.

Let's skip the Reports tab, since the reporting system in this product is very voluminous and requires a separate article.

Diagnostics

A page opens immediately with various troubleshooting utilities: Ping, Traceroute, Name lookup and Route lookup.

Next is a tab with real-time system graphs of hardware load and port utilisation.

System graphs

Then a tab where you can check the category of a web resource.

URL category lookup

The next tab, Packet capture, is essentially a tcpdump interface built into the web UI. You can also write capture filters.

Packet capture

It is worth noting that the captured packets are presented as a table in which you can enable and disable additional information columns. This is very convenient for troubleshooting network problems; for example, you can quickly see which filtering rules were applied to real traffic.

On the Connection List tab, you can view all existing connections in real time and the information on them.

Connection List

Conclusion

This concludes the first part of the review. We have considered only the smallest part of the available functionality and have not touched on the protection modules at all. In the next article, we will analyze the built-in reporting functionality and firewall rules, their types and purposes.

Thank you for your time.

If you have any questions about the commercial version of XG Firewall, you can contact us, Factor Group, a Sophos distributor. Just write in free form to [email protected].

Source: habr.com