by
Scott Glew
With many people now working from home due to COVID-19, reporting on Sophos XG's VPN activity is top of mind for many overstretched IT teams right now.
To help, we've made some additions to Fastvue Sophos Reporter to provide better visibility into Sophos XG's VPN connections and to ensure your remote infrastructure is holding up.
Just send the Sophos XG's SSL VPN, Firewall Rule and Authentication Events to the Fastvue Sophos Reporter server via syslog to enjoy these new features:
First of all, we've added a new VPN Dashboard that lets you monitor Sophos XG's VPN activity in real-time.
The line chart at the top shows the number of Active VPN Sessions over time as well as the number of New Connections, Disconnections, as well as the number of Failed Logins.
Underneath the line chart are some clear statistics showing the number of Active Connections now, the number of New Connections and Disconnections over the past hour, as well as the number of Failed logins over the past 24 hours.
Underneath the statistics, we have two tables showing the most recent VPN connections and the most recent VPN disconnections. The disconnections table also shows the Sophos XG event message that indicates the reason for the disconnection. This lets you see if the VPN connection was terminated due to an auto-logout, a normal user logout, or any other reason.
The final row of the VPN dashboard shows the Top VPN Users by size, as well as a table showing the most recent Failed VPN logins.
We've also added a new VPN section to the existing IT and Network Security Reports. To access the new Sophos VPN report:
Note: If you only want to see the VPN activity for a certain user, you can also select a User Overview Report | IT and Network Security Report, then select the user, date range, and click Run Report.
The VPN report section is also availabe in the All Usage reports.
The VPN section starts with the same line chart showing Active Connections, New Connections, Disconnections and Failed Logins over time.
It's important to note that this will show connections that started after the report's start date. So if you run a report on today, it will show connections that started from midnight today. It will not show connections that were started yesterday, even if they are still active today.
The VPN section also shows a table that lists all VPN connections, including the user, internal and external IPs, connection and disconnection times, VPN duration, VPN session type, and a column called details that displays the Sophos event message. The details column usually states the reason for the VPN's disconnection, but for VPN sessions that were not disconnected within the report's time range, it will show the Sophos Event Message for the connection start event, such as 'SSL VPN zone remote user login allowed'.
The green bars in the table give you a visual indication of when a VPN connection started and stopped, relative to other connections.
Like the VPN dashboard, the VPN report section also shows Top VPN Users by Size, but also includes a simple list of VPN Users alphabetically. This makes it easy for managers and IT administrators to easily find how long a specific user was logged in for, and how much traffic they consumed over the VPN connection.
The report also includes Failed Logins showing the Username, Message and Source IP as it does on the VPN Dashboard, but the report also includes the Destination IP (the Sophos IP), which is handy if you have multiple Sophos devices being monitored by Fastvue Reporter, and you need to know which one is receiving a high number of failed login attempts.
Unlike the VPN Dashboard, the VPN section in the report also shows VPN Session Types, such as SSL VPN, IPSec or L2TP, as well as VPN Policies. If you want to view the VPNs that relate to a specific VPN Policy, you can hover over a VPN Policy, then over the green arrow, and run another IT and Network Security report.
If you want to receive these reports every day, week or month, just click the Schedule Report button in the top right corner.
Unfortunately not. Sophos XG has clear, understandable logs of when VPN connections are made and disconnected. The same cannot be said regarding the log files from Sohpos UTM (SG) therefore, we cannot show you VPN connections from Sophos UTM (SG) at this time.
Download and install the latest version of Fastvue Sophos Reporter to access these new features.
If you're new to Fastvue Sophos Reporter, it comes with a free 30-day trial. See our Getting Started Guide for recommended system requirements, simple installation instructions and information on sending log data from your Sophos XG.
If you're upgrading an existing v2.0 installation (see Settings | About), simply download and run the new installer over the top of your existing installation. The installer will pick up your existing settings, so just click next throughout the wizard without making any changes. Once installed, browse to the site and clear the browser cache by hitting ctrl + F5 (cmd + R on Mac).
If you're upgrading from v1.0, please see the Upgrade section on our Getting Started page.
Note that it can take a few minutes for data to start importing again after upgrades and restarts of the Fastvue Reporter service. You can check the database initialisation progress in Settings | Diagnostic | Database.
It's also important to note that you will not see the VPN dashboard populate immediately. This will start populating as soon as new VPN connections are started.
With Fastvue Sophos Reporter new VPN Dashboard and VPN section in the IT and Network Security report, you can monitor the number of active sessions throughout the day to help plan for extra capacity, or use the reports to find who has not connected recently.
You can also easily see when most people connect and disconnect, and proactively respond to unexpected disconnections or excessive invalid login attempts.
What do you think of our new VPN Dashboard and VPN report section? Let us know if we're missing anything in the comments.
Download our FREE 14-day trial, or schedule a demo and we'll show you how it works.
How to Enable Dark Mode in Fortinet FortiGate (FortiOS 7.0)
Sophos XG - How to Block Searches and URLs with Specific Keywords