Sophos Firewall Report Troubleshooting

The document discusses troubleshooting reports that are not generating on the Sophos Firewall. It describes the reporting process and key components. It then provides steps to check the report database service, enable on-box reporting, ensure sufficient disk space, and purge old report data if needed. The goal is to methodically check the reporting configuration and system resources to identify and address the root cause of missing reports.

Uploaded by

Ponce
Troubleshooting Reports on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
FW8010: Troubleshooting Reports on Sophos Firewall
April 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.



Troubleshooting Reports on Sophos Firewall

In this chapter you will learn the process of report generation on Sophos Firewall and how to troubleshoot common issues.

RECOMMENDED KNOWLEDGE AND EXPERIENCE

We recommend that you have the knowledge up to and included in the Running and Customizing Reports on Sophos Firewall chapter.

DURATION

5 minutes



Reporting Process

Sophos Firewall Subsystems
• Authentication Server
• Proxies
• Firewall
• VPN
• IPS
• Application Filter

Garner
• Validate event thresholds
• Forwards database entries

Database Entry
• PostgreSQL records data
• SQLite holds the data events

Reports
• Dashboards
• Applications
• Network & Threats
• Email
• Compliance
• Customs & Special
• Settings

The reporting process on the Sophos Firewall is made up of four stages.

First, the subsystems of Sophos Firewall produce data that needs to be fed into the reports.

Garner is the logging application on Sophos Firewall that validates event thresholds to indicate if
thresholds have been reached, and forwards events to the databases.

Sophos Firewall uses two database engines: PostgreSQL is the primary database, and SQLite is used
to store event data.

Reports are then processed and are divided into sections so that the administrator can use them to
determine specific information about Sophos Firewall.



Reports Are Not Being Generated 1

In this scenario we will look at how to troubleshoot the case where reports are returning no
records when there should be data available.



Reports Are Not Being Generated 2

Depending on what the root cause turns out to be, you may also see a lack of reporting data in the
Control center.

Here you can also see that the Services icon is orange, which indicates there is an issue with one or
more services.


Clicking on the orange Service icon in the Control center shows that the ‘ReportDB’ service is
stopped.


SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service -S | grep -e postgres -e garner -e reportdb
postgres RUNNING
garner RUNNING
reportdb STOPPED

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service reportdb:start -ds nosync
200

You can also check the status of the services required for reporting in the advanced shell using the
service command and grep to filter the output. The three services you want to check are
postgres, garner and reportdb.

You can start any stopped services using the command:


service <name of service>:start -ds nosync


console> show on-box-reports
Local Reporting : off

console> set on-box-reports on

console> show on-box-reports
Local Reporting : on

In the console you can check that on-box reporting is enabled. This is enabled by default but
should be checked.

The console command is: show on-box-reports


To enable on-box reporting use the console command: set on-box-reports on


If the reports that are not returning records are in the past, check the log retention report period in
‘Data management’ to ensure that the data is available and has not expired and been deleted.


console> system diagnostics show disk

Partition        Utilization(%)
===============================
configuration    13%     /conf
content          4%      /content
report           100%    /var

Check that there is space on the report partition. You can do this on the console with the
command: system diagnostics show disk

This will output three values for:


1. Configuration, this is stored on the /conf partition
2. Content, this is stored on the /content partition
3. Report, this is stored on the /var partition


SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# df -h
Filesystem              Size    Used    Available  Use%  Mounted on
none                    695.6M  2.0M    643.1M     0%    /
none                    1.9G    12.0K   1.9G       0%    /dev
none                    1.9G    9.2M    1.9G       0%    /tmp
none                    1.9G    14.6M   1.9G       1%    /dev/shm
/dev/boot               127.7M  33.4M   91.6M      27%   /boot
/dev/mapper/mountconf   560.3M  73.2M   483.1M     13%   /conf
/dev/content            11.8G   464.4M  11.4G      4%    /content
/dev/var                70.7G   70.7G   0          100%  /var

You can also check the disk usage from the advanced shell with the command: df -h

In this case we are interested in the /var partition as that is where reporting data is stored.


SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# du -sh /var/*
...
8.9M    /var/tmp
68.8G   /var/tslog      /log
133.6M  /var/u2d
8.0K    /var/upload
8.0K    /var/waffiles
If there is low or no disk space on the /var partition, you can check where the disk space is being
used on the advanced shell with the command: du -sh /var/*

In this example we can see that /var/tslog is taking up most of the space. This directory is where
the logs are stored that are accessed from /log.

With log rotation and data retention settings on the Sophos Firewall, this type of issue is most
frequently caused by debug logs and packet captures. It is important to always disable debug
logging when you have finished troubleshooting a service.


If you need to remove old reporting data from Sophos Firewall, this is done in the Report settings
on the Manual purge tab.

You can remove reporting data either by reporting module or for all reports, for a custom duration
(recommended), or purge all reporting data.

We do not recommend purging all reporting data, as recent data may be required for auditing and
troubleshooting purposes.



Reports Are Not Being Generated 3

With the services all running, on-box reporting enabled and available disk space, Sophos Firewall
will be able to start generating reports again.
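
The service and disk checks from the steps above, combined into one triage script that reads the output of service -S and df -h. This is an added example, not part of the Sophos material: the function names, the 90% threshold and the availability of awk and sort in the advanced shell are assumptions, and the sample input is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example: triage the reporting checks from captured command output.
# Function names and the 90% threshold are assumptions, not Sophos tooling.

# Print each required reporting service that is not RUNNING.
# Reads `service -S` output on stdin; a service absent from the output
# is reported as MISSING rather than silently passing.
stopped_reporting_services() {
    awk '
        BEGIN { want["postgres"]; want["garner"]; want["reportdb"] }
        ($1 in want) { seen[$1] = 1; if ($2 != "RUNNING") print $1, $2 }
        END { for (s in want) if (!(s in seen)) print s, "MISSING" }
    ' | sort
}

# Print "<mount> <use%>" for /var when usage is at or above the threshold.
# Reads `df -h` output on stdin; fields are taken from the end of the line
# so the width of the device name does not matter.
var_usage_alert() {
    threshold=${1:-90}
    awk -v t="$threshold" '
        $NF == "/var" { pct = $(NF-1); sub(/%/, "", pct)
                        if (pct + 0 >= t) print $NF, pct "%" }
    '
}

# Constructed sample input, copied from the output shown on this page.
SAMPLE_SERVICES='postgres RUNNING
garner RUNNING
reportdb STOPPED'

SAMPLE_DF='Filesystem Size Used Available Use% Mounted on
/dev/mapper/mountconf 560.3M 73.2M 483.1M 13% /conf
/dev/content 11.8G 464.4M 11.4G 4% /content
/dev/var 70.7G 70.7G 0 100% /var'

printf '%s\n' "$SAMPLE_SERVICES" | stopped_reporting_services
printf '%s\n' "$SAMPLE_DF" | var_usage_alert 90
```

On a live system the same functions can be fed directly, for example service -S | stopped_reporting_services and df -h | var_usage_alert 90; empty output from both means the service and disk checks passed.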



Additional Tools

console> system diagnostics show subsystem-info

SERVICE STATUS
=====================================
...
ReportDB RUNNING
...
=====================================
Current log usage : 451.9M

You can also check the service status for subsystems from the console using the command:
system diagnostics show subsystem-info

This can be useful so that you do not need to switch back and forth between the console and
advanced shell.



Chapter Review

Here are the main things you learned in this chapter.

Garner is the logging application on Sophos Firewall that receives and processes events from the
subsystems. Reporting events are stored into the databases and then processed ready to be
queried.

The three services required for reporting to work are postgres, garner, and reportdb. You can check
for any stopped services in the Control Center, or via the command line with service -S | grep -e
postgres -e garner -e reportdb.

Sophos Firewall reporting data is stored in the /var partition, and disk usage can be checked
with the command df -h.
