
How to capture traffic and create a TCP dump in Sophos UTM 9 firewall using ssh putty client step by step

This can be very useful when troubleshooting traffic going through the Sophos firewall. It can also be used to troubleshoot when firewall rules are not working and you need to confirm that traffic is actually reaching the firewall. This also applies to a Sophos UTM deployed from the AWS Marketplace.

You cannot test the firewall rules if the traffic is not even hitting the firewall, so confirming that traffic reaches the firewall is the first step.

The first thing you will need to do is log in to the web portal using the admin account and password. The portal link should be something like https://x.x.x.x:8080; the port is set during the install.

Once you are logged in, go to Management – System Settings on the left and click the Shell Access tab. Set the passwords and turn shell access on by clicking the button at the top right.

Once the passwords are set, start an SSH session with PuTTY to the internal IP, log in as loginuser with the password you set, and use sudo to get to the privileged (root) level.

Below is a command to capture traffic between source host 10.20.20.20 and destination host 102.16.39.41. If you see the traffic in the capture, this confirms that it is hitting the firewall interfaces and may then be getting dropped by a firewall rule.

AW-Sophos01:/root # tcpdump -veni any host 10.20.20.20 and host 102.16.39.41
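The command above runs until you press Ctrl-C and prints every packet to the terminal (-v verbose, -e link-layer headers, -n no name resolution, -i any all interfaces). As an added example that is not from the original post, the script below wraps the same host-to-host filter so that a capture is bounded (packet count and time limit) and written to a pcap file you can read back with the same verbose flags or copy off for Wireshark. It assumes it runs in the UTM shell after sudo and that tcpdump and the coreutils timeout command are on the PATH; the function names, the default file location under /tmp, and the default limits are all my own choices, not anything the post or Sophos defines.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around the
# host-to-host tcpdump capture shown above. Assumptions: it runs in the
# UTM shell after "sudo", and tcpdump and the coreutils "timeout" command
# are on the PATH (neither is stated in the post).

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;   # empty, bad chars, leading/trailing dot
    esac
    old_ifs="$IFS"
    IFS='.'
    set -- $ip                           # split on dots into $1..$n
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1      # catches "1..2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the BPF filter used in the post ("host A and host B"), which
# matches packets in either direction between the two hosts. Fails on a
# malformed address so that a typo does not silently capture nothing.
host_pair_filter() {
    valid_ipv4 "$1" || return 1
    valid_ipv4 "$2" || return 1
    printf 'host %s and host %s' "$1" "$2"
}

# Capture traffic between two hosts with hard limits: stop after $3 packets
# (default 200) or $4 seconds (default 60), whichever comes first, and save
# the raw packets to $5 (default under /tmp) instead of scrolling the screen.
capture_between() {
    src="$1"
    dst="$2"
    count="${3:-200}"
    seconds="${4:-60}"
    out="${5:-/tmp/capture-$src-$dst.pcap}"
    filter=$(host_pair_filter "$src" "$dst") || {
        echo "usage: capture_between SRC_IP DST_IP [COUNT] [SECONDS] [FILE]" >&2
        return 2
    }
    # -i any: every interface, so we learn whether the packet reached the box at all
    # -n:     no DNS lookups (slow and noisy on a firewall)
    # -s 0:   full packets, so the pcap is complete for later analysis
    # $filter is intentionally unquoted so the shell splits it into words.
    # timeout exits 124 when the time limit is reached; that is the normal
    # outcome when the traffic you are waiting for is sparse or absent.
    timeout "$seconds" tcpdump -ni any -s 0 -c "$count" -w "$out" $filter
    echo "$out"
}

# Only start a capture when called with addresses; sourcing the file just
# defines the functions.
if [ "$#" -ge 2 ]; then
    capture_between "$@"
fi
```

Run it as `sh capture.sh 10.20.20.20 102.16.39.41` and it prints the pcap path when it finishes; `tcpdump -venr /tmp/capture-10.20.20.20-102.16.39.41.pcap` then shows the same verbose, link-layer view as the post's live command, but from a file you can re-read or hand to someone else. An empty capture after the time limit is itself the answer: the traffic never reached the firewall, so the firewall rules are not the place to look.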

This can become very handy when troubleshooting. Let me know if this is not accurate and I can update the article.

HTH