sophos iview administrator guide v02

Sophos XG Firewall v 15.01.0 – Release Notes Sophos iView Administrator Guide v02 For Sophos and Cyberoam Customers Document Date: November 2015

Upload: lydien

Post on 09-Feb-2017


Contents

Introduction
    Basics
    Accessing Sophos iView
    Using Online Help

Dashboards
    Main Dashboard
        Allowed Traffic Overview
        Blocked Traffic Overview
    Traffic Dashboard
        Applications
        Application Categories
        Application Users
        Hosts
        Source Countries
        Destination Countries
        Allowed Policies
        Web Categories
        Web Users
        Web Domains
        File Uploaded via Web
        Files Uploaded via FTP
        Files Downloaded via FTP
        FTP Servers
        Mail Traffic Summary
        Mail Senders
        Mail Recipients
        Allowed Traffic Summary
        Web Traffic Summary
        FTP Traffic Summary
    Security Dashboard
        Blocked Hosts
        Blocked Users
        Blocked Applications
        Blocked Destination Countries
        Blocked Source Countries
        Blocked Rule ID
        Blocked Categories
        Blocked Domains
        Attacks
        Viruses
        Spam Senders
        Spam Recipients
        Blocked Traffic Summary
        Virus Summary
        Spam Summary
        IDP Attacks Summary
        Content Filtering Blocked Summary
    System Dashboard
        CPU Usage
        Memory Usage
        Disk Usage
        Event Frequency

System
    Network
        Interfaces
        WAN Link Manager
        DNS
    Administration
        Device Access
        Users
        Central Management Integration
        Settings
    Configuration
        Device Group Management
        Devices
        Custom View
        Report Scheduling
        Bookmark Management
        Data Management
        Mail Server
        Log Integrity
        Authentication Server
        Time & Date
    Maintenance
        Backup Restore
        Firmware
        Licensing
    Live Logs
    Audit Logs
    Diagnostics
    Archives
        Archived Files
        Searchable Archived Files
        Archive Backup

Introduction

With the advent of new business technologies and evolving Internet threats, organizations are deploying an increasing number of solutions and devices to ensure security and business continuity. This includes firewalls, content filtering systems, unified threat management solutions, routers, servers, applications, operating systems and more, which generate a vast amount of logs.

Sophos iView – Logging and Reporting Solution

Sophos iView is a logging and reporting solution that provides organizations with visibility into their networks across multiple devices for high levels of security and data confidentiality while meeting the requirements of regulatory compliance.

Enabling centralized reporting from multiple devices across geographical locations, Sophos iView offers a single view of the entire network activity. This allows organizations not just to view information across hundreds of users, applications and protocols; it also helps them correlate the information, giving them a comprehensive view of network activity.

Sophos iView aggregates log and report data from all your Sophos Firewall, Cyberoam and Sophos UTM Devices into a consolidated view of all your network activity. Get a clear picture of what is happening on your network at any time from a single pane of glass.

Moreover, organizations receive logs and reports related to intrusions, attacks, spam and blocked attempts, both internal and external, enabling them to take rapid action throughout their network.

Given below are some of the salient features of Reports:

• At-a-glance flow graphs show usage trends and web activity
• The daily summary Executive Report keeps you informed
• Report anonymization can hide user identities, where needed
• Built-in Syslog support and automated log backup options

Basics

This section provides basic instructions on how to view Reports, in addition to information on configuration settings related to Reports.

Given below are common screen components used to generate and view reports:

• Date Selection
• Records per page
• Page Controls
• Reports Navigation
• Search Reports
• Filter Reports
• Export to PDF
• Export to HTML
• Export to MS Excel
• Bookmark
• Schedule (Add Report Notification)
• Info Icon

Date Selection

1. Use icon to select the time interval for which you want to view the reports. By default, the report for the current date is displayed.

2. Click Generate to generate reports for the selected time interval.

Records per chart

Select the number of records (rows) of the report to be displayed per chart from Records per chart. A chart can have a minimum of 5 and a maximum of 200 rows.

Note: If the number of records is more than 10, then the reports will be displayed in the form of in-line charts.

Page Controls

Every report displays the first page of the report along with the total number of pages available for the report.

Use the following controls to navigate through pages:

• : Navigate to the next page
• : Navigate to the previous page
• : Navigate to the first page
• : Navigate to the last page

Reports Navigation

The navigation bar on the leftmost side provides access to various modules like Dashboard, Applications, Network & Threats, etc. Each module consists of Level 2 menu items. However, the System module consists of Level 2 and Level 3 menu items.

Drop-down

Each reports dashboard has two drop-downs, i.e. drop-down 1 and drop-down 2, as shown in the image below:

The drop-down 1 includes fellow sub-menu items, while drop-down 2 includes sub-reports, displayed as widgets on the reports dashboard. For example, in the image above, we've selected User Data Transfer Report as Level 2 sub-menu item. Use the:

• drop-down 1 to view fellow Level 2 sub-menu items falling under the Level 1 menu item, i.e. Applications, as shown in the image below:

• drop-down 2 to view sub-reports, displayed as widgets on the reports dashboard, as shown in the image below:

Search Reports

Click icon to perform a search in a given report based on the following search criteria:

• is
• is not
• contains
• does not contain

For example, let's say you want to perform a search for a user with User Name Joseph in Internet Users report under User Data Transfer Report. Given below are sample results using each search criterion:

• is - Displays details of the user Joseph
• is not - Displays details of all the users other than Joseph
• contains - Displays details of all the users whose User Name or Name contains Joseph
• does not contain - Displays details of all the users whose User Name or Name does not contain Joseph

Filter Reports

A report can be further filtered or drilled down using specific filtering criteria.

For example, clicking the User Name hyperlink from the Internet Users report under User Data Transfer Report will display all the reports specific to the selected user. You can further drill down the filtered reports by adding another filtering criterion, let's say Client Type.

The filter criteria are displayed as:

This means the Internet Users report is filtered to display data only for the user Joseph when logged in through the Web Client. Click icon to remove any of the filter(s).

Export to PDF

Click the PDF hyperlink given at the top right of a report to export the report in PDF format.

Export to MS Excel

Click the EXCEL hyperlink given at the top right of a report to export the report in MS Excel format.

Bookmark

Use this to create a bookmark of a report page at any level of drill-down. Click the Bookmark hyperlink given at the top right of a report to create a bookmark of the report page. The created bookmark(s) are displayed under the Bookmarks menu of the Reports navigation pane.

Schedule

Use this to configure report notification for a report page. Once configured, the Device sends report notification(s) to specified Email Addresses as per the configured frequency.

Info Icon (i)

The Info Icon beside any report title indicates one of the 3 things:

• Reports for devices running on Sophos Firewall OS
• Reports for devices running on CyberoamOS
• Does not report for devices running on Sophos UTM 9.x

Accessing Sophos iView

Logon procedure

After successful installation, Sophos iView needs to be configured to collect the logs in order to generate the reports.

Access the Admin Console, a browser-based interface, to configure and manage Sophos-iView as well as view reports.

The Web Browser should meet the following requirements:

• Microsoft Internet Explorer 8+
• Mozilla Firefox 3.0
• Google Chrome
• Safari 5.1.2(7534.52.7)+
• Opera 15.0.1147.141+

Sophos-iView can be accessed over HTTP protocol. Browse to http://<IP address of the machine on which Sophos iView is installed i.e. local machine> and log on using default username ‘admin’ and password specified at the time of installation.

Log out procedure

To prevent unauthorized users from accessing Sophos iView, log off after you have finished working. This will end the session and exit from Sophos-iView.

Using Online Help

Sophos iView Online Help is a Web-based help which can be viewed from any of the pages of Web Admin console. It is installed automatically with the software. To view context-sensitive (page-specific) help topic:

• Click Help in the top right corner of the screen.
• Press F1.

Dashboards

Sophos-iView displays the Main Dashboard as soon as you log on to the Admin Console. Dashboards provide an overall view of the network traffic, including application, web and mail traffic, as well as what is happening on the network, such as top attacks or top spammers.

iView consists of the following Dashboards:

• Main Dashboard
• Traffic Dashboard
• Security Dashboard
• System Dashboard

Main Dashboard

Main Dashboard provides a summary of allowed and denied traffic for the selected Sophos UTM, Cyberoam and/or Sophos Firewall device(s) integrated with iView.

Main Dashboard provides a quick overview of top allowed and denied traffic of the network including Web, FTP, mail, database and other applications.

It displays a graphical and tabular overview of allowed and denied traffic of the top traffic-generating applications for all the added devices in a Widget form.

A Widget displays the report in graphical as well as tabular format. By default, the report is displayed for the current date. The report date can be changed through the Calendar available on the topmost row of the page.

Allowed Traffic Overview

Blocked Traffic Overview

Allowed Traffic Overview

Allowed Traffic Overview displays the amount of data transferred by the top six traffic-generating applications for the devices.

The dashboard reports are displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays the amount of data transferred by top applications, while the tabular report contains the following information:

• Device: Name of the device as defined in Sophos-iView.
• Applications (e.g. Web, SSL, POP3 etc. as shown in the screen given below): Amount of data transfer through each application.
• Others: Amount of data transfer through other applications.

Click the Device hyperlink to view the Device-specific Traffic Dashboard for a particular Device.

Figure 1: Allowed Traffic Dashboard

Blocked Traffic Overview

The Blocked Traffic Overview widget displays denied connections for the top five applications for each device.

The dashboard reports are displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays the amount of traffic denied by IPS attacks, spam, virus, firewall and content filtering, while the tabular report contains the following information:

• Device: Name of the device as defined in Sophos-iView.
• Content Filtering Denied: Number of blocked Web access attempts.
• Firewall Denied: Number of blocked firewall rule attempts.
• IDP Attack: Number of Intrusion attack attempts.
• Spam: Number of blocked spam attempts.
• Virus: Number of blocked virus attempts.

Click the Device hyperlink to view the Security Dashboard for a particular Device.

Figure 2: Blocked Traffic Overview

Traffic Dashboard

The Traffic Dashboard is a collection of widgets displaying a comprehensive summary of the network traffic in terms of applications, web categories, users, hosts, source and destination countries, mail traffic and FTP activities.

The Traffic Dashboard consists of the following reports in the form of widgets:

• Applications
• Applications Categories
• Application Users
• Hosts
• Source Countries
• Destination Countries
• Allowed Policies
• Web Categories
• Web Users
• Web Domains
• Files Uploaded via Web
• Files Uploaded via FTP
• Files Downloaded via FTP
• FTP Servers
• Mail Traffic Summary
• Top Mail Senders
• Top Mail Recipients
• Allowed Traffic Summary
• Web Traffic Summary
• FTP Traffic Summary

Applications

This Report displays the list of applications along with the application-wise distribution of total data transfer and the relative percentage distribution amongst those applications.

View the report by selecting Applications from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per application, while the tabular report contains the following information:

• Application/Proto:Port: Name of the application. If the application is not defined in the Device, then this field displays the application identifier as a combination of protocol and port number.
• Category: Name of application category as defined in the Device.
• Risk: Risk level associated with the application. This is a numeric value. Higher value represents higher risk.
• Bytes: The amount of data transferred per application.
• Percent: The amount of data transfer per application, in percentage.

Click the Application hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 3: Applications

Application Categories

This Report displays the list of top application categories along with the category-wise distribution of the total data transfer and the relative percentage distribution among those categories.

View the report by selecting Applications Categories from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per application category, while the tabular report contains the following information:

• Category: Name of the Application category as defined in the Device.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the Category hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 4: Application Categories

Application Users

This Report displays the list of top users along with the amount of traffic generated for various applications, hosts, destinations, domains and categories.

View the report by selecting Application Users from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per user, while the tabular report contains the following information:

• User: Username of the user as defined in the Device. If the User is not defined, then it will display ‘N/A’, which means the traffic is generated by an undefined user.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the User hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 5: Application Users

Hosts

This Report displays the list of top hosts along with the host-wise distribution of total data transfer and the relative percentage distribution amongst those hosts.

View the report by selecting Hosts from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per host, while the tabular report contains the following information:

• Host: IP Address of the host.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the Host hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 6: Hosts

Source Countries

This Report displays the list of source countries from where the Internet traffic originates, along with the country-wise distribution of total data transfer and the relative percentage distribution amongst those countries.

View the report by selecting Source Countries from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per source country, while the tabular report contains the following information:

• Country: Name of the country. Note that country association is not applicable to local hosts and N/A is displayed in such cases.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the Source Country hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 7: Source Countries

Destination Countries

This Report displays the list of destination countries where the web traffic is directed, along with the country-wise distribution of the total data transfer and the relative percentage distribution amongst those countries.

View the report by selecting Destination Countries from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of data transfer per destination country, while the tabular report contains the following information:

• Country: Name of the country. Note that country association is not applicable to local hosts and <> is displayed in such cases.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the Destination Country hyperlink in the table or the pie chart to view the Filtered Reports.

Page 19: Sophos iView Administrator Guide v02

| Dashboards | 19

Figure 8: Destination Countries

Allowed PoliciesThis Report displays the list of rules along with rule wise distribution of the total data transfer and relative percentagedistribution amongst those rules.

View the report by selecting Allowed Policies from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for thecurrent date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per Firewall Rule ID, while the tabular report containsfollowing information:

• Rule ID: Firewall Rule ID.• Bytes: Amount of data transferred.• Percent: Amount of data transfer in percentage.

Click the Rule ID hyperlink in the table or the pie chart to view the Filtered Reports

Figure 9: Allowed Policies

Web Categories

This Report displays the list of top web categories along with category wise distribution of total data transfer and relative percentage distribution amongst those categories.

View the report by selecting Web Categories from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per web category, while tabular report contains following information:

• Category: Name of the Web category, as defined in the Device.
• Hits: Number of Hits to the Web category.
• Percent: Amount of data transfer in percentage.

Click the Category hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 10: Web Categories

Web Users

This Report displays the list of Web users along with user wise distribution of total data transfer and relative percentage distribution amongst those Web users.

View the report by selecting Web Users from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per user, while the tabular report contains following information:

• User: Username of the user as defined in the Device. If the User is not defined then it will display ‘N/A’ which means the traffic is generated by an undefined user.
• Bytes: Amount of data transferred.
• Percent: Amount of data transfer in percentage.

Click the User hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 11: Web Users

Web Domains

This Report displays the list of domains along with domain wise distribution of the total data transfer and the relative percent distribution amongst those domains.

View the report by selecting Web Domains from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per domain, while the tabular report contains following information:

• Domain: Displays the name of the domain.
• Bytes: Amount of data transfer.
• Percent: Displays the amount of data transfer in percentage.

Click the Domain hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 12: Web Domains

File Uploaded via Web

This Report displays the list of files uploaded via web along with date, user, domain name, size and source from which each was uploaded.

View the report by selecting File Uploaded via Web from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Tabular report contains the following information:

• Date: Date of file upload.
• Users: Name of the user.
• Source IP: IP Address of the source.
• Domain name: Name of the domain where file has been uploaded.
• File name: Name of the file.
• Size: Size of the file.

Figure 13: File Uploaded via Web

Files Uploaded via FTP

This Report displays the list of the files uploaded via FTP with file wise distribution of the total data transfer and the relative percentage distribution amongst those files.

View the report by selecting File Uploaded via FTP from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per uploaded file, while the tabular report contains the following information:

• File: Name of the top file uploaded via FTP.
• Bytes: Size of the top uploaded files.
• Percent: Relative percent distribution among the top files uploaded via FTP.

Click the File hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 14: Files Uploaded via FTP

Files Downloaded via FTP

This Report displays list of the files downloaded via FTP along with file wise distribution of the total data transfer and relative percent distribution among those files.

View the report by selecting File Downloaded via FTP from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per downloaded file, while the tabular report contains the following information:

• File: Name of the top file downloaded via FTP.
• Bytes: Size of the top downloaded files.
• Percent: Relative percent distribution among the top files downloaded via FTP.

Click the File hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 15: Files Downloaded via FTP

FTP Servers

This Report displays a list of FTP servers along with data transfer per server and relative percent distribution among the FTP servers.

View the report by selecting FTP Servers from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays percentage distribution of data transfer per server, while the tabular report contains following information:

• Server: Name of the FTP server.
• Bytes: Total data transfer via FTP server.
• Percent: Relative percent distribution among the FTP servers.

Click the Server hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 16: FTP Servers

Mail Traffic Summary

This Report displays type of Email traffic along with number of bytes and percentage distribution amongst the traffic type.

View the report by selecting Mail Traffic Summary from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays relative percentage distribution of traffic types, while the tabular report contains the following information:

• Traffic: The type of Email traffic. Possible types are:
  • Clean Mail
  • Spam
  • Probable Spam
  • Virus
• Hits: The number of hits per Email traffic type.
• Percent: Relative percentage distribution among the traffic types.

Click the Traffic hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 17: Mail Traffic Summary

Mail Senders

This Report displays the list of top Email senders along with the number of hits that generated the most traffic for various users, destinations, hosts and applications.

View the report by selecting Mail Senders from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The Bar graph displays the relative percentage distribution of data transferred by each sender while the tabular report contains following information:

• Sender: Email ID of the sender.
• Hits: Number of Hits to the sender.
• Bytes: Amount of data transferred.

Click the Sender hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 18: Mail Senders

Mail Recipients

This Report displays list of top Email recipients along with the number of hits that generated the most traffic for various users, destinations, hosts and applications.

View the report by selecting Mail Recipients from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The Bar graph displays the relative percentage distribution of data transferred by each recipient while the tabular report contains following information:

• Recipient: Email ID of the recipient.
• Hits: Number of Hits to the recipient.
• Bytes: Amount of data transferred.

Click the Recipient hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 19: Mail Recipients

Allowed Traffic Summary

Report displays list of top Web protocols along with number of bytes and percentage of the traffic.

View report from Traffic Dashboard.

Report is displayed as graph as well as in tabular format.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays amount of data transferred and percentage wise distribution of data transfer per Web Traffic protocol while tabular report contains following information:

• Allowed Traffic: Allowed traffic protocol.
• Bytes: Amount of data transferred.
• Percent: Relative percent distribution among allowed protocols.

Figure 20: Allowed Traffic Summary

Web Traffic Summary

Report displays list of top web traffic along with number of bytes and percentage of the traffic.

View report from Traffic Dashboard.

The report is displayed using a pie chart as well as in a tabular format. The pie chart displays amount of data per Web Traffic type.

By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays amount of data transferred and percentage wise distribution of data transfer per Web Traffic type while tabular report contains following information:

• Traffic: Type of Web Traffic. Possible Types: CF Allowed, CF Denied, Virus.
• Bytes: Amount of data transferred.
• Percent: Relative percent distribution among the top web traffic types.

Figure 21: Web Traffic Summary

FTP Traffic Summary

Report displays list of top FTP traffic along with number of bytes and percentage of the traffic.

View report from Traffic Dashboard.

Report is displayed as pie chart. The chart displays amount of data per FTP traffic type.

By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Chart displays amount of data transferred and percentage wise distribution of data transfer per FTP traffic type while tabular report contains following information:

• Traffic: Type of FTP traffic. Possible Types: Clean FTP, Virus.
• Bytes: Amount of data transferred.
• Percent: Relative percent distribution among the top FTP traffic types.

Figure 22: FTP Traffic Summary

Security Dashboard

The Security dashboard is a collection of widgets displaying information regarding the denied network activities and traffic. It also gives an overview of malware, spam as well as top source and destination countries.

View the dashboard from Reports > Dashboard > Security Dashboard.

The Security Dashboard consists of following reports in widget form:

• High Risk Applications
• High Risk Application Users
• Blocked Applications
• Blocked Application Users
• Objectionable Web Categories
• Objectionable Web Domains
• Blocked Web Categories
• Blocked Web Domains
• Objectionable Web Users
• Blocked Web Users
• Hosts - ATP
• Users - ATP
• Advanced Threats
• Client Insights - ATP
• Intrusion Attacks
• Attackers
• Virus Summary
• Spam Senders
• Spam Recipients
• Detailed View - Client Health
• Blocked Network Access
• Attacked Web Servers
• Web Server Attacks

Blocked Hosts

Report displays a list of top hosts which made the maximum attempts to access the blocked sites.

View report from Security Dashboard.

Report is displayed using a pie chart as well as in tabular format.

By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays number of hits and percentage wise distribution of hits per denied host while tabular report contains following information:

• Host: IP address of the hosts.
• Hits: Number of attempts to access the blocked site.
• Percent: Relative percent distribution among the denied hosts.

Click Host hyperlink in the table or the pie chart to view the Filtered Reports.

Figure 23: Top Blocked Hosts

Blocked Users

This Report displays a list of users who made the maximum attempts to access blocked applications.

View the report by selecting Blocked Users from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays relative percentage distribution of number of hits amongst the denied users, while the tabular report contains following information:

• User: Name of the denied user as defined in the Device.
• Hits: Number of attempts by a particular user to access blocked application(s).
• Percent: Relative percentage distribution amongst the denied users.

Click the User hyperlink in the table or the pie chart to view Filtered Reports.

Figure 24: Blocked Users

Blocked Applications

This Report displays a list of blocked applications which have the maximum number of access attempts.

View the report by selecting Blocked Applications from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays the percentage distribution of number of hits amongst the denied applications while the tabular report contains the following information:

• Application/Protocol: Displays the name of the application as defined in the Device. If application is not defined, then this field will display the application identifier as a combination of protocol and port number.
• Category: Name of the application category as defined in the Device.
• Risk: Risk level associated with the application. The risk level is a numeric value. A higher value represents higher risk.
• Hits: Number of attempts to access the application.
• Percent: Relative percentage distribution amongst denied applications.

Click the Application hyperlink in table or pie chart to view Filtered Reports.

Figure 25: Blocked Applications

Blocked Destination Countries

This Report displays a list of countries to where the maximum volume of Internet traffic is denied along with number of hits per country.

View the report by selecting Blocked Destination Countries from Security Dashboard.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Bar graph displays list of denied destination Countries along with number of hits while tabular report contains following information:

• Country: Name of the country. Note that country association is not applicable to local hosts and N/A is displayed in such cases.
• Hits: Number of hits per host.

To view the granular reports for a particular Destination Country, filter by clicking the Destination Country hyperlink in the table. Refer to Filtered Blocked User Apps section for details on each filtered widget.

Figure 26: Blocked Destination Countries

Blocked Source Countries

This Report displays a list of countries from where the maximum volume of Internet traffic is denied along with number of hits per country.

View the report by selecting Blocked Source Countries from Security Dashboard.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Bar graph displays list of denied source Countries along with number of hits while tabular report contains following information:

• Country: Name of the Country. Note that country association is not applicable to local hosts and N/A is displayed in such cases.
• Hits: Number of hits per host.

To view the granular reports for a particular Source Country, filter by clicking the Source Country hyperlink in the table. Refer to Filtered Blocked User Apps section for details on each filtered widget.

Figure 27: Blocked Source Countries

Blocked Rule ID

This Report displays a list of firewall rule ID along with number of hits per firewall rule.

View the report by selecting Blocked Rule ID from Security Dashboard.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Bar graph displays list of firewall rule IDs along with number of hits while tabular report contains following information:

• Rule ID: Number displaying firewall rule ID.
• Hits: Number of hits per firewall rule.
• Percent: Percentage of traffic for each rule.

To view the granular reports for a particular Policy Rule, filter by clicking the Policy Rule hyperlink in the table. Refer to Filtered Blocked User Apps section for details on each filtered widget.

Figure 28: Blocked Rule ID

Blocked Categories

This Report displays a list of blocked web categories that various users tried to access and the number of access attempts to each category.

View the report by selecting Blocked Categories from drop-down 2 at the top left corner of the screen.

Note: You can view this report from Security Dashboard as well.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays list of categories along with number of hits per category while the tabular report contains the following information:

• Category: Name of the category.
• Hits: Number of hits per category.

Click the Category hyperlink in table or pie chart to view Filtered Reports.

Figure 29: Blocked Web Categories

Blocked Domains

This Report displays the list of blocked web domains that various users tried to access and the number of access attempts to each domain.

View the report by selecting Blocked Domains from drop-down 2 at the top left corner of the screen.

Note: You can view this report from Security Dashboard as well.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays the list of domains along with number of hits per domain while tabular report contains the following information:

• Domain: Name of the domain.
• Hits: Number of Hits.

Click the Domain hyperlink in table or pie chart to view Filtered Reports.

Figure 30: Blocked Web Domains

Attacks

The Report lets you view the details of the attacks that have hit the system and gives a detailed breakdown of attackers, victims and applications through individual reports.

View the report by selecting Intrusion Attacks from drop-down 2 at the top left corner of the screen.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays the number of hits under each attack, while the tabular report contains the following information:

• Attack: Name of the attack launched.
• Hits: Number of hits for each attack.
• Percent: Percent of each attack as compared to all attacks.

To view granular reports for a particular attack, filter by clicking the Attack hyperlink in the table. Refer to Filtered Intrusion Attacks Reports section for details on each filtered widget.

Figure 31: Attacks

Viruses

This Report lists viruses blocked by the Device as well as number of occurrences per blocked virus.

View the report by selecting Virus from drop-down 2 at the top left corner of the screen.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The bar graph displays blocked web viruses along with number of counts per virus while the tabular report contains the following information:

• Virus: Name of the blocked web virus.
• Count: Number of times a virus was blocked.
• Percent: Percent of each virus as compared to total viruses found.

To view granular reports for a particular Virus, filter by clicking the Virus Name hyperlink in the table. Refer to Filtered Blocked Web Attempts Report - Virus section for details on each filtered widget.

Figure 32: Viruses

Spam Senders

This Report displays a list of Spam Senders along with number of hits and percent distribution among the spam senders.

View the report by selecting Spam Senders from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The Pie chart displays a percentage-wise distribution of spam per sender while the tabular report contains the following information:

• Sender: Email ID of the sender.
• Hits: Number of hits to the sender.
• Percent: Relative percent distribution among the spam senders.

Click the Sender hyperlink in the table or the chart to view the Filtered Reports.

Figure 33: Spam Senders

Spam Recipients

This Report displays a list of Spam Recipients along with number of hits and percent distribution among the spam recipients.

View the report by selecting Spam Recipients from drop-down 2 at the top left corner of the screen.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The Pie chart displays a percentage-wise distribution of spam per recipient while the tabular report contains the following information:

• Recipient: Email ID of the recipient.
• Hits: Number of hits to the recipient.
• Percent: Relative percent distribution among the spam recipients.

Click the Recipient hyperlink in the table or the chart to view the Filtered Reports.

Figure 34: Spam Recipients

Blocked Traffic Summary

Report displays list of denied traffic types along with number of hits and relative percentage distribution.

View report from Security Dashboard.

Report is displayed using a pie chart as well as in tabular format.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays number of hits and percentage wise distribution of hits per denied traffic type while tabular report contains following information:

• Traffic: Blocked traffic type.
• Hits: Number of hits per blocked traffic type.
• Percent: Relative percent distribution among the blocked traffic type.

Figure 35: Blocked Traffic Summary

Virus Summary

This Report provides an overview of Virus traffic in your network, in terms of protocols through which viruses were introduced in the network as well as number of counts per protocol.

View the report by selecting Virus Summary from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

The pie chart displays number of counts per protocol through which viruses were introduced in the network, while the tabular report contains following information:

• Application/Proto:Port: Name of the protocol through which viruses were introduced in the network.
• Count: Number of counts per protocol.

Figure 36: Virus Summary

Spam Summary

Report displays list of spam protocols along with number of hits and relative percentage distribution.

View report from Security Dashboard. Report is displayed using a pie chart as well as in tabular format.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays number of hits and percentage wise distribution of hits per spam protocol while tabular report contains following information:

• Application: Name of the protocol.
• Hits: Number of hits per protocol.
• Percent: Relative percent distribution among the application protocol.

Figure 37: Spam Summary

IDP Attacks Summary

Report displays list of IDP attacks along with number of hits and relative percentage distribution.

View report from Security Dashboard. Report is displayed using a pie chart as well as in tabular format.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays number of hits and percentage wise distribution of hits per IDP attack type while tabular report contains following information:

• Attack Type: Displays type of attacks.
• Hits: Number of hits per attack type.
• Percent: Relative percent distribution among the attack types.

Figure 38: IDP Attacks Summary

Content Filtering Blocked Summary

Report displays list of applications denied by Content Filtering along with number of hits and relative percentage distribution.

View report from Security Dashboard. Report is displayed using a pie chart as well as in tabular format.

The report is displayed using a graph as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Pie chart displays number of hits and percentage wise distribution of hits per protocol denied by Content Filtering module while tabular report contains following information:

• Application: Protocol denied by Content Filtering module.
• Hits: Number of hits per denied protocol.
• Percent: Relative percent distribution among the denied protocols.

Figure 39: Content Filtering Blocked Summary

System Dashboard

Sophos - iView dashboard gives overview of main components of Sophos - iView. This page displays following information:

• CPU Usage
• Memory Usage
• Disk Usage
• Event Frequency

CPU Usage

View the report by selecting CPU Usage from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Tabular report contains following information:

• CPU: State of CPU as Idle or Used.
• Percent: Percentage wise distribution of CPU state.

To view CPU Usage Details drill down by clicking the CPU hyperlink in the table.

Figure 40: CPU Usage

Detailed CPU Usage Report

Report displays trend of CPU usage. View report from Dashboard > System Dashboard > CPU Usage Widget > CPU.

Tabular report contains following information:

• Time: Time in (YYYY-MM-DD HH:MM:SS) format.
• Usage: CPU usage corresponding to time.

Figure 41: Detailed CPU Usage Report

Memory Usage

View the report by selecting Memory Usage from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Tabular report contains following information:

• Memory: Status of Sophos-iView memory as used and free.
• Usage: Usage of memory.

To view Memory Usage Details drill down by clicking the memory hyperlink in the table.

Figure 42: Memory Usage

Detailed Memory Usage Report

Report displays trend of memory usage. View report from Dashboard > System Dashboard > Memory Usage widget > Memory.

Tabular report contains following information:

• Time: Time in (YYYY-MM-DD HH:MM:SS) format.
• Usage: Memory usage corresponding to time.

Figure 43: Detailed Memory Usage Report

Disk Usage

View the report by selecting Disk Usage from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Tabular report contains following information:

• Disk: Name and status of disk used to store database and archive logs.
• Usage: Disk usage.

To view Disk Usage Details drill down by clicking the Disk hyperlink in the table.

Figure 44: Disk Usage

Detailed Disk Usage Report

Report displays trend of disk usage in the form of database and archive usage. View report from Dashboard > System Dashboard > Disk Usage > Disk.

Tabular report contains following information:

• Time: Time in (YYYY-MM-DD HH:MM:SS) format.
• Usage: Disk usage corresponding to time.

Figure 45: Detailed Disk Usage Report

Event Frequency

View the report by selecting Event Frequency from drop-down 2 at the top left corner of the screen.

The report is displayed using a pie chart as well as in a tabular format. By default, the report is displayed for the current date. The report date can be changed from the Date Selection Panel.

Tabular report contains following information:

• Time: Displays average time slot.

• Events per minute: Displays events per minute for the time slot.

To view Device wise Event Frequency drill down by clicking the Time hyperlink in the table.

Figure 46: Event Frequency

Detailed Event Frequency Report

Report displays device wise event frequency. View report from Dashboard > iView Dashboard > Event Frequency widget > Time.

Graph displays number of events based on time slots while tabular report contains following information:

• Time: Time in (YYYY-MM-DD HH:MM:SS) format.
• Device: Device ID.
• Events: Number of events per device.

Figure 47: Detailed Event Frequency Report

System

System allows configuration for the following:

Available configurations:

• Network - Network menu establishes how your Sophos-iView device connects, interacts with your network, and allows configuring network specific settings.

• Administration - Administration provides options to configure general settings and administrative settings for the device.

• Configuration - Configuration allows you to add network devices to Sophos-iView, configure Sophos-iView for generating reports for added devices and customize Sophos-iView as per requirement.

• Maintenance - Maintenance facilitates handling firmware versions, licensing services, updates and Backup & Restore.

• Live Logs - Live Logs allows viewing of the most recent log received from the selected device without loading the archive log file.

• Audit Logs - Audit logs are required to ensure accountability, security and problem detection of a system.

• Diagnostics - Diagnostics allows viewing of statistics to diagnose the connectivity problem, network problem and test network communication.

• Archives - Archives provides historical archived logs to provide historical view of network activities.

Network

Use Network pages to configure Sophos iView Device to operate in your network.

This section covers the following topics:

• Interface - Configure and manage the ports/interfaces of the device.
• DNS - Manage DNS servers to be used by the Device.
• WAN Link Manager - Manage device's WAN Link.

Interfaces

The Interfaces page contains a list of all the interfaces of the device and displays each of their configuration.

System > Network > Interface

The device is shipped with a number of physical interfaces/ports. The Interface page displays a list of physical interfaces and aliases.

Using this page, the physical interfaces can be configured. This page also allows you to configure Alias for each interface.

• Alias – Alias allows binding multiple IP addresses to a single physical interface.

Note:

• Updating interface details may affect dependent configurations including DNS and gateway.

Add Alias

Alias allows binding multiple IP addresses onto a single interface. This page describes how to add/edit an Alias.

1. Navigate to System > Network > Interfaces, click Add Alias.
2. Enter interface details.

Physical Interface
Select the interface for which an Alias should be bound.

IP Family
Select the IP family for the Alias.
Available Options:
IPv4 (Only for physical interfaces with IPv4 configuration)
IPv6 (Only for physical interfaces with IPv6 configuration)

IPv4/Netmask (Available only for IPv4)
Specify the IPv4 address and select the network subnet mask.

IPv6/Prefix (Available only for IPv6)
Specify the IPv6 address and the prefix.
Default - 64

Figure 48: Alias

3. Click Save.

Edit Interface

This page allows you to change IP address and subnet mask of the Interface and gateway (if defined).

1. Navigate to System > Network > Interface and click on the required Interface.
2. Enter general settings details.

Physical Interface
Physical Interface, for example, Port A, Port B. It cannot be modified.

IPv4/Netmask
Specify IP Address and Netmask for the IPv4 Interface.

IPv6/Prefix
Specify IP Address and Prefix for the IPv6 Interface.

Gateway Name
Specify name of the gateway (It is available only when the gateway is defined on the interface).

IP Address
Specify IP Address of the gateway.

IPv6 Address (Available if IPv6 Configuration is enabled)
Specify IPv6 Address of the gateway.

Figure 49: General Settings

3. Enter advanced setting details.

Interface Speed
Select Interface speed for synchronization.
Speed mismatch between Firewall Manager and 3rd party routers and switches can result in errors or collisions on interface, no connection, traffic latency or slow performance.
Available Options:
Auto Negotiate
10 Mbps - Full duplex
10 Mbps - Half duplex
100 Mbps - Full duplex
100 Mbps - Half duplex
1000 Mbps - Full duplex
1000 Mbps - Half duplex
Default - Auto Negotiate

MTU
Specify MTU value (Maximum Transmission Unit).
MTU is the largest physical packet size, in bytes, that a network can transmit. This parameter becomes an issue when networks are interconnected and the networks have different MTU sizes. Any packets larger than the MTU value are divided (fragmented) into smaller packets before being sent.
Default - 1500
Input range - 576 to 1500

Figure 50: Advanced Settings

4. Click Save to save the settings.

WAN Link Manager

WAN Link routes traffic between the networks. By default, Firewall Manager supports only one WAN Link. You must have configured the IP address for a default WAN Link at the time of deployment. You can change this configuration any time if required.

To configure WAN Link, go to System > Network > WAN Link Manager

Edit WAN Link

This page allows you to edit the WAN Link.

1. Navigate to System > Network > WAN Link Manager.
2. Select the Gateway which you want to update.
3. Modify the gateway details.

Name
Gateway Name

IPv4 Address
Specify IP Address

IPv6 Address
Specify IPv6 Address

Interface
Specify Ethernet Port number that is to act as a Gateway.

Figure 51: WAN Link

4. Click Save to save the settings.

DNS

The Domain Name System (DNS) is a system that provides a method for identifying hosts on the Internet using alphanumeric names called fully qualified domain names (FQDNs) instead of using difficult to remember numeric IP addresses. In other words, it translates domain names to IP addresses and vice versa.

DNS server is configured at the time of deployment. You can add additional IP addresses of the DNS servers to which device can connect for name resolution. When multiple DNS are configured, they are queried in the order as they are entered.

To configure DNS, go to System > Network > DNS.

DNS List IPv4
Specify the DNS IP Address based on priority in DNS 1, DNS 2 and/or DNS 3.

Click Apply after adding new IP address to the DNS list.

Figure 52: DNS

Administration

Administration provides options to configure general settings of the device.

Available configurations:

• Appliance Access: Appliance access allows limiting the administrative access of the device services.

• User Management: User Management allows to configure and maintain administrators, set user's administrative access, password maintenance.

• Central Management Integration: Central Management allows managing and monitoring the device through Central Management if deployed in your organization.

Device Access

Device access allows limiting the Administrative access of the following device services from various Interfaces/Ports: HTTP, HTTPS, Telnet, SSH, ICMP, Syslog, SyslogS

Default Access Control Configuration

When device is connected and powered up for the first time, it will have a default Access configuration.

HTTP (TCP port 80), HTTPS (TCP port 443), Telnet (TCP port 23), SSH (TCP port 22), ICMP, Syslog and SyslogS services will be enabled for Port A and Port B.

Updating Default Access Control Configuration

Use access control to limit the access to the device for administrative purposes from the specific authenticated/trusted networks only. Enable/disable access to the device using following service from the specified zone: HTTP, HTTPS, Telnet, SSH, ICMP, Syslog and SyslogS.

Figure 53: Device Access

Users

Use the System > Administration > Users page to configure and maintain administrators, set user's administrative access, password maintenance.

Screen components:

• Username: Login name preferred by the user.
• Name: Name of the user.
• Role: Role defines administrative access privilege.
• Email: Email address of the user.
• Created By: Username of the Administrator who added this user.
• Last Login Time: Last time when the user had logged in.
• Add button: Click to add a new user.
• Delete button: Click to delete a user.

Sophos-iView supports three (3) types of user roles:

• Super Admin – Default account. No additional account can be created.
• Admin - Only administrator with the Super Admin role can add Admin roles.
• Viewer - Administrator with Super Admin and Admin roles can add Viewer roles.

The table below lists the privileges associated with each user type.

                              Super Admin                 Admin                       Viewer
                              (For all the devices)       (Only for assigned devices) (Only for assigned device)
                              Add  Update  Delete  View   Add  Update  Delete  View   Add  Update  Delete  View
Mail Server Configuration     Y    Y       Y       Y      N    N       N       N      N    N       N       N
User Management               Y    Y       Y       Y      Y    Y       Y       Y      N    N       N       N
Device Management             Y    Y       Y       Y      N    N       N       N      N    N       N       N
Device Group Management       Y    Y       Y       Y      N    N       N       N      N    N       N       N
Custom View                   Y    Y       Y       Y      Y    Y       Y       Y      N    N       N       N
Report Notification Settings  Y    Y       Y       Y      Y    Y       Y       Y      N    N       N       N
Data Management               Y    Y       Y       Y      N    N       N       N      N    N       N       N
Bookmark Management           Y    Y       Y       Y      Y    Y       Y       Y      Y    Y       N       Y
Authentication Server         Y    Y       Y       Y      -    N       -       N      -    N       -       N
Chart Preferences             Y    Y       Y       Y      -    N       -       N      -    N       -       N
Audit Logs                    -    -       -       Y      -    -       -       Y      -    -       -       N

                                                              Super Admin            Admin                        Viewer
                                                              (For all the devices)  (Only for assigned devices)  (Only for assigned device)
Load and Search Archive                                       Y                      Y                            N
View Live Logs                                                Y                      Y                            N
View and Search Reports                                       Y                      Y                            Y
Dashboards (Main, Device, User, Host, Email Address, iView)   Y                      Y                            Y

Add/Edit User

1. Go to System > Administration > Users and click Add.
2. Specify name of the user.
3. Specify username, which uniquely identifies the user and will be used for login. Username can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
4. Specify authentication type. Possible authentication types: Local and External.
5. Specify password. Password is case sensitive.
6. Specify a valid Email ID. The Email ID can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
7. Select user role from the drop down. Roles define administrative access privilege. Refer to Privilege Matrix for details.
8. Select the device or device group, which the user can manage. Click checkbox against the device/device group(s) OR click Select All to select all device/device group(s).
9. Click Save to add the user. Depending on the role, user will be able to configure and view the information of the selected devices only.

Figure 54: User

Delete User

1. Go to System > Administration > Users.
2. Click checkbox against the user(s) to be deleted OR click the checkbox against Username column name to delete all the users.
3. Click Delete.

Central Management Integration

This page allows the administrator to configure necessary parameters required to integrate iView with third party solutions like Sophos Firewall Manager (SFM).

1. Go to System > Administration > Central Management Integration.
2. Specify name of the third party solution to be integrated.
3. Enter the Third Party Solution URL. Example: https://{ip address of the third-party solution}/{controller path}
4. Specify the HTTP method to be used to communicate with the solution.

Available Options:
Post
Get

5. Enter Response Parameters provided by your Third Party Solution Provider. Example: https://{ip address of the third-party solution}/{controller path}

Name        Value
username    {uname}
uniqueid    {uid}

Note: Parameter value of username and uniqueid must be enclosed within curly braces.

6. Click Save to save the configuration.

Figure 55: Central Management Integration

Settings

This page allows you to make modifications to general port settings. Using Port Configuration you can customize the ports using which you can access Sophos-iView device.

Web Admin Settings

HTTP Port
Provide the port number to configure HTTP Port for Admin Console access.

Default - 80

HTTPS Port
Provide the port number to configure HTTPS Port for Admin Console access.

Default - 443

Syslog port
Provide the port number to configure Syslog port using which devices can access the Sophos iView.

Default - 514

Figure 56: Web Admin Settings

Sophos Adaptive Learning

The product sends information periodically to Sophos which is used for the purpose of improving stability and prioritizing feature refinements. It includes configuration and usage information.

Configuration and usage data such as Device information (e.g. model, version), Firmware and License information, Features in use [status, on / off, count] (e.g. schedule reports, custom views, bookmarks), amount of configured items (e.g. count of devices added per device type, count of groups), Product errors, CPU, memory and disk usage (in percentage), is collected by default.

No user-specific information is collected. The information is transmitted to Sophos over HTTPS.

Figure 57: Sophos Adaptive Learning

Configuration

This section describes how to add network devices to Sophos-iView, configure Sophos-iView for generating reports for added devices and customize Sophos-iView as per requirement.

This section covers the following topics:

• Device Group Management: Create and manage groups of devices to generate reports.
• Device Management: Add and manage network devices.
• Application Categories: Create and update applications, application categories and technologies of classification in application reports.
• Custom View: Create and manage customized view of reports.
• Report Notification: Send reports in PDF format to configured Email address.
• Bookmark Management: Create and manage report and report group bookmarks.
• Data Management: Manage disk and data required to generate reports.
• Mail Server: Configure Email server to send report notifications.
• Log Integrity: Enable verification of MD5 checksum of Web Usage and DHCP related reports.
• Port Configuration: Customize access to Sophos-iView Device over HTTP, HTTPS and Syslog ports.
• Authentication Server: Configure external authentication servers.
• Time & Date: Set date and time, or sync with NTP server.

Device Group Management

Device group is logical grouping of devices available in the product category. It is mainly based on device location, device model or device administrator. For example, all the UTM devices deployed at the same geographical location can be grouped to get network visibility of that area. Similarly, all the devices sending logs of Inventory department of the Organization can be grouped to generate consolidated report.

Use System > Configuration > Device Group Management page to add and manage device groups in Sophos-iView.

Add/Edit Device Group

1. Go to System > Configuration > Device Group.
2. Click Add to create a new Device Group.
3. Specify name of device group. Device group name can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
4. Specify device group description, if required.
5. Click drop-down to select the product category.
6. Click checkbox against device(s) to be added OR click Select All to add all devices.
7. Click Save to add devices in the device group.

Figure 58: Device Group

Devices

Sophos-iView provides consolidated reports for multiple devices. It helps the Admin to view consolidated reports and dashboards for devices at one shot. This section describes how to add and configure devices that communicate with Sophos-iView.

Use System > Configuration > Devices page to add and configure devices to communicate with Sophos-iView. Use this page to:

• Add/Update Device
• Activate/De-activate Device

Add/Update Device

There are two ways to add device to the Sophos-iView:

• Device Auto-Discovery
• Manual Device Addition

Device Auto-Discovery

Sophos-iView uses UDP protocol to discover the network device automatically. In order to send logs to Sophos-iView, network device has to configure Sophos-iView as a Syslog server. On successful login, Super Admin is prompted with a pop-up "New Device Found" if a new device is discovered; else the Main Dashboard is displayed. This prompt will be displayed every time Super Admin logs in, until an action is taken on the newly discovered device.

Super Admin can:

1. ignore this prompt by clicking Cancel.
2. accept and activate the device by providing Device Name and Device Type. Sophos-iView will accept the logs only after device is activated.
3. accept and keep device in deactivated state. Sophos-iView will not accept the logs if device is in inactive state.

Figure 59: Add Device Pop-up

Manual Device Addition

1. Go to System > Configuration > Devices and click Add.
2. Specify device ID and device name. Device ID and device name can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
3. Specify IP address of the device.
4. Select device type from the drop down.
5. Specify device description, if required.
6. Select status of the device from drop down, default status of a device is ‘Inactive’. To receive logs from the device one needs to activate the device in Sophos-iView.

Figure 60: Add Device

Activate/Deactivate Device

Activate Device

1. Go to System > Configuration > Device and click Active/Inactive against device name.
2. You can also activate or deactivate the device by clicking on the required device for updating.

Custom View

Custom view of reports allows grouping of the most pertinent reports that require special attention for managing the device. Reports from different report groups can also be grouped in a single view. In a view, maximum 8 reports can be grouped.

Custom view provides a single page view of all the grouped reports.

Use Settings > Configuration > Custom View to create and manage custom views.

Custom View Name
Name of custom view.

Custom View Description
Description of the view.

Add Button
Click to add a new custom view.

Delete Button
Click to delete a custom view.

Use this page to:

• Add Custom View
• Edit Custom View
• Delete Custom View

Add Custom View

Create a new Custom View.

Note: Added Custom Views will be displayed under Custom Views sub-menu of navigation pane.

1. Go to Settings > Configuration > Custom View.
2. Click Add to create a new Custom View.
3. Specify Custom View Name. Custom view name can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
4. Specify description of the Custom View, if required.
5. Expand report group and select the reports to be added in custom view. Maximum 8 reports can be added per custom view.
6. Click Save to add selected reports in the Custom View.

Figure 61: Custom View

Report Scheduling

iView can send various reports to specified Email Addresses as per the configured frequency.

Use the Settings > Configuration > Report Scheduling page to create and manage report notifications.

Add Button
Click to add a new report notification.

Update Report
Click existing notification to update it.

Delete Button
Click to delete a report notification.

Name
Name of the report notification.

Report Group/Bookmark
Category of reports.

Device Name
Name of Device(s) whose reports are included in report notification.

Email Frequency
Report notification frequency - daily or weekly.

To Email Address
Email ID of recipient(s).

Last Sent Time
Last time when the report notification was sent.

Add Report Schedule

Create a new Report Notification for one or more reports, security assessment reports or ConnectWise reports.

1. Go to Settings > Configuration > Report Schedule.
2. Click Add to create a new report notification.
3. Select reports to be sent.

• Report Notification:

Specify report notification name. Name can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.

Specify description of the report notification, if required.

Specify Email address of the recipient in ‘To Email Address’ field. Use comma, with no space in between, to specify multiple Email IDs.

Select Category.

Select notification type. Possible types of reports are Report Group and Bookmark.

Select sorting criteria from the Sorting Criteria field. Possible options are Hits and Bytes.

Select report category from the Report Group or Bookmark drop down list. Reports from selected category will be sent to the recipients.

Select the Devices whose reports are to be included in the notification. Select devices from the Available Devices list. They appear in the Selected Devices list.

Set Email frequency and time. Reports can be mailed daily or weekly. For daily notification select time of the day to send the report. For weekly notification, select day of the week and time of the day to send the report.

Figure 62: Report Schedule

4. Click Save to save changes.

Bookmark Management

Bookmark management allows the user to create bookmark of any report at any level of report drill-down. It provides administrator with great level of network visibility based on any criterion.

For example, the administrator can monitor web usage of a particular user by creating bookmark of user based web usage report.

Every bookmark should be a part of a defined bookmark group; if the bookmark group is not created then bookmarks will be members of Default group.

Every bookmark can be sent to specified Email Address(s) in the form of report notification. Use Settings > Configuration > Bookmark Management to create bookmark groups.

Bookmark Groups
Name of the bookmark group.

Add Bookmark Group Button
Click to add a new bookmark group.

Delete Icon
Click to delete a bookmark group.

Use this page to:

• Add Bookmark Group
• Delete Bookmark Group

Add Bookmark Group

Create a new Bookmark Group.

1. Go to Settings > Configuration > Bookmark Management.
2. Click Add Bookmark Group to create a new Bookmark Group.
3. Specify Bookmark Group Name. Name can be any combination of alphanumeric characters and special characters “_”, “@” and “.”.
4. Click Save to add the bookmark group. The newly created bookmark group is displayed under Bookmarks.

Note:

• Created bookmark groups will be displayed under Bookmarks Sub menu of navigation pane.
• Created bookmark group will also be displayed under Bookmark Group drop down of Add Bookmark option.

Figure 63: Bookmark Group

Data Management

This section describes how to configure Log Retention Period.

Retention of data and log archives uses an enormous amount of disk space. To control and optimize the disk space usage, configure the data retention period of detailed and summarized table. Depending on the compliance requirement, configure the log retention period.

Use Settings > Configuration > Data Management to configure retention period of various data tables. You can configure retention period for various log types.

Note: Based on configured retention period, log data will be deleted on day-by-day basis.

Log Retention Report Period

Log Retention

Displays type of logs to be retained.

Report Period

Displays retention period for summary reports.

Figure 64: Log Retention

Archive Retention
Displays archive logs.

Report Period
Displays retention period for archive logs.

Figure 65: Archive Retention

Export Customization

Select Enable against ‘Export to Excel Parameters Customization’ to enable selection of reports and number of records per report while exporting reports in MS-Excel format.

Figure 66: Export Customization

Apply Button

Click to apply changes. Changes in the retention period will be applied at 12:00 o’clock at night.

Mail Server

System > Configuration > Mail Server

Device allows configuration of Email notifications for certain system-generated events and report notifications (as specified by administrator).

Configure a Mail Server IP Address, Port, and Email Address for the device to send and receive alert Emails. Below are the screen elements with their description:

Mail Server Settings

Mail Server IP - Port

Specify the Mail Server IP Address and Port number.

Default - 25

Display Name

Name to be displayed in notification.

From Email Address

Specify the Email Address from which the notification is to be mailed.

To Email Address

Specify the Email Address to which the notification is to be mailed.

SMTP Authentication

Enable to authenticate user before sending an Email.

Specify user credentials.

Username

Specify the User Name, which uniquely identifies user and will be used for login.

Password

Specify the password.

Send Test Mail

Click Send Test Mail button to send out a test Email to configured Email addresses.

Note: Mail Server configuration changes automatically when changed from the Network Configuration Wizard and vice versa.

Figure 67: Mail Server

Log Integrity

To achieve compliance requirement of some geographical region, iView provides MD5 sum for DHCP and Web Usage log files. It ensures integrity of log data, which means the log files are intact and log data is not manipulated.

1. Go to System > Configuration > Log Integrity to configure MD5 checksum generation.
2. Enable MD5 Checksum module for DHCP and/or Web Usage.
3. Click Save to save changes.

Figure 68: Log Integrity
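One way to check exported DHCP or Web Usage log files against their recorded MD5 sums, as an added example that is not part of this guide or of Sophos-iView. It assumes the checksums are available as md5sum-style "hash  file name" lines (the guide does not specify the format); the file names and log lines are constructed.

```python
import hashlib
import hmac
import string
import tempfile
from pathlib import Path

# Assumption: checksums are kept as md5sum-style lines, "<32 hex digits>  <file name>".
# MD5 is what the Log Integrity module generates; it reveals corruption and plain
# edits, but it is not collision-resistant, so keep the manifest out of reach of
# anyone who can write to the log files.


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, read in chunks so large archives fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse manifest text into {file name: expected hex digest}."""
    expected = {}
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {number}: expected '<md5>  <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 32 or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"manifest line {number}: not an MD5 digest")
        if Path(name).name != name or name == "..":
            # Refuse entries that point outside the log directory.
            raise ValueError(f"manifest line {number}: bare file name required")
        expected[name] = digest
    return expected


def verify_logs(log_dir, manifest_text):
    """Compare every listed file with its recorded digest; return {name: status}."""
    log_dir = Path(log_dir)
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        path = log_dir / name
        if not path.is_file():
            status[name] = "MISSING"
        elif hmac.compare_digest(md5_of_file(path), digest):
            status[name] = "OK"
        else:
            status[name] = "MODIFIED"
    # A file with no recorded checksum cannot be vouched for either.
    for path in sorted(log_dir.iterdir()):
        if path.is_file() and path.name not in expected:
            status[path.name] = "UNLISTED"
    return status


def demo():
    """Constructed scenario: one intact, one edited, one deleted and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp)
        samples = {  # constructed sample content, not real iView output
            "dhcp.log": "2015-11-02 10:00:01 lease 10.0.0.15 aa:bb:cc:00:11:22\n",
            "webusage.log": "2015-11-02 10:00:07 user=alice url=example.com bytes=5120\n",
            "dhcp_old.log": "2015-11-01 09:12:44 lease 10.0.0.9 aa:bb:cc:00:11:33\n",
        }
        for name, content in samples.items():
            (logs / name).write_text(content)
        manifest = "\n".join(f"{md5_of_file(logs / n)}  {n}" for n in samples)

        # Changes made after the checksums were recorded.
        with open(logs / "webusage.log", "a") as handle:
            handle.write("2015-11-02 10:00:09 user=alice url=example.org bytes=1\n")
        (logs / "dhcp_old.log").unlink()
        (logs / "notes.log").write_text("added later\n")

        return verify_logs(logs, manifest)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{state:9} {name}")
```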

Authentication Server

Sophos -iView supports user authentication against:

• an LDAP server
• a RADIUS Server
• an internal database defined in Appliance

User authentication can be performed using local user database, RADIUS, LDAP or any combination of these.

Local Authentication

Sophos-iView provides a local database for storing user information. You can configure Sophos-iView to use this local database to authenticate users and control their access to the network. Choose local database authentication over LDAP or RADIUS when the number of users accessing the network is relatively small. Registering dozens of users takes time, although once the entries are in place they are not difficult to maintain. For networks with larger numbers of users, user authentication using LDAP or RADIUS servers can be more efficient.

Combination of external and local authentication is useful in large networks where it is required to provide guest user accounts for temporary access while a different authentication mechanism like RADIUS for VPN and SSL VPN users provides better security as password is not exchanged over the wire.

External Authentication

External Authentication Servers can be integrated with the Sophos-iView for providing secure access to the users of those servers.

To manage external authentication servers, go to System > Configuration > Authentication Server.

Add Authentication Server

Server Type: Select the service with which you want to use your network.

Available Options:

• LDAP Server
• RADIUS Server

Add/Edit LDAP Server

When Sophos-iView is installed in Windows environment with LDAP server, it is not necessary to create users again in it. Sophos-iView provides a facility to automatically create user(s) on first logon. Whenever the existing user(s) in LDAP logs on for the first time after configuration, user is automatically created in the appliance and is assigned to the default group. This reduces Administrator’s burden of creating the same users in Sophos-iView. User has to be authenticated by Sophos-iView before being granted access to the Internet. Sophos-iView sends the user authentication request to LDAP and LDAP server authenticates user as per supplied tokens. User can log on using their Windows authentication tokens.

1. Select LDAP Server. If user is required to authenticate using an LDAP server, appliance needs to communicate with LDAP server for authentication.
2. Specify name to identify the server.
3. Specify LDAP Server IP address.
4. Specify Port number through which Server communicates. Default port is 389.
5. Select LDAP version. For example, 2
6. Specify the base distinguished name (Base DN) of the directory service, indicating the starting point for searching user in the directory service. If you do not know the Base DN, click Get Base DN to retrieve base DN. The top level of the LDAP directory tree is the base, referred to as the "Base DN". A base DN usually takes one of the three forms: Organization name, Company’s Internet Domain name or DNS domain name. For example dc=google, dc=com.
7. Specify Administrator Username for the user with Administrative privileges for LDAP server.
8. Specify Password for the user with Administrative privileges for LDAP server.
9. Set authentication attribute. It is the attribute used to perform user search. By default, LDAP uses uid attribute to identify user entries. If you want to use a different attribute (such as given name), specify the attribute name in this field.
10. Click Test Connection button to check the connectivity between LDAP and the appliance.

Figure 69: LDAP

Add/Edit RADIUS Server

RADIUS stands for Remote Authentication Dial In User Service and is a protocol for allowing network devices to authenticate users against a central database. In addition to user information, RADIUS can store technical information used by network devices such as protocols supported, IP addresses, telephone numbers, routing information, and so on. Together this information constitutes a user profile that is stored in a file or database on the RADIUS server.

RADIUS servers provide authentication, authorization, and accounting functions but appliance uses only the authentication function of the RADIUS server.

Before you can use RADIUS authentication, you must have a functioning RADIUS server on the network.

1. Select RADIUS Server. If user is required to authenticate using a RADIUS server, appliance needs to communicate with RADIUS server for authentication.
2. Specify name to identify the RADIUS Server.
3. Specify RADIUS Server IP address.
4. Specify Port number through which Server communicates. Default port – 1812.
5. Specify shared secret, which is to be used to encrypt information passed to the appliance.
6. Click Test Connection button to check the connectivity between RADIUS and the appliance.

Figure 70: RADIUS
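The shared secret entered in step 5 is what protects the user's password inside a RADIUS Access-Request. The following Python example is added here and is not code from Sophos-iView: it implements the User-Password hiding defined in RFC 2865 section 5.2, and the secret, authenticator and password values used with it are constructed.

```python
import hashlib
import os

BLOCK = 16           # MD5 output size; the password is processed in 16-octet blocks
MAX_PASSWORD = 128   # RFC 2865 limit for the User-Password attribute


def new_request_authenticator():
    """A fresh, unpredictable 16-octet Request Authenticator for each Access-Request."""
    return os.urandom(BLOCK)


def _xor(left, right):
    return bytes(a ^ b for a, b in zip(left, right))


def _check_inputs(secret, authenticator):
    if not secret:
        raise ValueError("shared secret must not be empty")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")


def hide_password(password, secret, authenticator):
    """Client side: produce the User-Password attribute value.

    c1 = p1 XOR MD5(secret + authenticator)
    ci = pi XOR MD5(secret + c(i-1))
    """
    _check_inputs(secret, authenticator)
    if len(password) > MAX_PASSWORD:
        raise ValueError("password longer than 128 octets")
    # Pad with NULs to a multiple of 16 octets (an empty password becomes one block).
    padded = password + b"\x00" * (-len(password) % BLOCK)
    if not padded:
        padded = b"\x00" * BLOCK
    hidden = b""
    previous = authenticator
    for offset in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + previous).digest()
        previous = _xor(padded[offset:offset + BLOCK], mask)
        hidden += previous
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: recover the password using the same shared secret."""
    _check_inputs(secret, authenticator)
    if not hidden or len(hidden) % BLOCK or len(hidden) > MAX_PASSWORD:
        raise ValueError("User-Password must be 16 to 128 octets, in 16-octet blocks")
    clear = b""
    previous = authenticator
    for offset in range(0, len(hidden), BLOCK):
        block = hidden[offset:offset + BLOCK]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")   # padding NULs are not part of the password


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed value
    authenticator = new_request_authenticator()
    hidden = hide_password(b"constructed password", secret, authenticator)
    print("on the wire :", hidden.hex())
    print("right secret:", reveal_password(hidden, secret, authenticator))
    print("wrong secret:", reveal_password(hidden, b"other-secret", authenticator))
```

Only the User-Password attribute is hidden this way; the rest of the Access-Request, including the user name, is sent in clear text. The protection is therefore only as strong as the shared secret configured on the appliance and on the RADIUS server.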

Time & Date

Sophos-iView current date and time can be set according to the device’s internal clock or synchronized with an NTP server. Device clock can be tuned to show the right time using global Time servers so that logs show the precise time and device internal activities can also happen at a precise time.

Below are the screen elements and their description for setting the Time and Date for the Device:

Current Time
Displays the current system time.

Time Zone
Select time zone according to the geographical region in which the device is deployed.

Set Date & Time
Select to configure the date and time for device’s clock.

Date
Specify the date by clicking calendar.

Time
Specify the time in HH:MM:SS format.

Use pre-defined NTP Server
Select to use the pre-defined NTP servers – asia.pool.ntp.org & in.pool.ntp.org.

NTP stands for Network Time Protocol, and it is an Internet standard protocol used to synchronize the clocks of device to some time reference.

Use Custom NTP Server
Specify the NTP server IPv4 Address or IPv6 Address or domain name to synchronize time with it. If custom NTP server is defined, time is synchronized with custom server and not with pre-defined servers.

Devices use NTP Version 3 (RFC 1305). One can configure up to 10 NTP servers. At the time of synchronization, it queries each configured NTP server sequentially. When the query to the first server is not successful, device queries second server and so on until it gets a valid reply from one of the NTP servers configured.

Sync Status
Click Sync Now to synchronize device clock with the NTP Server.


Figure 71: Time and Date

Maintenance

Maintenance facilitates handling firmware versions, licensing services and Backup & Restore. You can perform the following functions from this tab:

• Backup & Restore: Backup and Restore System data.
• Firmware: Allows you to upload/view firmware versions downloaded.
• Licensing: View status of module licenses and synchronize/renew module licenses.

Backup Restore

Backup is an essential part of data protection. Backups are necessary in order to recover data from loss due to disk failure, accidental deletion or file corruption. There are many ways of taking a backup and just as many types of media to use as well.


The Backup and Restore menu enables you to back up and restore the iView Appliance. It is a good idea to back up the configuration on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect to the network. It is a good idea to back up the configuration after making any changes to the configuration of the iView Appliance.

Once the backup is taken, you need to upload the file for restoring the backup. Restoring data older than the current data will lead to the loss of current data.

Backup

To take the backup manually, go to System > Maintenance > Backup/Restore and click Backup Now.

Figure 72: Backup

Restore

To restore any backup onto the iView Appliance, select the backup file by clicking Browse and then click Upload and Restore.

Figure 73: Restore

Backup Schedule

Backup Frequency

Select the frequency at which Appliance backup is taken. In general, it is best to schedule backup on a regular basis. How much information you add or change will help you determine the schedule.

Available Options:

• Never – Select this option if you do not want to take backup.
• Daily – Configure time at which the backup should be taken.
• Weekly – Configure day and time at which the backup should be taken.
• Monthly – Configure day and time at which the backup should be taken.

Backup Mode

Select how and to whom backup files should be sent.

Available Options:

• FTP – If backup is to be stored on an FTP server, configure the FTP server IP address, username and password to be used.
• Mail – If backup is to be mailed, configure the email ID to which the backup is to be mailed.


Figure 74: Backup Schedule

Manage Backup

This section displays the list of the last five backups along with the time and size of each backup. It also provides an option to download the backup and restore it.

Figure 75: Manage Backup

Firmware

Firmware

The Firmware page displays the list of available firmware versions downloaded. A maximum of two firmware versions are available simultaneously and one of the two firmware versions is active.

Upload firmware - Administrator can upload a new firmware. Click to specify the location of the firmware image or browse to locate the file. You can simply upload the image or upload and boot from the image. The uploaded firmware can only be active after the next reboot.

In case of Upload & Boot, the firmware image is uploaded and upgraded to the new version, and the device closes all sessions, restarts, and displays the login page. This process may take a few minutes since the entire configuration is also migrated in this process.

Boot from firmware - Option to boot from the downloaded image and activate the respective firmware.

Boot with factory default configuration - Device is rebooted and loads default configuration.

Note: Entire configuration will be lost if this option is selected.

Active - Active icon against a firmware suggests that the device is using that firmware.


Figure 76: Firmware

Available Latest Firmware

Check For New Firmware

Displays if any new firmware is available.

Firmware Version

List of available firmware versions that can be downloaded.

Type

Different types of firmware.

Available Options:

• Beta
• GA

Actions

Download button to download the firmware. Once the firmware is downloaded, click the Install button to install the firmware.

Figure 77: Available Firmware

Over-the-Air Hotfix

Allow over-the-air Hot-fixes

Hot-fixes are applied automatically if available. Disable if you do not want to apply hot-fix.

Default - Enable

Figure 78: Over-the-Air Hotfix

Licensing

Sophos iView licenses are available in multiple tiers based on storage requirements and support terms, offering great value for any size organization.

A limited capacity (100 GB) version is available at no charge for evaluation, or for small customers who don’t need to store data for extended periods. Paid licenses are available for 500 GB, 1 TB, 4 TB, 8 TB, and unlimited storage requirements. The licenses and the recommended configurations are given below.


After Device Registration and License Activation, the Storage Subscriptions in iView are perpetual while the Support Subscriptions need to be renewed periodically.

| Sophos iView Licenses | Storage limit | Recommended CPU** | Recommended Memory (vRAM) | Network Interface support (Minimum / Maximum) | Approximate event capacity |
|---|---|---|---|---|---|
| iView Light* | 100 GB | Dual core | 4 GB | 1 / 4 | Short-term evaluation only |
| iView 500 GB | 500 GB | Dual core | 4 GB | 1 / 4 | Up to 300 events per second |
| iView 1 TB | 1 TB | Dual core | 4 GB | 1 / 4 | Up to 300 events per second |
| iView 4 TB | 4 TB | Quad core | 4 GB | 1 / 4 | Up to 600 events per second |
| iView 8 TB | 8 TB | Quad core | 4 GB | 1 / 4 | Up to 600 events per second |
| iView Unlimited | Unlimited (16 TB recommended) | Quad core# | 8 GB | 1 / 4 | Up to 2000 events per second |

Event capacity varies with CPU family and hardware specs

* Free for evaluation purpose

** CPU frequency 2.7 GHz or equivalent

# CPU frequency 3.1 GHz or equivalent

Lower Threshold

The Lower Threshold monitors the storage utilization of iView as a percentage of the Licensed Capacity or Disk Capacity (whichever is lower). iView sends alerts if the utilization exceeds the specified threshold.

To set the Lower Threshold, specify the percentage and click Apply.

The meter displays the Disk Capacity, License Capacity and the percentage of storage utilized.

Figure 79: Lower Threshold

Device Registration Details

Model

Displays License Information and Serial Number of Device.

Version

Firmware version.


Licensed Storage Capacity

Storage capacity of the iView device based on purchased License.

Company Name

Name of the company under which the device is registered.

Contact Person

Name of the contact person in the company.

Registered Email Address

Email address used for device registration.

Figure 80: Registration Details

Subscription Details

Module

Information of Storage or Support Subscription.

Status

Indicates the status of the module.

A module can have the following status:

• Active - Module is subscribed.
• Inactive - Module is not subscribed.
• Expired - Subscription expired.

Expiration Date

Module subscription expiry date.

Figure 81: Subscription Details


Manage Subscription

Modules can be subscribed directly from your device or from your MySophos Account. Once you subscribe, you need to synchronize licenses with your MySophos account.

Click Synchronize to synchronize licenses with your account.

Click Activate to activate your purchased subscriptions.

Figure 82: Manage Subscription

Live Logs

Once the device is added, Administrator can verify whether the device is sending the logs or not through Live Logs. With the real-time logs, Administrator can view the most recent log received from the selected device without loading the archive log file.

1. Go to System > Live Logs.
2. Select the network device from the device drop-down given at top left.
3. Set Refresh Time to refresh logs automatically.
4. Select the number of records to be displayed.
5. Click Go to view real-time logs for the selected device.
6. Click Start Update to start log view.
7. Click Stop Update to stop log views.
8. Click Refresh to refresh logs manually.

Note:

• Real-time logs can be viewed for a single device only.
• Log view is refreshed automatically as per the configured refresh time. If you wish to refresh the log view in between, use the Refresh button.


Figure 83: Live Logs

Audit Logs

Audit logs are required to ensure accountability, security and problem detection of a system.

Use System > Audit Logs page to view audit logs for Sophos-iView.

Screen Components

Event Time: Event time represents time of the event.

Category: Sophos-iView shows audit logs for the following categories with corresponding events and messages:

| Category | Event Logs for | Message |
|---|---|---|
| Mail | SMTP server configuration update | SMTP server IP: Port <IP address>:<Port> has been set; SMTP server IP: Port <IP address>:<Port> with username <username> has been set; SMTP server IP: Port <IP address>:<Port> setting failed; SMTP server IP: Port <IP address>:<Port> with username <username> setting failed |
| Mail | Add Report Notification | Report notification <report notification name> added successfully |
| Mail | Update Report Notification | Report notification <report notification name> updated successfully |
| Mail | Delete Report Notification | Report notification <report notification name> deleted successfully |
| Mail | Sent report notification | Mail with subject <subject> sent to <recipient’s email ID>; Mail sending failed :<error message> |
| User | User Login | User <username> login successful; User <username> login failed; Not authenticated due to database connection error |
| User | User Log out | User log out successful |
| User | Add User | User <username> added successfully; Add failed due to duplicate user name |
| User | Update User | User <username> updated successfully; User <username> update failed |
| User | Delete User | User <username> deleted successfully; User <username> delete failed |
| Device | Add Device | <device status> device <device name> is added |
| Device | Update Device | Device <device name> is updated; Device status for <comma separated device name> updated |
| Device | Delete Device | Device <comma separated device name> are deleted; Device <comma separated device name> are not deleted |
| Device | Add Device Group | Device group <device group name> is added; Device group <device group name> add failed due to duplicate device group name |
| Device | Update Device Group | Device group <device group name> is updated |
| Device | Delete Device Group | Device group <device group name> is deleted |
| Views | Unauthorized access to web pages | Unknown user has tried to access unauthorized page name <page name>; User has tried to access unauthorized page name <<page name>> |
| Data | Archived Logs | Archived (cold) log file will be deleted till date(dd-mm-yyyy) <<configured removal date>>; Archived Log configuration updated to <<archived limit>> days |
| Data | Detail Table | Detail Table configuration updated to <<detail table limit>> days |
| Data | Summary Table | Summary Table configuration updated to <<summary table limit>> days |
| Report | Add Custom View | Custom view <custom view name> added successfully; Custom view <custom view name> addition failed |
| Report | Update Custom View | Custom view <custom view name> updated successfully; Custom view <custom view name> update failed |
| Report | Delete Custom View | Custom view <custom view name> deleted successfully; Custom view <custom view name> deletion failed due to <error message>; <number of custom view> custom view(s) deleted successfully |

Severity: Following are predefined severity levels in Sophos-iView:

• Emergency: System is not usable.
• Alert: Action must be taken immediately.
• Critical: Critical condition.
• Error: Error condition.
• Warning: Warning condition.
• Notice: Normal but significant condition.
• Info: Informational.
• Debug: Debug-level messages.

Message: Message is a one-line description of the event.

Username: Username of the user associated with the event.

IP Address: IP address of the user.
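A way to triage these audit records for sign-in abuse, as an added example that is not part of the guide or of Sophos-iView: it matches the "login failed", "login successful" and "unauthorized page name" messages listed above. The CSV layout, timestamp format, severities, addresses, page name and the thresholds are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: columns follow the Audit Logs screen components above.
SAMPLE = """\
Event Time,Category,Severity,Message,Username,IP Address
2015-11-02 09:14:01,User,Warning,User admin login failed,admin,192.0.2.10
2015-11-02 09:14:20,User,Warning,User admin login failed,admin,192.0.2.10
2015-11-02 09:14:41,User,Warning,User root login failed,root,192.0.2.10
2015-11-02 09:15:05,User,Info,User admin login successful,admin,192.0.2.10
2015-11-02 09:20:00,Views,Warning,Unknown user has tried to access unauthorized page name <example-page>,,198.51.100.7
2015-11-02 10:02:00,User,Warning,User alice login failed,alice,203.0.113.5
2015-11-02 10:30:00,User,Info,User alice login successful,alice,203.0.113.5
"""

LOGIN_FAILED = re.compile(r"^User\s+(\S+) login failed$")
LOGIN_OK = re.compile(r"^User\s+(\S+) login successful$")
UNAUTHORIZED = re.compile(r"tried to access unauthorized page name <+([^<>]+)>+$")


def triage(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return (time, kind, ip, detail) findings from audit-log rows."""
    findings = []
    failures = defaultdict(deque)  # source IP -> times of recent failed logins
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["Event Time"])
    for row in rows:
        when = datetime.strptime(row["Event Time"], "%Y-%m-%d %H:%M:%S")
        ip, msg = row["IP Address"], row["Message"].strip()
        recent = failures[ip]
        # Forget failures that fell out of the sliding window.
        while recent and when - recent[0] > window:
            recent.popleft()
        if LOGIN_FAILED.match(msg):
            recent.append(when)
            if len(recent) == threshold:  # alert once per burst
                findings.append((when, "failed-login-burst", ip,
                                 f"{threshold} failures within {window}"))
        elif (m := LOGIN_OK.match(msg)):
            # A success right after a burst deserves a closer look.
            if len(recent) >= threshold:
                findings.append((when, "login-after-failures", ip, m.group(1)))
            recent.clear()
        elif (m := UNAUTHORIZED.search(msg)):
            findings.append((when, "unauthorized-page", ip, m.group(1)))
    return findings


if __name__ == "__main__":
    for when, kind, ip, detail in triage(SAMPLE):
        print(when.isoformat(sep=" "), kind, ip, detail)
```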

Diagnostics

Using Diagnostics, one can view the statistics to diagnose connectivity and network problems and to test network communication. It assists in troubleshooting issues such as hangs, packet loss, connectivity, and discrepancies in the network.

• Ping
• Traceroute
• Name Lookup
• Route Lookup
• Consolidated Troubleshooting Report

Ping

Ping is the most common network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.

Ping sends ICMP echo request/replies to test connectivity to other hosts. Use standard ICMP ping to confirm that the server is responding. Ping confirms that the server can respond to an ICMP ping request.

Use Ping diagnostically to:

• Ensure that a host computer you are trying to reach is actually operating, or check whether the address is reachable
• Check how long it takes to get a response
• Get the IP Address from the domain name
• Check for packet loss

The parameters used and their descriptions are:

IP Address/Host Name

Specify the IP Address (IPv4/IPv6) or fully qualified domain name to be pinged.

It determines the network connection between the device and a host on the network. The output shows if the response was received, packets transmitted and received, packet loss if any and the round-trip time. If a host is not responding, ping displays 100% packet loss.

IP Family

Select the type of IP Family from the options available:

Available Options:

• IPv4
• IPv6

Interface

Select the Interface through which the ICMP echo requests are to be sent.

Size

Specify the Ping packet size, in bytes.

Default - 32 bytes

Size Range – 1 to 65507

Figure 84: Ping

Traceroute

Traceroute is a useful tool to determine if a packet or communications stream is being stopped at the device, or is lost on the Internet, by tracing the path taken by a packet from the source system to the destination system, over the Internet.

Use Traceroute to:

• Find any discrepancies in the network or the ISP network within milliseconds.
• Trace the path taken by a packet from the source system to the destination system, over the Internet.

The parameters used and their descriptions are:

IP Address/Host Name

Specify the IP Address (IPv4/IPv6) or fully qualified domain name.

It determines the network connection between the device and a host on the network. The output shows all the routers through which data packets pass on the way to the destination system from the source system, maximum hops and total time taken by the packet to return, measured in milliseconds.

IP Family

Select the type of IP Family from the options available:

Available Options:

• IPv4
• IPv6

Interface

Select the Interface through which the requests are to be sent.

Figure 85: Traceroute

Name Lookup

Name Lookup is used to query the Domain Name Service for information about domain names and IP Addresses. It sends a domain name query packet to a configured domain name system (DNS) server. If a domain name is entered, one gets back the IP Address to which it corresponds, and if an IP Address is entered, then one gets back the domain name to which it corresponds. In other words, it reaches out over the Internet to do a DNS lookup from an authorized name server, and displays the information in a user-understandable format. One can also view all the available DNS Servers configured in the device by selecting the option Lookup using all Configured Servers from the DNS Server IP drop-down list. Selecting this option will also provide information about the time taken by each DNS server to resolve the query. Based on the least time, one can prioritize the DNS server.

The parameters used and their descriptions are:

IP Address/Host Name

IP Address (IPv4/IPv6) or fully qualified domain name that needs to be resolved.

DNS Server IP

Select the DNS server to which the query is to be sent.

Figure 86: Name Lookup


Route Lookup

If you have routable networks and wish to find out through which Interface the device routes the traffic, look up the route for the IP Address (IPv4/IPv6).

Figure 87: Route Lookup

Archives

Sophos-iView provides archived logs to give a historical view of network activities:

• Archived Files
• Searchable Archived Files
• Backup Management

Archived Files

Use System > Archives > Archive Files page to view archived log files generated by Sophos-iView.

Archive logs are a collection of historical records, which are the initial line of forensic investigation. Sophos-iView retains archive log data for the configured period. The Data Retention period can be configured from the System > Configuration > Data Management page. For further details refer to the Data Management section.

Searchable Archived Files

This page allows you to load, index, unload and search archive logs for forensic investigation and compliance purposes.

Use System > Archives > Archive Search page to perform a search in log files generated by Sophos-iView.

Load Archive Files

1. Select one or multiple network devices from the device drop-down given at top left.
2. Select the date range from the given calendar.
3. Click OK to save the selection.
4. Click Load to upload the archive file for the selected date into the Sophos-iView database. This process may take some time depending on the size of data.

Note: The check box will be disabled once the file is uploaded to the Sophos-iView database.

Unload Archive Files

Click Unload to unload all the loaded files.

Note:

• Unload operation will unload all the loaded files. User will not have the option to unload an individual file.
• Please note that unloading a file does not delete the data from Sophos-iView.


Archive Backup

iView allows the Administrator to take backup of historical archived logs to improve usage of available storage space. The Administrator can download and restore the backup files as and when required. Use System > Archives > Archive Backup to:

• Backup Archive Files
• Download Backup Files
• Restore Backup Files

Backup Archive Files

1. Select one or multiple network devices from the device drop-down given at top left.
2. Select the date range from the given calendar.
3. Click OK to save the selection.
4. Click Go to view archived files for the selected date.
5. Select the Backup Frequency, either Never or Daily, to schedule automatic backup. If Daily, provide details of the FTP server.
6. Select the check box against file(s) and click Backup Now to take backup of the files in the iView machine.
7. Select the Full Day Backup checkbox and click Backup Now to take a full day backup at once.

Note:

• Super Admin or Admin privilege required to take backup of archived file.
• Unloading of the archived file is required to take backup.
• If the archived file is partially loaded, then backup of only unloaded data will be taken.
• Once the backup file is created, Administrator can download the backup file on any machine including the Cyberoam-iView machine itself.

Download Backup Files

1. Click Download Backup Files.
2. Click Download against the filename. The file will be downloaded on the local machine from where the iView Admin Console is accessed.

Note:

• Super Admin or Admin privilege required to download backup of archive file.
• To help identify the backup of each device, the Backup file is named as <Device ID_YYYYMMDDStartHourEndHour> where:

• Device ID - As configured in Cyberoam-iView
• YYYYMMDD - Date as displayed on Archive Files page under Date column
• Start Hour End Hour – Time as displayed on Archive Files page under File Details column

Restore Backup Files

1. Browse to the file to be restored. Click Add to restore multiple files.
2. Click Restore.

Note: Super Admin or Admin privilege required to restore backup files.


Figure 88: Archive Backup