Firewall reporting – Report Generator

Report Generator allows you to select a report template, specify filters, generate a report, and save the template with your filter and display settings.

Note: Generated reports that you can view in Sophos Central support up to 10,000 records in a report. Scheduled exports support up to 100,000 records in a report.

The report generator tab includes the following areas:

  • Filters
  • Chart
  • Table

Filters

Under Filters, you can select the firewall, report template, and time frame. You can also specify queries.

Under Report templates, you can select one of the following report templates:

  • ATP: Threats coming from specific IP addresses that have been detected by Advanced Threat Protection.
  • Antivirus: Malware or suspicious items that have been blocked.
  • Bandwidth usage: Amount of internet usage of specific applications.
  • Firewall: Numbers of connections between specific IP addresses.
  • IPS: Attempted attacks, including source and destination.
  • Log viewer & search: Log entries that have been generated by the firewall in non-aggregated form.
  • Sandstorm events: Files and emails that contain suspicious attachments that have been sent to Sandstorm.
  • Threat geo activity: Threats from certain countries that have been blocked.
  • Threats & events blocked: All types of threat and event, by source or destination country, that have been blocked.
  • VPN usage: Amount of usage of specific VPN connections.
  • Web usage: Visits to specific websites, including whether connections have been allowed or blocked.

The Log viewer & search report does not include a chart, only a table.

Under Time frame, you can specify the time frame for which information is shown by selecting one of the options. If you select Custom, you can use the date selection boxes to select the dates and times between which information is shown.

Restriction: If you don't have a firewall reporting license, you can't specify a time frame that starts more than seven days ago.

Under Query, you can enter values on which to filter the report:

  1. In the text box, select or enter the name of the column on which you want to filter.

    A further text box is shown in which you enter the values you want to filter.

  2. To change the operator used for comparison, click the equals sign next to the column name to show a drop-down list:

    Operator | Rows shown
    = | Rows in which the column value matches the value you want to filter. The value is case-sensitive. Examples: DOMAIN = www.bing.com (all rows in which the domain matches a specific domain); Source IP = 10.8.9.191 (all rows in which the IP address matches a specific address).
    != | Rows in which the column value does not match the value you want to filter. The value is case-sensitive.
    < | Rows in which the column value is less than the value you want to filter (applies only to numeric values).
    <= | Rows in which the column value is less than or equal to the value you want to filter (applies only to numeric values).
    > | Rows in which the column value is greater than the value you want to filter (applies only to numeric values).
    >= | Rows in which the column value is greater than or equal to the value you want to filter (applies only to numeric values).
    IN | Rows in which the column value matches any value in a comma-separated list of values you want to filter. The values are case-sensitive. Example: Destination IP IN 13.107.21.200,204.79.197.200 (all rows in which the destination IP address matches any value in a list of IP addresses).
    ~ | Rows in which the column value matches a wildcard expression you want to filter. The wildcard is an asterisk: *. The expression isn't case-sensitive. Examples: URL ~ *amazon* (all rows in which the URL contains a specific string); Source IP ~ 13.225.78.* (all rows in which the source IP address matches any address in a subnet).
    !~ | Rows in which the column value does not match a wildcard expression you want to filter. The wildcard is an asterisk: *. The expression isn't case-sensitive.

  3. Repeat this process if you want to add more filters. A row is only shown if it meets the conditions of all the filters.
  4. To remove a filter, click the delete button next to the filter.
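As an added example that is not part of the Sophos documentation, the following Python models the Query box semantics described above: case-sensitive = and !=, a comma-separated IN list, numeric-only <, <=, >, >=, case-insensitive ~ and !~ with * as the only wildcard, and filters that are ANDed. The sample rows are constructed here; the exact parsing rules (whitespace handling, how a non-numeric column behaves under a numeric operator) are assumptions, not documented behaviour.

```python
import re

# Constructed sample rows (not from the original page), using the column names
# that appear in the operator table's examples.
ROWS = [
    {"DOMAIN": "www.bing.com", "Source IP": "10.8.9.191",
     "Destination IP": "13.107.21.200", "URL": "https://www.bing.com/", "Bytes": 1200},
    {"DOMAIN": "www.Amazon.com", "Source IP": "13.225.78.4",
     "Destination IP": "204.79.197.200", "URL": "https://www.Amazon.com/", "Bytes": 40000},
    {"DOMAIN": "example.org", "Source IP": "10.8.9.20",
     "Destination IP": "93.184.216.34", "URL": "http://example.org/", "Bytes": 300},
]

# "Column op value": two-character operators first so ">=" is not read as ">";
# IN needs surrounding whitespace so a column such as DOMAIN is not split at "IN".
_FILTER = re.compile(r"^(.+?)\s*(!=|!~|<=|>=|=|<|>|~|\sIN\s)\s*(.+)$")

def _wildcard(value, pattern):
    # '~' and '!~': '*' is the only wildcard and matching ignores case.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None

def _match(value, op, operand):
    if op == "=":    # '=' and '!=' compare case-sensitively
        return str(value) == operand
    if op == "!=":
        return str(value) != operand
    if op == "IN":   # any value in a comma-separated list (case-sensitive)
        return str(value) in {v.strip() for v in operand.split(",")}
    if op == "~":
        return _wildcard(value, operand)
    if op == "!~":
        return not _wildcard(value, operand)
    # <, <=, >, >= apply only to numeric values; a non-numeric column never matches.
    if not isinstance(value, (int, float)):
        return False
    num = float(operand)
    return {"<": value < num, "<=": value <= num, ">": value > num, ">=": value >= num}[op]

def parse_filter(text):
    """Split 'Source IP ~ 13.225.78.*' into ('Source IP', '~', '13.225.78.*')."""
    m = _FILTER.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse filter: {text!r}")
    return m.group(1).strip(), m.group(2).strip(), m.group(3).strip()

def apply_filters(rows, filters):
    """Keep a row only if it meets every filter, as the Query box does (filters are ANDed)."""
    parsed = [parse_filter(f) for f in filters]
    return [r for r in rows if all(_match(r.get(col), op, val) for col, op, val in parsed)]
```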

Click Generate to show the selected report using the filters that you've specified.

If the time frame that you've selected is longer than 30 days, it may take some time to get the data. If it takes more than a few seconds, you see a message:

  • To continue waiting to see the report, click OK. The report is added to the queue. When it's ready, it's shown on the Report Generator tab automatically.

    If you later decide to stop waiting, you can click Start Another Report. This allows you to view another report while you’re waiting. However, when the first report is ready, you must go to the Queue tab to view it.

  • To stop generating the report, click Cancel.

Click Schedule to set up an export schedule for reports. You can schedule up to 100 reports.

Note: You can also generate an export by clicking PDF, CSV, or HTML. You can download your exported reports from Scheduled Exports.

  • Enter a Template Name.
  • Select the Time frame of the data you want to include.
  • Configure Export frequency settings.
  • Select the Export format. You can export the report in the following formats: PDF, CSV or HTML.

    A PDF export has a maximum of fifteen columns.

  • Select the Export notification/delivery method.

    We recommend that you send the link in an email if the report includes personally identifiable information.

    The report is sent to your Sophos Central email address, as specified in Account Details.

    You must enter your Sophos Central sign-in credentials to view reports from a link.

  • You can send the report to other Sophos Central administrators.
  • Click Save.

    You can download your exported reports from Scheduled Exports.

Click Save Template to save the selected report template with any of the filters or display settings that you've applied, including the following:

  • Query filters
  • Chart type
  • Chart axes
  • Table sorting
  • Table columns

This saves you from having to make all the selections again. The report template is saved to the Saved Templates tab. The data is not saved with the template, though.

You can also turn export scheduling on and off for this report template.

Chart

In the chart area, you can select one of the following chart types by clicking one of the buttons in the top right of the area:

  • Bar
  • Horizontal bar
  • Pie
  • Line
  • Stack-area

To select which information is shown on each axis:

  1. Click the screwdriver and spanner button in the top right of the area.
  2. In the top box, click the arrow and select which information is shown on the x-axis.
  3. In the next box, click the arrow and select which information is shown on the y-axis.
  4. If a line or stack-area chart is shown, in the bottom box, click the arrow and select which information is shown on the z-axis.

When you select a different chart type, it shows default information on each axis, even if you previously changed it.

If you hover the mouse pointer over the chart, the data values are shown next to the pointer.

Table

In the table area, when the table is first shown, it uses a default set of columns. You can select which columns to show by clicking the column selection button in the top right of the area.

The rows are aggregated to remove duplicate rows. For example, by default the Firewall report table shows the number of hits for a specific rule ID, source IP, destination IP, and country. This is represented by one row:

FIREWALL RULE ID | SOURCE IP | DESTINATION IP | SOURCE COUNTRY | HITS
0 | 1.1.1.1 | 255.255.255.255 | Australia | 3

However, if you add another column in which the data is different in each row, for example, the user, one row is shown for each hit, with each row having the same rule ID, source IP, destination IP, and country:

FIREWALL RULE ID | USER | SOURCE IP | DESTINATION IP | SOURCE COUNTRY | HITS
0 | John Smith | 1.1.1.1 | 255.255.255.255 | Australia | 1
0 | Paul Jones | 1.1.1.1 | 255.255.255.255 | Australia | 1
0 | George Harris | 1.1.1.1 | 255.255.255.255 | Australia | 1

In summary, the more columns that you add, the more granular the information that is shown.

If the date column is shown, duplicate rows are grouped on the date and time as follows:

Time frame | Row grouping
Less than or equal to 1 hour | Rows in which the date and time are the same to the nearest minute
Greater than 1 hour but less than or equal to 48 hours | Rows in which the date and time are the same to the nearest hour
Greater than 48 hours | Rows in which the date and time are the same to the nearest day
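As an added example that is not part of the Sophos documentation, the following Python reproduces the aggregation behaviour described above: records that are identical over the selected columns collapse into one row whose HITS value counts them, adding USER splits the row per user, and a DATE column is grouped at minute, hour or day granularity depending on the report time frame. The hit records are constructed here, and truncating timestamps for "to the nearest minute/hour/day" is an assumption.

```python
from collections import Counter
from datetime import datetime

# Constructed hit records (not from the original page): three log entries that
# differ only in USER and DATE, mirroring the Firewall report example above.
COMMON = {"FIREWALL RULE ID": 0, "SOURCE IP": "1.1.1.1",
          "DESTINATION IP": "255.255.255.255", "SOURCE COUNTRY": "Australia"}
HITS = [
    dict(COMMON, USER="John Smith", DATE=datetime(2024, 1, 1, 10, 5, 12)),
    dict(COMMON, USER="Paul Jones", DATE=datetime(2024, 1, 1, 10, 7, 0)),
    dict(COMMON, USER="George Harris", DATE=datetime(2024, 1, 1, 11, 30, 0)),
]

# Default column set of the Firewall report table, as shown on the page.
DEFAULT_COLUMNS = ["FIREWALL RULE ID", "SOURCE IP", "DESTINATION IP", "SOURCE COUNTRY"]

def date_bucket(ts, time_frame_hours):
    """Granularity the DATE column is grouped at for a report time frame (in hours).
    Truncation stands in for 'to the nearest minute/hour/day' (an assumption)."""
    if time_frame_hours <= 1:
        return ts.replace(second=0, microsecond=0)               # nearest minute
    if time_frame_hours <= 48:
        return ts.replace(minute=0, second=0, microsecond=0)     # nearest hour
    return ts.replace(hour=0, minute=0, second=0, microsecond=0) # nearest day

def aggregate(records, columns, time_frame_hours=None):
    """Collapse records that are identical over the selected columns into one row;
    HITS is the number of records each row represents."""
    counts = Counter()
    for rec in records:
        key = tuple(date_bucket(rec[c], time_frame_hours) if c == "DATE" else rec[c]
                    for c in columns)
        counts[key] += 1
    return [dict(zip(columns, key), HITS=n) for key, n in counts.items()]
```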

Some columns include values that are hyperlinks. If you click one of these, a filter on that value is added to the Query box in the filters area, which you can use to filter the report. For example, in the table above, if you click Australia, a filter is added: Source Country = Australia. You can repeat this for other values to make the filter more specific. For the Threats & events blocked report, such hyperlinks also link to one of the other reports.

For the Log viewer & search report, the buttons in the top right of the area allow you to switch between the tabular view, which shows a limited number of columns, and the raw view, which shows all columns.