Tools

You can view statistics to diagnose connectivity and network issues and test network communication. You can troubleshoot issues such as packet loss, connectivity, and discrepancies in your network.

Pop-out tools

Log viewer

By default, the log viewer shows the firewall logs. It opens in a new full-screen browser window. See Log viewer.

Policy tester

Use the policy tester before and after you edit a rule or policy to verify the applied action. The policy tester opens in a new browser window. See Policy tester.

Ping

Ping is the most common network administration utility used to test the reachability of a host on an Internet Protocol (IP) network and to measure the round-trip time for messages sent from the originating host to a destination computer.

Ping sends ICMP echo requests to test the connectivity to other hosts. The output shows if the response was received, packets transmitted and received, packet loss, and round-trip time. If a host isn't responding, ping shows 100 percent packet loss.

You can specify the following settings:

Setting | Description
IP address or hostname | Specify the IP address (IPv4 or IPv6) or fully qualified domain name you want to ping.
IP family | Select the IP version (IPv4 or IPv6).
Interface | Select the interface through which the ICMP echo requests are to be sent.
Size | Specify the ping packet size (in bytes). Default: 32 bytes. Size range: 1 to 65507.

Traceroute

Traceroute traces the path taken by a packet from the source system to the destination system. The output shows all the routers through which data packets pass from the source system to the destination system, maximum hops, and total time taken by the packet to return (measured in milliseconds).

Traceroute tool from WebAdmin

  1. Sign in to the web admin console.
  2. Go to Diagnostics > Tools.
  3. Enter the required details under the Traceroute section. You can specify the following settings:

    Setting | Description
    IP address or hostname | Specify the IP address (IPv4 or IPv6) or fully qualified domain name.
    IP version | Select the IP version (IPv4 or IPv6).
    Interface | Select the interface through which you want to send the requests.
  4. Click Traceroute to view route information between the device and specified IP address.

Traceroute tool from CLI

  1. Sign in to the web admin console.
  2. Go to admin > Console and press Enter.
  3. Enter your password.
  4. Select 4. Device Console and press Enter.
  5. Run one of the following commands. See Traceroute.

    • IPv4: traceroute <IPv4 ADDRESS>
    • IPv6: traceroute6 <IPv6 ADDRESS>

Name lookup

You can use name lookup to query the domain name service for information about domain names and IP addresses. It sends a domain name query packet to a configured domain name system (DNS) server. If you enter a domain name, the server returns the IP address associated with that domain name, and if you enter an IP address, the server returns the domain name associated with that IP address.

You can specify the following settings:

Setting | Description
IP address or hostname | IP address (IPv4 or IPv6) or fully qualified domain name (FQDN) to resolve.
DNS server IP | Select the DNS server to send the query to. Select Lookup using all configured servers to view all the available DNS servers configured in the device. Selecting this option will also provide information about the time taken by each DNS server to resolve the query. Based on the response time of each server, you can prioritize the DNS server.
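
The following is an added example, not Sophos code: it shows how a standard DNS lookup turns a hostname into a forward question and an IP address into a reverse (PTR) question, encodes it for the wire, times one server, and ranks servers by response time. The function names, the documentation-range server addresses, and the sample timings are assumptions made for illustration.

```python
import ipaddress, secrets, socket, struct, time

QTYPE = {"A": 1, "PTR": 12, "AAAA": 28}

def question_for(target, family="IPv4"):
    """Return (qname, qtype) for a forward or reverse lookup of target."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostname: forward lookup, A record for IPv4 or AAAA for IPv6.
        return target.rstrip("."), "A" if family == "IPv4" else "AAAA"
    # IP literal: reverse lookup under in-addr.arpa or ip6.arpa.
    return addr.reverse_pointer, "PTR"

def build_query(qname, qtype, txid=None):
    """Encode one RFC 1035 question with the recursion-desired flag set."""
    txid = secrets.randbits(16) if txid is None else txid
    packet = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label in {qname!r}")
        packet += bytes([len(raw)]) + raw
    return packet + b"\x00" + struct.pack(">HH", QTYPE[qtype], 1)

def time_query(server, packet, timeout=2.0):
    """Send the query over UDP port 53; return elapsed ms or None on failure."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(packet, (server, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError:
            return None
        elapsed = (time.perf_counter() - start) * 1000
    # Accept only a reply that echoes our transaction ID.
    return elapsed if reply[:2] == packet[:2] else None

def rank_servers(timings_ms):
    """Order servers fastest first; servers that did not answer go last."""
    answered = sorted((ms, srv) for srv, ms in timings_ms.items() if ms is not None)
    failed = sorted(srv for srv, ms in timings_ms.items() if ms is None)
    return [srv for _, srv in answered] + failed

if __name__ == "__main__":
    # Constructed timings (documentation-range addresses), not measured values.
    sample = {"192.0.2.53": 41.0, "198.51.100.53": 12.5, "203.0.113.53": None}
    print(question_for("192.0.2.10"), rank_servers(sample))
```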

Route lookup

If you have routable networks and want to find the interface through which the device routes traffic, you can look up the route. To do this, enter the IP address (IPv4 or IPv6).

Consolidated troubleshooting report

To help the support team debug system problems, you can generate a consolidated troubleshooting report (CTR), consisting of the system's current status file and log files. The file contains details, such as a list of all the processes currently running on the system, and resource usage, in encrypted form.

Sophos Firewall generates the file with the name: CTR_<APPKEY>__<MM_DD_YY>_<HH_MM_SS>

  • APPKEY is the device key of the device for which the report is generated.
  • MM_DD_YY is the date (month date year) on which the report is generated.
  • HH_MM_SS is the time (hour minute second) at which the report is generated.
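
The following is an added example, not Sophos code: it parses CTR file names in the format above and orders them by generation time, which a plain alphabetical sort gets wrong because the name starts with the month and uses a two-digit year. The function names, the sample device keys, and the tolerance for a trailing file extension are assumptions; the timestamp is treated as the device's local time.

```python
import re
from datetime import datetime

# CTR_<APPKEY>__<MM_DD_YY>_<HH_MM_SS>. A trailing ".ext" is tolerated as an
# assumption, because the page does not say whether the file has an extension.
CTR_NAME = re.compile(
    r"^CTR_(?P<appkey>.+?)__(?P<stamp>\d{2}(?:_\d{2}){5})(?:\..*)?$"
)

def parse_ctr_name(name):
    """Return (appkey, generated_at), or None if name is not a valid CTR name."""
    match = CTR_NAME.match(name)
    if not match:
        return None
    try:
        stamp = datetime.strptime(match.group("stamp"), "%m_%d_%y_%H_%M_%S")
    except ValueError:  # right shape, but not a real date or time
        return None
    return match.group("appkey"), stamp

def chronological(names):
    """Sort valid CTR names oldest first; names that do not parse are dropped."""
    parsed = [(parse_ctr_name(n), n) for n in names]
    valid = [(p[1], n) for p, n in parsed if p is not None]
    return [n for _when, n in sorted(valid)]

def latest_per_device(names):
    """Map each device key to the name of its most recent CTR."""
    latest = {}
    for name in chronological(names):
        latest[parse_ctr_name(name)[0]] = name
    return latest

# Constructed sample names; the device keys are placeholders.
SAMPLE = [
    "CTR_C0FFEE000001__01_02_25_08_15_00",
    "CTR_C0FFEE000001__12_30_24_23_59_10",
    "CTR_C0FFEE000002__01_01_25_00_00_05",
    "CTR_C0FFEE000001__13_40_25_00_00_00",  # invalid month and day
    "notes.txt",
]

if __name__ == "__main__":
    print(chronological(SAMPLE))
    print(latest_per_device(SAMPLE))
```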

You can turn on debug mode for the subsystems to get their detailed troubleshooting logs.

Affected subsystem | Issues related to
Access-Server | User authentication.
Bwm | Quality of Service (QoS) or bandwidth management.
CSC | Web admin console stops responding.
IPSEngine | Application filter or intrusion prevention system (IPS).
LoggingDaemon | Logging service for event logs and graphs.
MTA | Mail transfer agent (MTA).
Msyncd | High availability.
POPIMAPDaemon | POP, IMAP, and FTP with scanning turned on in the firewall rules.
Pktcapd | Packet capture on the web admin console.
SMTPD | Anti-spam, antivirus and email communication over SMTP with scanning turned on in firewall rules.
SSLVPN | SSL VPN web and application (clientless bookmark), and tunnel access creation.
SSLVPN-RPD | Used when SSL VPN tunnel access mode is configured over UDP protocols.
WebProxy | Web proxy, for example, inaccessible website despite an Allow All web policy and no malware detection.

You can specify the following CTR settings:

Setting | Description
Generate CTR for | Turn on the options for which Sophos Firewall generates the CTR. System snapshot: Generates snapshots to show the issues in the system. Log files: Generates log files.
Reason | Specify the reason for generating CTR.

When you generate a log files CTR, the following complete log files are collected:

  • syslog.log
  • postgres.log
  • reportdb.log
  • applog.log

In addition, the last 1,000 lines of all other log files are collected.

Note

When generating log files, the *.log.0 files aren't collected.

Generate a CTR

You can generate a CTR and send it to the support team to diagnose and troubleshoot an issue.

  1. Turn on debug mode as follows:

    By default, debug mode is turned off for all subsystems. Before generating a log file, turn on debug mode for the subsystem.

    Warning

    The debug file increases in size as long as debug is turned on. To avoid taking up too much disk space, turn debug off once you're done troubleshooting by typing the following command on the CLI:

    system diagnostics subsystems <subsystem name> debug off
    

    Note

    You don't need to turn on debug mode if you only want to generate a system snapshot.

    1. Sign in to the CLI and enter 4 for Device console.
    2. Run the following command:

      Syntax:

      system diagnostics subsystems <subsystem> debug on
      

      Example:

      system diagnostics subsystems WebProxy debug on
      

      Note

      For CSC, run the following command:

      system diagnostics subsystems CSC debug
      
  2. (Optional) Purge logs.

    If you don't need historical logs for analyzing the issue, we recommend that you purge them. See Manual purge.

    Run the following command:

    Syntax:

    system diagnostics subsystems <subsystem> purge-log
    

    Example:

    system diagnostics subsystems WebProxy purge-log
    
  3. (Optional) Set CTR log lines.

    You can specify the number of lines to include in the CTR, from 250 to 10000. The default is 1000. See Diagnostics.

    Run the following command:

    Syntax:

    system diagnostics ctr-log-lines <value>
    

    Example:

    system diagnostics ctr-log-lines 1000
    

    Note

    CTR-log-lines only affects the number of lines included in the CTR.

  4. Reproduce the issue that you want to report.

  5. Sign in to the web admin console.
  6. Go to Diagnostics > Tools.
  7. Under Consolidated troubleshooting report, select System snapshot and Log files.
  8. Enter the reason for generating the CTR.
  9. Click Generate.
  10. Click Download.
  11. Turn off debug mode as follows:

    1. Sign in to the CLI and enter 4 for Device console.
    2. Run the following command:

      Syntax:

      system diagnostics subsystems <subsystem> debug off
      

      Example:

      system diagnostics subsystems WebProxy debug off
      

      Note

      For CSC, run the following command:

      system diagnostics subsystems CSC debug
      
  12. Send the CTR to the support team via email or FTP for analysis. See Connect to Sophos FTP server using an FTP client.
