The Settings tab allows you to define reporting actions and the time period reporting data will be kept on the system before it is automatically deleted. The following report topics can be set:

  • Advanced Threat Protection: If turned on, find the reporting data under Advanced Protection and Logging & Reporting > Network Protection > Advanced Threat Protection.
  • Application Control: If turned on, find the reporting data under Logging & Reporting > Web Protection > Application Control.
  • Authentication: If turned on, find the reporting data under Management.
  • Email Protection
  • Firewall: If turned on, find the reporting data under Logging & Reporting > Network Protection > Firewall.
  • IPS: If turned on, find the reporting data under Logging & Reporting > Network Protection > IPS.
  • Network Usage
  • Remote Access
  • Web Protection
  • Webserver Protection

Use the checkboxes on the left side to enable or disable reporting for a certain report topic. By default, all report topics are enabled.

Note – Disabling needless reports will lower the base load of your machine and can reduce performance bottlenecks. Try to keep time frames as short as possible since high amounts of stored data result in a higher base load and decreased responsiveness on the dynamical reporting pages.

Use the drop-down lists on the right to determine how long reporting data is kept.

Note – Reducing the time period for reporting data will reduce base load and increase responsiveness in the dynamic reporting pages but not increase space on the reporting database.

The settings on this tab do not affect the log file archives.

Web Protection Reporting Detail Level

In this section you can define the detail level of Web Protection reporting. Note that a higher detail level results in a perceptible increase in memory usage and system load, so unless necessary, it is recommended to keep the detail level low.

The following detail levels are available:

  • Domain only: Reports display the top-level domain and second-level domain of a URL, e.g. Third-level domains will be also displayed if they are enforced, such as
  • Full domain: Reports display the full domains, e.g. or
  • 1 level of URL: Reports display additionally the first (virtual) directory of a URL, e.g.
  • 2 levels of URL: Reports display additionally the first two (virtual) directories of a URL, e.g.
  • 3 levels of URL: Reports display additionally the first three (virtual) directories of a URL, e.g.

Executive Report Settings

In this area you can define respectively the number of executive reports to keep:

  • Daily reports: 60 at maximum
  • Weekly reports: 52 at maximum
  • Monthly reports: 12 at maximum

Click Apply to save your settings.

For more information on the executive report and its options, see Logging & Reporting > Executive Report.

PDF Paper Settings

The default paper format for the PDF executive report is A4. Using the drop-down list you can alternatively select Letter or Legal. Click Apply to save your settings.

Remote Access Accounting

Here you can enable or disable accounting for remote access connections. If enabled, data about remote access connections is stored and displayed on the Logging & Reporting > Remote Access > Session tab in the Down and Up columns. If disabled, accounting is stopped. Note that if enabled, this feature may increase the system load.

CSV Delimiter Settings

Here you can define which delimiter is used when exporting reporting data to CSV format. Please note that with Windows operating systems the delimiter should match the regional settings of your system to make sure that the exported data will be displayed correctly in a spreadsheet program like e.g., Excel.

IPFIX Accounting

By means of IPFIX you can export IPv4 flow data of Sophos UTM on AWS to a provider for e.g. monitoring, reporting, accounting, or billing purposes.

Internet Protocol Flow Information Export (IPFIX) is a message-based protocol for exporting accounting information in a universal way. The accounting information is collected by an exporter and sent to a collector. A typical set of accounting information for an IPv4 flow consists of source address, destination address, source port, destination port, bytes, packets, and network traffic classification data.

If enabled, Sophos UTM on AWS serves as exporter: It exports IPFIX accounting data. The collector generally is located at a provider's site where the accounting data of one or more of your Sophos UTM on AWS units are aggregated and analyzed. During the system setup at your provider, you will be given the hostname and you have to define a unique Observation Domain ID (OID) per exporter, i.e., Sophos UTM on AWS. Enter this data into the corresponding fields.

Data is exported on UDP port 4739. A single network connection uses two IPFIX flows–one for the export direction, one for the reply.

Security Note – Be aware that with IPFIX the accounting data will be transmitted unencrypted. It is therefore recommended to send the data via private network only.

Click Apply to save your settings.

IPFIX Private Enterprise Numbers

The templates used by Sophos UTM on AWS are referencing with Private Enterprise Numbers (PEN) 9789 _Astaro AG and 21373 _netfilter/iptables project_. The following elements are available:

Name ID Type Enterprise Meaning
mark 4 uint32_t Netfilter The Netfilter conntrack mark.
conntrack_id 6 uint32_t Netfilter The Netfilter conntrack ID.
afcProtocol 1 uint16_t Astaro The protocol detected by the Astaro Flow Classifier. This field is always present, even if the classifier is off. If the classifier wasn't able to detect a protocol it reports protocol ID 0, which just means 'unknown'.
afcProtocolName 2 string Astaro The protocol name detected by the Astaro Flow Classifier as a 32 character ASCII string, zero terminated.
flowDirection 4 uint8_7 Astaro The direction of the flow, which is one of In (1), Out (2) or Not In/Out (0). Each flow will be exported two times. One time for each direction.