Long Running Connections
Long running connections do not show in the logs.
How are we supposed to look for hidden long term data exfiltration etc. with the inability to see continuing connection info in the logs?
Example: WG Cloud based APs (example: AP330) have very long term connections to accesspoint.iot.usa.cloud.watchguard.com, yet other than logs shortly after a reboot, there are no log entries for this traffic minutes, hours or days later.
The only way that I have been able to see that this traffic exists is from a packet capture on the firewall and from a one-line entry in HostWatch for HTTPS traffic from the AP IP addr.
Since the dest IP addr is one in the cloud, there is no way to identify the real dest.
DNS packets for the AP only happen shortly after boot-up. Thus there is no further DNS info to indicate that there is outbound data from the AP other than the trivial regular access to google.com/.
Some exfiltration will not issue DNS queries to even give a clue about the destination.
How should we admins be able to understand that there is this type of traffic exiting our firewalls without some easy ability to see it and to perhaps understand the real destination ???
Comments
Hi Bruce,
I'd suggest using the FireWatch tool over HostWatch. HostWatch will show connections as it sees them; FireWatch shows all connections on the Firebox from the get-go. FireWatch is available in the WebUI, and in Dimension.
Firebox logs are designed to show new connections, so the logging only showing this is expected.
-James Carson
WatchGuard Customer Support
I don't see anything in FireWatch for my example IP addr - in the Web UI or in WG cloud.
Selecting on Source, the high volume IP addrs prevent seeing anything for a low but continuously uploading IP addr.
And choosing any of the other tabs doesn't show anything either.
I had to change to Duration from Rate - to see what I wanted.
I missed seeing that option earlier...
Duration is not an option in the WG Cloud FireWatch view.
Duration is also not an option in Dimension.
It only exists in the Web UI.
So, when the firewall reboots, internal connection data is lost, thus there is no way to see historical long running connections.
For Dimension, since there is no logging of long running connections, there is no data for Dimension or WG cloud to report on.
Sure would be nice to have a way to see historical long running connections in Dimension.
Perhaps a periodic log message, similar to the VPN stats etc. log message could be generated for long running connections - perhaps ones running for more than 1 hour.
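The periodic "still open" message suggested above can be approximated today by correlating the one start record the firewall does log with a snapshot of currently open flows (from a packet capture or an exported active-connection list). The following is an added example written for this thread, not WatchGuard code and not Fireware's log format: the record layout, addresses, timestamps and the one-hour threshold are all constructed, and a flow with no surviving start record is reported as "older than retained logs" rather than dropped.

```python
import re
from datetime import datetime, timedelta
# Constructed sample records (not WatchGuard's log format): the firewall logs
# a flow only when it opens, so start records are all the logs ever give us.
START_LOGS = [
    "2024-05-01T08:00:12 allow src=10.0.5.20 dst=203.0.113.40 dport=443 proto=tcp",
    "2024-05-01T08:00:15 allow src=10.0.5.20 dst=198.51.100.7 dport=53 proto=udp",
    "2024-05-01T17:30:00 allow src=10.0.5.31 dst=203.0.113.9 dport=443 proto=tcp",
]
# Constructed snapshot of flows still open at SNAPSHOT_TIME (what a packet capture
# or an exported active-connection list shows); it carries no start times.
SNAPSHOT_TIME = datetime(2024, 5, 1, 18, 0, 0)
ACTIVE_FLOWS = [
    ("10.0.5.20", "203.0.113.40", 443, "tcp"),  # AP to cloud, open about 10 h
    ("10.0.5.31", "203.0.113.9", 443, "tcp"),   # open 30 min, under threshold
    ("10.0.5.44", "192.0.2.77", 8443, "tcp"),   # no start record retained at all
]
LOG_RE = re.compile(r"^(?P<ts>\S+) allow src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def latest_starts(lines, before):
    """Newest start time per (src, dst, dport, proto) at or before `before`;
    newest wins because a tuple that closed and reopened logs a second start."""
    starts = {}
    for m in filter(None, map(LOG_RE.match, lines)):
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"], int(m["dport"]), m["proto"])
        if ts <= before and (key not in starts or ts > starts[key]):
            starts[key] = ts
    return starts

def long_running(lines, active, now, threshold=timedelta(hours=1)):
    """(flow, seconds_open) for active flows older than `threshold`; None means no start record survives."""
    starts = latest_starts(lines, now)
    report = []
    for flow in active:
        start = starts.get(flow)
        if start is None:
            report.append((flow, None))
        elif now - start >= threshold:
            report.append((flow, int((now - start).total_seconds())))
    return report

def periodic_messages(lines, active, now):
    """The periodic 'still open' log line the thread asks Fireware to emit."""
    out = []
    for (src, dst, dport, proto), secs in long_running(lines, active, now):
        age = "unknown (older than retained logs)" if secs is None else f"{secs // 3600}h{secs % 3600 // 60:02d}m"
        out.append(f"long-running connection src={src} dst={dst}:{dport}/{proto} open={age}")
    return out
```

Running `periodic_messages(START_LOGS, ACTIVE_FLOWS, SNAPSHOT_TIME)` on a schedule, and feeding the output to Dimension or a SIEM, gives the historical record of long-lived flows that the start-only logs cannot.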
Hi Bruce,
Connections can be searched by time frame in Dimension inside Firewatch, you just need to filter the timeframe you want in the top left corner. Changing the time frame and clicking apply shows the update on your screen as quickly as Dimension can pull that data from the database.
You can search this for the duration your firewall has been logging that data to Dimension. If that data does not exist for that date, it is grayed out.
-James Carson
WatchGuard Customer Support
Take my example - an AP sending info to the cloud.
If the AP has been up for many months, how can one find out that there is a many month long connection running using Dimension, since the logs only show the initial connection for 10-20 minutes?
@Bruce_Briggs Like I previously mentioned, Firewatch in Dimension allows you to specify timeframes, and you can filter beyond that. If you're looking for a connection from a specific AP, filtering down to the AP's IP address(es) and clicking view connections should show all connections that were open at that time, and their disposition.
If you need additional help tracking down a specific connection, I'd suggest opening a support case. One of our support team members can help determine what your connection might be and demonstrate firewatch showing those connections with you.
-James Carson
WatchGuard Customer Support
You are missing my point.
I want to see IF there are any long running connections, and if I find one, I want to know how long it has been running.
There is no way to see that there has been a long running connection in Dimension, since the only log messages are at the start of the connection; Fireware does not provide any continuing logs of a connection after a short period of time.
If I don't know that there is a long running connection, and from/to where, then there is no IP addr on which to search in Dimension.