Long Running Connections
Long-running connections do not show in the logs.
How are we supposed to look for hidden long-term data exfiltration etc. with the inability to see continuing connection info in the logs?
Example: WG cloud-based APs (example: AP330) have very long-term connections to accesspoint.iot.usa.cloud.watchguard.com, yet other than log entries shortly after a reboot, there are no log entries for this traffic minutes, hours or days later.
The only way that I have been able to see that this traffic exists is from a packet capture on the firewall and from a one-line entry in HostWatch for HTTPS traffic from the AP IP address.
Since the destination IP address is one in the cloud, there is no way to identify the real destination.
DNS packets for the AP only happen shortly after boot-up. Thus there is no further DNS info to indicate that there is outbound data from the AP other than the trivial regular access to google.com/.
Some exfiltration will not issue DNS queries to even give a clue about the destination.
How should we admins be able to understand that there is this type of traffic exiting our firewalls without some easy ability to see it and to perhaps understand the real destination?
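One way to work around the gap the post describes, as an added example that is not part of the original post and not WatchGuard code: take the session list you can get (from a packet capture or a session-table export, since the firewall log does not carry it), keep only flows to external addresses that have stayed open longer than a threshold, and join each one against the DNS answers the same client was seen receiving. A long-lived flow whose destination was resolved at boot gets its name back even though no later DNS or log entry exists; a flow with no matching answer at all is the "hard-coded destination" case the post warns about. The flow and DNS records below are constructed inline, their comma-separated field layout is an assumption, and the IP addresses are documentation ranges, not real hosts.

```python
"""Flag long-lived outbound flows and recover their names from passive DNS.

Added example, not from the original post or from any vendor. The record
format below is an assumption made for the example; real input would come
from a packet capture or session-table export, parsed into the same tuples.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed flow records: client, dest IP, dest port, first seen, last seen (UTC).
# 10.0.1.20 models an AP that opened one HTTPS session at boot and kept it for days;
# 10.0.1.55 models a host with a long session to an address nobody resolved.
FLOW_RECORDS = """\
10.0.1.20,203.0.113.10,443,2024-03-01T08:00:05,2024-03-04T09:15:00
10.0.1.20,203.0.113.20,443,2024-03-01T08:00:07,2024-03-01T08:00:09
10.0.1.55,198.51.100.7,443,2024-03-02T12:00:00,2024-03-04T09:10:00
10.0.1.55,8.8.8.8,53,2024-03-02T12:00:00,2024-03-02T12:00:01
"""

# Constructed passive-DNS records: client, queried name, answer IP, time.
# Only boot-time lookups exist, matching the behaviour described in the post.
DNS_RECORDS = """\
10.0.1.20,accesspoint.iot.usa.cloud.watchguard.com,203.0.113.10,2024-03-01T08:00:04
10.0.1.20,www.google.com,203.0.113.20,2024-03-01T08:00:06
"""

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    client: str
    dst: str
    port: int
    seconds: int                 # how long the flow has been open
    names: Tuple[str, ...]       # names this client resolved to dst; empty if none seen


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def parse_flows(text: str) -> List[Tuple[str, str, int, datetime, datetime]]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, dst, port, first, last = line.split(",")
        flows.append((client, dst, int(port), _ts(first), _ts(last)))
    return flows


def parse_dns(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Index (client, answer IP) -> set of names that client resolved to it."""
    index: Dict[Tuple[str, str], Set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        client, name, answer, _when = line.split(",")
        index.setdefault((client, answer), set()).add(name)
    return index


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PRIVATE)


def long_lived_flows(flow_text: str, dns_text: str, min_seconds: int = 3600) -> List[Finding]:
    """Return external flows open at least min_seconds, longest first, with DNS names joined in."""
    dns = parse_dns(dns_text)
    findings = []
    for client, dst, port, first, last in parse_flows(flow_text):
        if is_internal(dst):
            continue
        seconds = int((last - first).total_seconds())
        if seconds < min_seconds:
            continue
        names = tuple(sorted(dns.get((client, dst), ())))
        findings.append(Finding(client, dst, port, seconds, names))
    findings.sort(key=lambda f: f.seconds, reverse=True)
    return findings


def report(findings: List[Finding]) -> List[str]:
    lines = []
    for f in findings:
        label = ", ".join(f.names) if f.names else "NO DNS ANSWER SEEN (hard-coded or pre-capture destination)"
        lines.append(f"{f.client} -> {f.dst}:{f.port} open {f.seconds // 3600}h  {label}")
    return lines


if __name__ == "__main__":
    for line in report(long_lived_flows(FLOW_RECORDS, DNS_RECORDS)):
        print(line)
```

The DNS join has to be keyed on the client as well as the answer IP: a shared cloud address can be resolved under many names, and only the lookups made by the host that owns the flow say what that host believed it was talking to. The remaining blind spot is exactly the one in the post: if the resolution happened before the capture started (or never happened), the flow is reported with no name, and that absence is itself the signal to go look at the packet capture.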