Dimension: Logging Uploads

Hi.

How effective is WatchGuard / Dimension Server at logging user uploads? This morning, I uploaded almost 1GB of files into SharePoint.

However, within Dimension Executive Dashboard, there is less than 200 MB against my username. Looking within WatchGuard Traffic Monitor, I can see activity within "Allow Out HTTPS", and Logging is enabled within the relevant Proxy Action. I have since enabled "Send a Log Message" within the Proxy Rule (although the documentation states this is not necessary). That doesn't seem to make much difference. Am I missing something here?

Update: Logging is also enabled on the "Outgoing" Packet Filter.

Any guidance would be much appreciated.

Kind Regards, Stephen

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @LongwoodEng

    Dimension is pretty accurate, however, there will be differences between the size of the file you uploaded, and the actual transfer size due to how the file gets encoded. Albeit, this will generally be the other way around, and the tracked download will appear larger in logs. (This is most pronounced in SMTP/email, but shows up in all uploads/downloads.)

    In the case of SharePoint, the site is almost certainly using HTTPs. You'll get the most accurate results logging-wise if content inspection is turned on, and set to inspect. If content inspection is off, or if you're using a packet filter, results will often be a bit off as the firewall won't be able to see what is actually in the traffic.

    You'll also want to ensure that bandwidth trackig is on for your external interfaces to help with this by enabling "Send external interface and VPN bandwidth statistics to log file"

    You can do this in your interface of choice here:

    (Include Performance Statistics in Log Messages (WSM))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/perf_stat_logging_enable_disable_wsm.html

    (Configure Logging Settings & Performance Statistics (Web UI))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/logging_settings_configure_web.html

    If you're still seeing a discrepancy, I'd recommend opening a support case so that one of our technicians can take a closer look at the issue and assist.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • RalphRalph WatchGuard Representative

    Hello Stephen,

    Make sure you're running the latest version of Dimension.

    https://watchguardsupport.secure.force.com/software/SoftwareDownloads?current=true&familyId=a2RF00000009On4MAE

    Correct. "Send a Log Message" is not required for accurate Dimension reports. It simply allows you to monitor policy traffic in Traffic Monitor.

  • James,

    Many thanks for the quick response.

    Content Inspection is currently turned on, but set to "Allow".

    I probably need to read up a bit more. When I set it to "Inspect", I get another drop down box inviting me to select another "Proxy Action". I also get a Warning regarding the automated updates of CA Certificates.

    So, I didn't make any changes yet, until I have a bit more idea of what I am actually doing.

    Kind Regards, Stephen

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @LongwoodEng
    Content inspection set to allow still disables it. You'd want to pick whatever proxy action you're using for your current HTTP proxy in that drop down.

    The CA cert update is asking for permission to fetch CA certs so the firewall can validate 3rd party CAs (like GoDaddy, Verisign, Digicert, and a lot of others.)

    You'd also need to make sure that the proxy authority certificate from your firewall is installed on any client devices that traverse that proxy.
    (Import a Certificate on a Client Device)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/import_client_cert.html

    Enabling content inspection to inspect is a big step, so I'd suggest ensuring that you're on the latest version like Ralph mentioned first, and see if that helps.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • edited August 2019

    As a side note, I highly recommend that you create filters and/or proxies outbound for only the traffic that really is needed, then disable the "Outgoing" Packet Filter. It is a security risk to leave that filter in place.

    Gregg Hill

  • @Greggmh123 Thank you. Duly noted.

  • @Ralph Thank You. I will move from 2.1.1 => 2.1.2.

  • Well, thank you all for the wonderful information. I have updated Fireware and Dimension to the latest versions, and the logging is now correctly picking up my SharePoint uploads.

Sign In to comment.