XG Log Viewer for WAF needs major improvement
We use XG for Web Server protection. The log viewer is really poor and I strongly believe does not provide a reasonable way to see clearly the traffic which is passing and traffic which is failing.
I raised #839149 in October 18. Despite responding that I need more information, all I get is:
"this behavior is already logged with DEV under ID NC-43502. There are certain messages that will be colored red in the log viewer, typically ones that originate from WAF itself, like a block action by CTF or AV. To see the detailed WAF logs, you can use the advanced shell and have a look at /log/reverseproxy.log. Any changes to the coloring in the Logviewer will be decided by Product management. An additional feature request can be logged under ideas.sophos.com."
I do not receive information on progress, status, dates, or anything; nor even specifically 'what' is logged with development.
I am unclear whether that means I need to do this or not, but regardless, herewith is my requirement.
The log viewer appears to show Web Server Protection traffic as 'green' and without any obvious indication of failure, even though
a) it originates from IPs which are not permitted
b) the URL is pointing to folders which are not valid or permitted
Whatever the current logic which leads to the current approach, the following is my opinion: the current methods of displaying the log make it *immensely* awkward to know if WAF publications are being allowed through or not. We have business rules publishing to specified source IPs and WAF publishing selected paths. Surely this is something which should be visible.
The current logs DO NOT (as far as I am able to determine after a lot of work) make it apparent in any way whether traffic which should not be blocked… is being blocked – especially traffic originating from IP addresses which are *not* on the list.
So we see traffic hitting the WAF from unauthorised sources and it looks as though the traffic passes through.
I am not sure exactly how else to phrase my feature request, because it seems more a requirement to fix the product.
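One way to get the allowed-versus-denied picture out of /log/reverseproxy.log while the viewer does not show it, as an added example that is not part of the original post and not Sophos's own code: compare each entry against the allow-lists the rules are supposed to enforce (permitted source IPs, permitted paths) with what the log says actually happened, and flag the mismatches. It assumes the file holds one entry per line as space-separated key="value" pairs with srcip, url and statuscode fields, and that a 4xx/5xx status means the request was not served normally; both are assumptions to check against the real field names on your appliance. The allow-lists and the log lines below are constructed.

```python
"""Audit a WAF access log against the allow-list policy it is supposed to enforce.

Assumptions (not taken from the post or from Sophos documentation):
  * each entry is one line of space-separated key="value" pairs carrying at
    least srcip, url and statuscode;
  * a statuscode of 400 or above means the request did not go through as a
    normal allowed request (a backend 404 also counts, so treat the result as
    a lead to investigate, not proof of a WAF block).
"""
import ipaddress
import re
import sys

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed policy: the business rule (permitted source IPs) and the
# WAF publishing rule (permitted path prefixes).
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]
ALLOWED_PATHS = ["/api/", "/public/"]

# Constructed sample entries in the assumed format; not real Sophos output.
SAMPLE_LOG = """\
srcip="203.0.113.5" method="GET" statuscode="200" url="/api/orders" host="www.example.com"
srcip="192.0.2.44" method="GET" statuscode="200" url="/api/orders" host="www.example.com"
srcip="203.0.113.9" method="POST" statuscode="403" url="/admin/login" host="www.example.com"
srcip="198.51.100.7" method="GET" statuscode="200" url="/public/index.html" host="www.example.com"
srcip="203.0.113.12" method="GET" statuscode="403" url="/api/orders" host="www.example.com"
this line has no fields and is skipped
"""


def parse_entry(line):
    """Return the key="value" fields of one line, or None if it is not an entry."""
    fields = dict(FIELD_RE.findall(line))
    if "srcip" not in fields or "url" not in fields:
        return None
    return fields


def evaluate(entry, allowed_sources, allowed_paths):
    """Compare what the policy says should happen with what the log says happened."""
    try:
        src = ipaddress.ip_address(entry["srcip"])
        source_permitted = any(src in net for net in allowed_sources)
    except ValueError:
        source_permitted = False  # an unparseable address is never on the list
    # Match path prefixes without the query string.
    path = entry["url"].split("?", 1)[0]
    path_permitted = any(path.startswith(p) for p in allowed_paths)
    try:
        blocked = int(entry.get("statuscode", "")) >= 400
    except ValueError:
        blocked = False  # no usable status: assume the request went through
    policy_allows = source_permitted and path_permitted
    if policy_allows and not blocked:
        verdict = "allowed"
    elif not policy_allows and blocked:
        verdict = "blocked"
    elif not policy_allows and not blocked:
        verdict = "passed-but-policy-denies"  # the case the post is worried about
    else:
        verdict = "blocked-but-policy-allows"
    return {
        "srcip": entry["srcip"],
        "path": path,
        "source_permitted": source_permitted,
        "path_permitted": path_permitted,
        "blocked": blocked,
        "verdict": verdict,
    }


def audit(log_text, allowed_sources=ALLOWED_SOURCES, allowed_paths=ALLOWED_PATHS):
    """Evaluate every parseable entry in the log text, in order."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            results.append(evaluate(entry, allowed_sources, allowed_paths))
    return results


def summarize(results):
    """Count entries per verdict."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    # With a file argument (e.g. a copy of /log/reverseproxy.log) audit that;
    # otherwise run over the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = audit(text)
    for r in rows:
        flag = "!!" if r["verdict"] in ("passed-but-policy-denies", "blocked-but-policy-allows") else "  "
        print(f'{flag} {r["verdict"]:26} {r["srcip"]:15} {r["path"]}')
    print(summarize(rows))
```

The two "!!" verdicts are the ones worth chasing: "passed-but-policy-denies" is exactly the symptom described above (an unlisted source or path with a 2xx in the log), and "blocked-but-policy-allows" is the opposite case of legitimate traffic being refused. Status code alone cannot say which component produced the refusal, so a hit should be confirmed against the rest of that log entry.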