TSF – Comprehensive IT solutions for SMB businesses | HCM

PRTG - How to Monitor Sophos Firewall with PRTG (Step-by-Step Guide)

Sophos Firewall plays a critical role in protecting enterprise networks.
Without proper monitoring, firewall issues can go unnoticed until downtime or security incidents occur.
PRTG Network Monitor provides powerful tools to monitor Sophos Firewall performance and availability.
In this guide, you will learn how to integrate Sophos Firewall with PRTG step by step.
The tutorial covers firewall health, interface traffic, and system resource monitoring.
Real-time alerts help administrators detect problems before users are affected.
This setup is ideal for system administrators and network engineers.
Follow this guide to gain full visibility into your Sophos Firewall using PRTG.

Step 1: Enable SNMP on Sophos

Administration → SNMP
• ✅ Enable SNMP
• Version: SNMP v2c (easiest to set up; note that v2c sends the community string in cleartext, so use SNMPv3 with authentication and encryption where both Sophos and PRTG support it)
• Community: e.g., prtg_sophos (choose a unique string, not public or private)
• Allowed hosts: only the IP of the PRTG server (or of the remote probe that will poll the firewall)
👉 Save

(Recommended) Enable Syslog
System Services → Log Settings → Syslog Server
• Use it when you want event-based alerts that SNMP polling cannot give you:

o IPS alerts
o VPN down
o Attack detection

Step 2: Add the Sophos Firewall as a device in PRTG

Create the device with the firewall's management IP, set the SNMP version to v2c (or v3 if you chose that in Step 1), enter the community string from Step 1 and keep port 161. If the sensors in Step 3 report SNMP timeouts, the polling probe's IP is usually missing from the Allowed hosts list on Sophos.

Step 3: Add sensors

🟢 GROUP 1 – REQUIRED SENSORS (CORE)


✅ Ping v2
• Check Sophos live/dead
________________________________________
✅ SNMP CPU Load
• Monitor firewall CPU
• Alert when > 80%

________________________________________
✅ SNMP Memory (the classic sensor, not the v2 version)
• RAM usage
• Very important if IPS/VPN is enabled
• Warning > 85%, Error > 95% used
If RAM sits around 70–80% all the time:

• ❌ Don’t worry
• Sophos keeps a large cache
• Only act when:

o 90% or more persists
o VPN/IPS sessions start dropping

Compare against the actual RAM figure in the Sophos GUI: PRTG calculates Available = Free RAM + Reclaimable Cache – Reserved, so its Available value does not match the usage figure in the Sophos GUI and will look lower than you expect. Set the limits on PRTG's own Available channels, scaled to the appliance's RAM (the values below assume a 4 GB system):

Channel                     Warning     Error
Percent Available Memory    < 5%        < 2%
Available Memory            < 0.2 GB    < 0.1 GB

________________________________________
✅ SNMP Uptime v2
• Detects abnormal reboots

No threshold is needed just to see reboots: every reboot shows up as a drop in the uptime graph. PRTG only notifies when a channel limit is breached, so if you want a notification rather than a graph to look at, set a lower warning limit on the uptime channel (for example, below 15 minutes).

________________________________________
🟡 GROUP 2 – INTERFACE / BANDWIDTH (HIGHLY RECOMMENDED)


✅ SNMP Traffic
Select the interfaces to monitor:
• WAN
• LAN
• Primary VLAN

Monitor:
SNMP Traffic – WAN (Port2_ppp)
Thresholds (PRTG channel limits are absolute values in the channel's unit, not percentages, so convert the percentages to your link speed; Duration is the "for at least" time on the notification trigger):

Channel          Warning      Error        Duration
Traffic Total    > 80 % BW    > 95 % BW    300s
Traffic In       > 80 % BW    > 95 % BW    300s
Traffic Out      > 80 % BW    > 95 % BW    300s
Errors in/out    > 0          > 10         300s

📌 100 Mbps WAN example:
• Warning: 80 Mbps
• Error: 95 Mbps
________________________________________
SNMP Traffic – LAN (Port1)

Channel          Warning   Error    Duration
Traffic Total    > 70 %    > 90 %   300s
Errors in/out    > 0       > 10     300s

📌 LAN traffic alerts are rarely useful: internal traffic is heavy and bursty, so Traffic Total limits fire constantly. Keep the Errors in/out limits and treat the traffic limits as optional.

________________________________________
SNMP Traffic – VLAN (Port1.10)

Channel          Warning   Error    Duration
Traffic Total    > 50 %    > 70 %   300s
Errors in/out    > 0       > 10     300s

📌 Guest VLANs are frequently abused, so set their limits lower.

________________________________________
🔐 GROUP 3 – VPN & SECURITY (ADVANCED)


✅ SNMP Traffic (only if the VPN interface is visible over SNMP)
• Site-to-Site
• SSL VPN
Create an SNMP Traffic sensor for:
• ipsec0 (site-to-site)
• tun0 (SSL VPN)
• whichever VPN interface your firewall actually exposes
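Whether ipsec0 or tun0 shows up at all depends on what the firewall exposes in IF-MIB, so it is worth checking before creating the sensors. The following is an added example (not part of the original guide, and not Sophos or PRTG tooling) that uses the net-snmp command-line tools from a Linux host to confirm the SNMP setup from Step 1 and to map Sophos interface names to the ifIndex values PRTG polls. The address 192.0.2.1 and the sample walk output at the bottom are constructed; prtg_sophos is the guide's example community string.

```sh
#!/bin/sh
# Added example, not from the original guide. Requires net-snmp (snmpget/snmpwalk).
# 192.0.2.1 is a placeholder address; prtg_sophos is the community string from Step 1.

# Live check. sysUpTime answering proves the community and allowed-host list are right;
# a timeout here usually means the querying host is not in Sophos' Allowed hosts.
sophos_snmp_check() {
  host=$1
  community=$2
  snmpget -v2c -c "$community" -t 3 -r 1 "$host" SNMPv2-MIB::sysUpTime.0 || return 1
  snmpwalk -v2c -c "$community" -t 3 -r 1 "$host" IF-MIB::ifDescr
}

# Read "snmpwalk ... IF-MIB::ifDescr" output on stdin and print the ifIndex of the
# interface named in $1. Accepts MIB-resolved lines ("IF-MIB::ifDescr.2 = STRING: Port2_ppp")
# and numeric-OID lines ('iso.3.6.1.2.1.2.2.1.2.2 = STRING: "Port2_ppp"'). Exit 1 if absent.
ifindex_for() {
  awk -v want="$1" '
    / = STRING: / {
      idx = $1; sub(/.*\./, "", idx)            # last OID component is the ifIndex
      val = $0; sub(/.* = STRING: /, "", val)   # text after the type marker
      gsub(/^"/, "", val); gsub(/"$/, "", val)  # numeric mode wraps strings in quotes
      if (val == want) { print idx; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Report which VPN interfaces the firewall exposes. Only create an SNMP Traffic
# sensor for the ones listed as present; for the rest rely on the Syslog Receiver sensor.
vpn_interfaces_present() {
  walk=$(cat)
  for ifname in ipsec0 tun0; do
    if idx=$(printf '%s\n' "$walk" | ifindex_for "$ifname"); then
      echo "$ifname present (ifIndex $idx)"
    else
      echo "$ifname missing"
    fi
  done
}

# Constructed sample walk output (not captured from a real appliance).
SAMPLE_WALK='IF-MIB::ifDescr.1 = STRING: Port1
IF-MIB::ifDescr.2 = STRING: Port2_ppp
IF-MIB::ifDescr.5 = STRING: Port1.10
IF-MIB::ifDescr.9 = STRING: tun0'

printf '%s\n' "$SAMPLE_WALK" | vpn_interfaces_present
# Against a real firewall: sophos_snmp_check 192.0.2.1 prtg_sophos | vpn_interfaces_present
```

On the constructed sample, tun0 is reported present with ifIndex 9 and ipsec0 as missing; that is the case where you add an SNMP Traffic sensor for SSL VPN only and leave site-to-site tunnel state to syslog. The ifIndex is what PRTG uses internally for the traffic sensor, so it is also the value to check when a sensor stops reporting after the firewall renumbers its interfaces.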

SET THRESHOLD – SSL VPN (tun0)

🎯 Goal:

• No notification when no one is connected
• Notification when the VPN is in use and then drops

IMPORTANT NOTE (DO NOT CONFUSE)
❗ Traffic = 0 ≠ VPN DOWN
→ the tunnel may simply be idle
👉 If the VPN is not in use all the time:

• DO NOT set a traffic threshold
• Only use:

o Errors in/out
o Syslog VPN events (if available)

________________________________________
⭐ Syslog Receiver sensor (Recommended)
• Receives log events:

o VPN down
o IPS blocks
o Attack detected
• Alert on keywords such as:
o IPSec tunnel down
o SSL VPN disconnected

Step 1: Add the Syslog Receiver sensor in PRTG

🔹 Include Filter (paste the whole line)
message[vpn] OR message[SSL] OR message[tunnel] OR message[ipsec]
🔹 Exclude Filter (paste the whole line)
message[heartbeat] OR message[keepalive]
⚠ Warning Filter
message[down] OR message[disconnect]
❌ Error Filter
message[fail] OR message[error] OR message[deleted]
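To see what these four filters actually let through, here is an added example (not part of the original guide and not PRTG's own code) that re-implements them as case-insensitive substring matches with grep, which is how the message[...] rules are assumed to behave here, and runs them over constructed Sophos-style log lines. It also assumes, as the filter order above intends, that a line matching both the Error and the Warning filter is counted once, as an error. The sample lines are made up for the example; watch what the exclude filter does to the fourth one.

```sh
#!/bin/sh
# Added example, not from the original guide or from PRTG. Emulates the Syslog
# Receiver filters above with grep -i (case-insensitive substring match, an assumption).

# Prints exactly one of: excluded, dropped, error, warning, info
classify_syslog_line() {
  msg=$1
  # Exclude filter: heartbeat/keepalive chatter is never counted
  if printf '%s\n' "$msg" | grep -qiE 'heartbeat|keepalive'; then
    echo excluded; return 0
  fi
  # Include filter: lines with no VPN-related keyword are dropped
  if ! printf '%s\n' "$msg" | grep -qiE 'vpn|ssl|tunnel|ipsec'; then
    echo dropped; return 0
  fi
  # Error filter is tested before Warning so a line matching both counts once, as an error
  if printf '%s\n' "$msg" | grep -qiE 'fail|error|deleted'; then
    echo error; return 0
  fi
  if printf '%s\n' "$msg" | grep -qiE 'down|disconnect'; then
    echo warning; return 0
  fi
  echo info
}

# Constructed sample messages in Sophos key="value" syslog style; not real device output.
SAMPLE_LOGS='log_type="Event" log_component="IPSec" message="IPSec tunnel down: Branch-HQ"
log_type="Event" log_component="SSLVPN" message="SSL VPN disconnected: user=alice src=198.51.100.7"
log_type="Event" log_component="SSLVPN" message="SSL VPN connection failed: user=bob auth error"
log_type="Event" log_component="IPSec" message="IPSec keepalive failed for peer 203.0.113.2"
log_type="Firewall" log_component="Firewall Rule" message="Traffic allowed by rule 12"
log_type="Event" log_component="SSLVPN" message="SSL VPN tunnel established: user=alice"'

# Count outcomes per class, one "class count" line each, the way the sensor's
# Warnings/Errors channels would count them.
summarize_syslog() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    classify_syslog_line "$line"
  done | sort | uniq -c | awk '{ print $2, $1 }'
}

summarize_syslog "$SAMPLE_LOGS"
# dropped 1, error 1, excluded 1, info 1, warning 2
```

The fourth sample line is a dead-peer-detection failure, which is exactly the kind of event you want, yet the exclude filter swallows it because it contains the word "keepalive". If such messages matter on your firewall, narrow the exclude filter to the text of the periodic keepalive message itself rather than the bare keyword, and re-run the sample lines to confirm the counts move.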

Step 2: On Sophos, add the PRTG probe as a syslog server

System Services → Log Settings → Add

Step 3: Choose the log types to send

Required for VPN monitoring:
☑ SSL VPN tunnel
☑ Authentication events
☑ System events
☑ Admin events
📌 These are the 4 minimum groups needed to:
• Catch VPN up/down
• Capture user login/logout
• Capture reboots/service restarts
________________________________________
🔥 For more complete settings (optional):
☑ Firewall rules
☑ IPS (Anomaly + Signatures)

Step 4: Set alert thresholds

Put limits on the sensor's Warnings and Errors channels so a matched message changes the sensor state (for example Errors > 0 → error, Warnings > 0 → warning), then attach a notification trigger for those states.

SENSORS TO AVOID (TO PREVENT LAG)
❌ SNMP Disk Free (Sophos manages its own storage; the sensor adds nothing useful)
❌ SNMP Process (very resource-intensive on the firewall)
❌ SNMP auto-discovery of everything (creates many useless sensors and extra polling load)