What is the recommended way to log the traffic of guest users?

  • Question
  • Updated 3 years ago
  • Answered
An IP firewall rule with logging activated? Or is there another way?
We need to log the traffic (ideally URLs with the corresponding guest user name) to meet the security policy.

Thanks!
Uli Saur


Posted 5 years ago

Tash Hepting

Uli,

We don't have standalone URL-level logging in the product, but when running as a branch router HiveOS devices can integrate with cloud-based web security offerings from Websense and Barracuda. I believe these products will be able to generate reports for you of URLs accessed by client (with username if authenticated).

Regards,
Tash
Uli Saur

Tash,

Thank you for the reply.

I did some testing with the mentioned firewall rule with logging enabled and it seems to satisfy the customer's needs.

It would be nice to have some functionality like this because we have some weird laws in Germany when it comes to guest wifi access... ;-)

Regards,
Uli
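The customer's requirement was traffic logged against the guest user name, while an IP firewall rule logs only addresses. As an added example that is not part of this thread or of HiveOS, the following Python joins constructed firewall-rule log lines with a constructed captive-portal login log, picking the user who held the source IP at that moment so that a reassigned guest IP is not misattributed; both log formats are assumptions.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Constructed sample lines; the format is an assumption, not HiveOS's real output.
# AP firewall-rule log: timestamp, source IP, destination IP and port.
FW_LOG = """\
2019-03-04T09:00:10 src=10.50.0.23 dst=93.184.216.34 dport=443
2019-03-04T09:05:42 src=10.50.0.23 dst=198.51.100.7 dport=80
2019-03-04T11:30:05 src=10.50.0.23 dst=203.0.113.9 dport=443
2019-03-04T11:31:00 src=10.50.0.99 dst=203.0.113.9 dport=443
"""
# Captive-portal session log. 10.50.0.23 is reassigned to a second guest at
# 11:00, so a plain IP->user table would misattribute the 11:30 entry.
PORTAL_LOG = """\
2019-03-04T08:58:00 login user=guest-anna ip=10.50.0.23
2019-03-04T11:00:00 login user=guest-bob ip=10.50.0.23
"""
FW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")
PORTAL_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def build_sessions(portal_log):
    """Map each IP to a time-sorted list of (login_time, username)."""
    sessions = {}
    for line in portal_log.splitlines():
        m = PORTAL_RE.match(line)
        if m:
            ts, user, ip = m.groups()
            sessions.setdefault(ip, []).append((parse_ts(ts), user))
    return {ip: sorted(v) for ip, v in sessions.items()}

def user_at(sessions, ip, ts):
    """User holding `ip` at `ts`: the latest login at or before ts, else None."""
    logins = sessions.get(ip, [])
    i = bisect_right(logins, (ts, "\uffff"))  # logins strictly after ts are excluded
    return logins[i - 1][1] if i else None

def attribute(fw_log, portal_log):
    """Join each firewall entry with the guest logged in at that moment."""
    sessions = build_sessions(portal_log)
    out = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            out.append((ts, user_at(sessions, src, parse_ts(ts)), src, dst, int(dport)))
    return out
```

An entry whose source IP has no portal login at or before its timestamp is attributed to `None`, which is the case to alert on rather than silently drop.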
Ben

Hi Uli Saur,
Did you have the opportunity to find another way to log the guests' activity?
I'm also in the European region, searching for an easy way to log the guest internet activity, without the need of a third-party vendor solution.
Thanks,
Uli Saur


Hi Ben,

No, I'm sorry; until now there is no other solution.


Regards,

Uli

Nick Lowe, Official Rep

Ben,

These are features that you would not expect to see in an edge, access-layer device such as an AP or switch.

Succinctly, you are looking for and expecting this in the wrong place. There are technical reasons why this isn't possible to implement.

There would be significant reliability, resource and performance issues both gathering the data and then getting it out of the APs somewhere.

The out-of-band nature of HiveManager, typically cloud hosted, would also be very ill suited to receiving this amount of raw data if you wanted to see it logged there.

You should therefore instead look to a modern, feature rich firewall, such as those available from Palo Alto to get what you're after.

Regards,

Nick
Joel Satterley

Are there any guidelines for the performance hit of enabling logging on the AP firewall policy? Let's say if it was for a temporary period? Or if only 1-2 lines of the policy had logging enabled?

I'm thinking specifically of AP121s in this scenario...

Thanks,
intvlan1shut

just spitballing here...

From a security standpoint, it would be nice to have some of this available on the individual APs and have the option to send said info/logs to some device other than the HM. But I also don't want to have to trombone all my traffic (internal or external user or guest) from my APs (from 30+ different geographic locations) to my FWs in the data center. That would defeat one of the major reasons why we went with Aerohive.... "controller-less" wifi.

I can't imagine the hit on the processor/memory on the AP is so bad as to be detrimental to its performance (maybe I'm wrong?), and sending such info across the wire can't be bogging down the wire; and if it could, just have a check box for which port you want logging info to go out.

Or if it was such that I could dedicate one AP (with secondary and tertiary APs) in a location to be the "log wrangler" (like setting one to be your local RADIUS server) so all the other APs would send info or logs to it and it would then send that on to either HM or whatever device I tell it to send it to.

And if you were to enable such a feature, please please please please don't require Aerohive switches to make it work :-) I'm at nearly 800 APs across 30+ different locations and we just did a system wide layer 2 refresh (Cisco :-/) so I wouldn't have any luck asking for money for new Aerohive switches....sadly.