STAS's Live User not sync to Sophos XG

Hi,

Did you proceed all of those points? 

https://community.sophos.com/kb/en-us/123156

Does the STAS Collector show live user? 

Did you check the XG for the correct configuration? 

This KBA is helpful for the configuration:

https://community.sophos.com/kb/en-us/123020

I just disabled Firewall, all worked now.

Yes, i did checking those link yesterday. Trying to find correct port to allow in firewall.

All my configure's port are default when install STAS, can help me which port need to allow in firewall ?

You disabled which firewall?

Windows Firewall? Then you need to deploy the correct GPO like in the second link. 

This GPO allows WMI Requests from Collector to Client. 

Is Client and DC in the same subnet?

Thank you for Reply,

Yes, client and DC in the same subnet like network diagram.

I disabled DC's (STAS Suite installed) firewall not clients firewall. Do i need to deploy GPO in sencond link ?

Yes you need to deploy this GPO. Otherwise the Collector is not able to check, if the client is still online. 

You can build a windows firewall rule for Port 6060 coming and going to the XG IP on Server. 

Is the Firewall GPO is for Domain Controller's clients right ? IF it is, there is something not right here because, i only disabled firewall on Domain Controller and all work without any problem. Guess im not open correct port on DC's Firewall ?

It is only for the clients.

But you need this GPO for STAS to work correctly at all.

Your issue was, that XG will send a keep alive and information to the collector via port 6060. So you need to open port 6060 on the Collector as well. 

Those are two different stories. 

As you said, i need to open port 6060 on Sophos XG firewall (the collector) ? because i did open ountbound UDP 6060 on DC

Hi,

The first step to perform here is to capture TCPDumps on port 6060 and verify if any packet is communicated from the DC to the XG firewall over this port number. To execute a tcpdump, take SSH to the XG firewall and login as Admin. Execute the following command in Device console,

tcpdump 'port 6060

This will conclude what will be the next step to follow. Most of the steps and information is already shared from ManBearPig in previous responses.

I would also like to suggest you to check #8 in my troubleshooting guide here and verify the suggested time difference.

Hope that helps,

Hi,

The first step to perform here is to capture TCPDumps on port 6060 and verify if any packet is communicated from the DC to the XG firewall over this port number. To execute a tcpdump, take SSH to the XG firewall and login as Admin. Execute the following command in Device console,

tcpdump 'port 6060

This will conclude what will be the next step to follow. Most of the steps and information is already shared from ManBearPig in previous responses.

I would also like to suggest you to check #8 in my troubleshooting guide here and verify the suggested time difference.

Hope that helps,

Thank you guys. I'll try these solution, will post result later.

My Sophos XG and DC have same time.

Just excute tcmpdump 'port 6060'in Device console. Can you guys help me check this result in console ? OMG im so lost now

Hi guys, just fixed the problem.

All is my fault because i Open TCP Port instead UDP port in Firewall... OMG

Thank you guys for helping me.

Best Regards.

Glad to hear, it is working now.

You should think about network segmentation. en.wikipedia.org/.../Network_segmentation