
Sophos XG, Sophos Endpoint Cache

Hi

First Questions!

I am running a Sophos XG setup and Sophos Central.  I need to get endpoint updates via the XG.  There seems to be little documentation on how this is done (possibly I did not look hard enough), nor does there seem to be much feedback from either system.

What I have done so far:

  • Sophos XG, Under Web -> Advanced -> Always cache Sophos Endpoint updates.
  • Sophos XG, Synchronized Security -> Enable Synchronized Application Control (Possibly not needed)
  • Sophos XG, Synchronized Security -> Enable Security Heartbeat (Possibly not needed)
  • Sophos Central, Global Settings -> Proxy Settings.  Added the proxy host and port, but no credentials

I am not sure if this is what I need to do, or if there is anything else that needs to be done.

At the moment I am only testing.  Eventually user machines will connect to the proxy using authentication (MS AD).

I have no idea how I can verify that this works.

 

Kind Regards

Gerhard



This thread was automatically locked due to age.
  • Hi Gerhard

    As you assumed, Synchronized Security is not mandatory to get this working. What you need is a (maybe empty) web filter firewall rule for your traffic from the Sophos Endpoint clients to WAN. Scan HTTP should be configured on this rule as well. This ensures that the Sophos XG cache proxy starts feeling responsible for that traffic, and it should also start caching.

  • Hi

    Thanks for your reply.

    Yes, I have all the web filtering set up.

    I am looking for ways to verify that the cache is being used.  Also not sure if the initial installation files are cached as well.

     

    Regards

    Gerhard

  • The purpose of the cache is to lower data usage.  If you have a network with 100 endpoints, and there is a 10MB update, on the connection to your ISP you would rather download 10MB instead of 1000MB.

    There is nothing in the standard logs that tell you whether a particular request came from cache or not.

    You could potentially wait for an update to come and then see how much your data usage goes up.

    Or just trust that it is working.

  • Michael Dunn said:

    Or just trust that it is working.

    Are you serious?  I am pretty sure that those files are stored somewhere on the XG's disk...
  • When you bought your car, did you test the airbags, or do you trust they are working?  What about the anti-lock brakes - did you try them in your test drive?  What about the dozens of other features?

    When you bought XG did you actually test emailing a virus to yourself to make sure the AV in email works?  Did you actually test the hundreds of other features that you rely on?

    Have you tested that your credit card's anti-fraud measures work?

    We "just trust that it is working" hundreds of times a day.  So yes, I am serious.

    Moreover - almost all questions in this forum are in the form "I have this problem, what is the solution".  It starts with a problem and a symptom.  Because it starts with a symptom it is easy to check the resolution - the symptom went away.  He is posting "I have made this configuration change, how do I know it is working?" which is a very different form - not all configuration changes and features are easy to test/demonstrate.  If he had posted "My internet usage goes very high whenever Endpoints update, how do I make it lower?" that is a symptom, with a resolution, and a definable check at the end.

     

    I'm not saying it is impossible to check.  Turn on extra debugging in the command line and look at the log files.  If he said this was very important to test, I'd tell him the steps.  But it is overkill if he is just curious.

  • Answers from Sophos are getting weirder and weirder. If you do not want to help him, that's OK, but then just do not answer this thread.

    /var/httpcache/* would be one of the answers. It seems the web caching files are stored there. They are not stored there in cleartext, which makes it hard to prove anything.

    A better solution would be checking awarrenhttp_access.log:

    SFV4C6_VM01_SFOS 16.05.1 MR-1# tail -f /log/awarrenhttp_access.log
    1488205776.697874680 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="CONNECT" srcip="12.1.1.2" dstip="x.x.x.x" user="" statuscode=200 cached=0 trxlen=2766 rxlen=1600 url="https://cloud.example.com/" referer="" type="" authtime=0 dnstime=2 cattime=38156 avscantime=0 fullreqtime=11286990 ua="" activity="" categoryname="None" category="0" application="None" appcat="None" appids="" exceptions="" sandbox="off"

    cached=0 or cached=1 indicates whether a file was taken from cache or not.

    PS: Yes, I am testing my antispam and antivirus filter on a regular basis (see my invisible signature from this post, by the way). I'm also testing the ABS of my car on a (nearly) regular basis. Discussions on that level are not bringing anybody further.
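The cached= field in that log is the thing to count. The script below is an added example, not code from the thread or from Sophos: it parses the key=value layout of awarrenhttp_access.log records, skips CONNECT records (the posted line is one; it is an HTTPS tunnel set-up, and the proxy cannot answer traffic inside a tunnel from its cache, so cached=0 there says nothing about update caching), and reports hits, misses and bytes per host. The sample records, the hostnames updates.example.net and www.example.org, the byte sizes, and the reading of rxlen as the response size are all constructed assumptions for the demo; the post does not define trxlen/rxlen, so check that against the XG log reference before trusting the byte figures.

```python
"""Added example (not code from the thread or from Sophos): tally cache hits
and misses in a Sophos XG awarrenhttp_access.log.  Records use the
space-separated key=value / key="value" layout shown in the post.  The sample
records, hostnames and byte sizes below are constructed for the demo."""
import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# One key=value pair; quoted values may contain spaces, bare values cannot.
# The leading timestamp and "[ pid/thread ]" prefix contain no '=' and are skipped.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of one access-log record as a dict of strings."""
    fields = {}
    for m in PAIR_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def cache_summary(lines, host_filter=None):
    """Per-host hit/miss counts and bytes for GET responses.

    CONNECT records are HTTPS tunnel set-ups; the proxy cannot answer the
    traffic inside a tunnel from its cache, so they are skipped instead of
    being counted as misses.  host_filter keeps only hosts containing that
    substring (e.g. the update server's domain).  rxlen is taken as the
    response size; that reading is an assumption, the post does not define it.
    """
    stats = defaultdict(lambda: {"hits": 0, "misses": 0,
                                 "hit_bytes": 0, "miss_bytes": 0})
    for line in lines:
        rec = parse_record(line)
        if rec.get("method") != "GET":
            continue
        host = urlsplit(rec.get("url", "")).hostname or "?"
        if host_filter and host_filter not in host:
            continue
        size = int(rec.get("rxlen", "0"))
        s = stats[host]
        if rec.get("cached") == "1":
            s["hits"] += 1
            s["hit_bytes"] += size
        else:
            s["misses"] += 1
            s["miss_bytes"] += size
    return dict(stats)


def hit_ratio(summary):
    """Fraction of counted GET responses served from cache (0.0 if none)."""
    hits = sum(s["hits"] for s in summary.values())
    total = hits + sum(s["misses"] for s in summary.values())
    return hits / total if total else 0.0


# Constructed sample records (same layout as the line in the post; not real traffic).
# Three clients fetch the same update object; the first is a miss, the next two hits.
SAMPLE_LOG = [
    '1488205776.697874680 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="CONNECT" srcip="12.1.1.2" dstip="x.x.x.x" user="" statuscode=200 cached=0 trxlen=2766 rxlen=1600 url="https://cloud.example.com/" referer="" type="" categoryname="None" category="0"',
    '1488205790.000000000 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="GET" srcip="12.1.1.2" dstip="x.x.x.x" user="" statuscode=200 cached=0 trxlen=512 rxlen=10485760 url="http://updates.example.net/pkg/update-1.dat" referer="" type="application/octet-stream" categoryname="None" category="0"',
    '1488205812.000000000 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="GET" srcip="12.1.1.3" dstip="x.x.x.x" user="" statuscode=200 cached=1 trxlen=512 rxlen=10485760 url="http://updates.example.net/pkg/update-1.dat" referer="" type="application/octet-stream" categoryname="None" category="0"',
    '1488205840.000000000 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="GET" srcip="12.1.1.4" dstip="x.x.x.x" user="" statuscode=200 cached=1 trxlen=512 rxlen=10485760 url="http://updates.example.net/pkg/update-1.dat" referer="" type="application/octet-stream" categoryname="None" category="0"',
    '1488205855.000000000 [ 2804/0x7fb38ce10000] fwid=1 fwflag="" iap=0 aap=0 id="0001" name="http access" action="pass" method="GET" srcip="12.1.1.2" dstip="x.x.x.x" user="" statuscode=200 cached=0 trxlen=300 rxlen=4096 url="http://www.example.org/index.html" referer="" type="text/html" categoryname="None" category="0"',
]


if __name__ == "__main__":
    # Usage: python3 xg_cache_stats.py [/path/to/awarrenhttp_access.log] [host-substring]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    summary = cache_summary(lines, sys.argv[2] if len(sys.argv) > 2 else None)
    for host, s in sorted(summary.items()):
        print(f"{host:40} hits={s['hits']:<5} misses={s['misses']:<5} "
              f"from_cache={s['hit_bytes']}B from_wan={s['miss_bytes']}B")
    print(f"hit ratio: {hit_ratio(summary):.0%}")
```

Copy the log off the firewall and run it with the path and the update server's domain as the filter; on the sample data the update host shows one miss followed by two hits, which is exactly the pattern to expect when several endpoints pull the same update through a working cache. For a quick raw count without leaving the XG shell, `grep -c 'cached=1' /log/awarrenhttp_access.log` does the same job with no per-host breakdown.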
