
V17.5 user sync with Sophos Central EDR EAP no users listed in live users view?

I am running a licensed XG v17.5 instance and my endpoint has Central EDR EAP running, but I'm not seeing any users in the Live users view. I was under the impression that I should see users there that were reported from the Heartbeat sync?

What am I missing?

JK



  • Should ask first: do you have XG in Gateway mode or Bridge mode? If it's in bridge mode you may not need to do this after all.

    You will need to set up the WAN interface on XG to PPPoE as well, and you'll need your ISP username & password for the PPPoE connection (your ISP will supply this over the phone if you don't have it).

    So make sure you have the PPPoE credentials, put the Draytek into modem mode (PPPoE passthrough), then on XG change the WAN interface to PPPoE and provide the credentials. When you save that, XG should connect via PPPoE; you'll see your external IP on the WAN interface when it's connected.

    Hopefully that should sort the XG to Central communication. FYI, you will lose the Wi-Fi on the Draytek in PPPoE passthrough mode. Basically, having your Draytek in router mode on the WAN interface is double NATing; putting your router into modem mode / PPPoE passthrough mode does away with that so you have a single NAT setup.

  • Thanks for the explanation. I have the login details, so no worry there.

    However, does this make this setup less secure? What I mean is, the Draytek gets its public IP, then the Draytek and XG connect on a different subnet, which is different to the LAN subnet.

  • It's not more or less secure than what you have now. In PPPoE passthrough mode your Draytek basically becomes a modem and drops its router functions. Then XG takes over those roles on your LAN. If your XG is already in Gateway mode then your LAN interface and network won't need to change, as it's just the WAN interface that changes: it gets a public IP directly rather than an IP from the Draytek, which then NATs the traffic again.

    I've got my XG set up with my Virgin router in modem mode.

    It's worth trying to see if it resolves your Central communications. (Also, in my opinion, it's the preferred way to have your XG set up.)

  • Quick update - struggling to get the Draytek in modem mode and XG to connect. XG does not move off "connecting".

    I know the username and password are correct as I manually typed them back into the Draytek when I returned it to normal. Must be something else on the Draytek I overlooked.

    Further update, UK time 17:00

  • UK time 15:20


    Yes = Draytek router is now in Modem mode and connected

    No change I'm afraid


    Yes = Dashboard shows connections under Security Heartbeat

    Log Viewer, System - Failed to send firewall information from device to CM

    Log Viewer, Security Heartbeat - just shows Endpoint is Green

    Log Viewer, Authentication - No entries

  • Have you checked your Central Endpoint versions to make sure they're definitely the EAP versions? You should be seeing events in the auth logs when you log in, either success events or failed ones like mine shows.

    But still I'd advise you to keep your XG and Draytek set up like that now. If you need the Wi-Fi from your Draytek you could always get a Draytek VDSL / ADSL modem, which is what I advise my clients to use with XG if they're on VDSL / ADSL. See below. It's a modem only. Then you could use your Draytek router with its DHCP and firewall turned off for your Wi-Fi. (Personally I use Sophos Access Points for Wi-Fi as they are managed from XG itself.)

    https://www.ebuyer.com/869196-draytek-vigor-130-adsl-vdsl2-modem-v130-k?mkwid=sWA3N2WiH_dc&pcrid=51630194939&pkw=&pmt=&gclid=EAIaIQobChMInYrqqP3H3wIVS_lRCh3asw2sEAQYBCABEgKJzvD_BwE

    But now it sounds like you need to troubleshoot your XG to Central Heartbeat communication failures. TBH I can't help with that bit as I'm unsure how XG and Central communicate. Anyone who can help with that, I'd appreciate it if you could explain for us please.

  • Core Agent = 2.2.2 beta
    Endpoint Advanced = 10.8.3 beta
    Sophos InterceptX = 2.0.11


    What's the advantage of staying in 'Modem mode' (I don't need wifi)?

  • Here are a couple of misunderstandings about HB.

    Let me wrap up this topic a little bit.


    Heartbeat is a protocol which connects XG and the client.

    This works without any internet connection. So it is misinformation that the router or anything between XG and WAN (Central) can kill the HB.


    You should start to dig deeper in the logs. 

    Access_server (maybe in debug with 'service access_server:debug -ds nosync') will guide you in this setup. Additionally check the heartbeatd.log.

    https://community.sophos.com/kb/en-us/132211

    https://community.sophos.com/kb/en-us/123185


    If you do not see any reference in the logs, you could start to check the client. There you will find a heartbeat.log (in one of the Sophos folders under C:\).


  • From the client (endpoint), I show the entry from the heartbeat.log today. Is there any missing information that you would expect?

    Going to look at XG log next


    a 2018-12-30T11:48:19.352Z [2432:2580] - Starting Heartbeat version 1.8.59.0
    a 2018-12-30T11:48:19.352Z [2432:2580] - ----------------------------------------------------------------------------------------------------
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connected to 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' at IP address xxx.xxx.xxx.xxx on port xxxx
    a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
    MAC: xx:xx:xx:xx:xx:xx - INET: xxx.xxx.xxx.xxx - INET6: xxxx::xxxx:xx:xxx:xxxx
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received request to enable enhanced application control
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending endpoint state list request
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received response to endpoint state list request, size: 0
    a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
    a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
    a 2018-12-30T11:49:54.125Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:50:53.128Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:51:59.583Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:52:14.597Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T15:17:22.571Z [2432:2720] - Sending login status.
    a 2018-12-30T15:17:52.575Z [2432:2720] - Sending login status.

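The heartbeat.log excerpt above is the kind of thing a second pair of eyes is asked to read; this added Python (not from the thread or from Sophos) parses lines in that format and pulls out the facts the discussion turns on: whether the client connected to XG, how often it sent login status (the user-ID part of the sync), the endpoint state list size and the health JSON. The sample log is constructed to match the posted shape; the ID, addresses and port are placeholders, and treating a health value of 1 as "good" is an assumption taken from the all-1s entry posted beside a Green endpoint.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape of the posted heartbeat.log; ID/address/port are placeholders.
SAMPLE_LOG = """\
a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
a 2018-12-30T11:48:20.413Z [2432:2720] - Connected to 'xxxxxxxx-xxxx' at IP address 192.0.2.1 on port xxxx
a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
MAC: 00:11:22:33:44:55 - INET: 192.0.2.10 - INET6: fe80::1
a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
a 2018-12-30T11:48:20.538Z [2432:2720] - Received response to endpoint state list request, size: 0
a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
"""

# timestamp [pid:tid] - message; search() skips any leading paste prefix such as the "a ".
LINE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \[(\d+):(\d+)\] - (.*)$")

def parse_heartbeat_log(text):
    # One dict per entry; lines without a timestamp (the interface list) fold into the previous entry.
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            entries.append({"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"),
                            "pid": int(m.group(2)), "tid": int(m.group(3)), "msg": m.group(4)})
        elif entries and raw.strip():
            entries[-1]["msg"] += "\n" + raw.strip()
    return entries

def summarise(entries):
    # Did the client reach XG, did it send login status (user ID), what health did it report?
    s = {"connected": False, "login_status_sent": 0, "state_list_size": None,
         "health": None, "health_all_one": False}
    for e in entries:
        msg = e["msg"]
        if msg.startswith("Connection succeeded"):
            s["connected"] = True
        elif msg.startswith("Sending login status"):
            s["login_status_sent"] += 1
        elif msg.startswith("Sending health status:"):
            s["health"] = json.loads(msg.split(":", 1)[1])
        elif "endpoint state list request, size:" in msg:
            s["state_list_size"] = int(msg.rsplit(":", 1)[1])
    # Assumption: 1 is the good value (the posted log shows all 1s next to a Green endpoint).
    s["health_all_one"] = bool(s["health"]) and all(v == 1 for v in s["health"].values())
    return s
```

A "connected" result with login status being sent, as in the posted excerpt, points away from the client-to-XG leg and toward the XG-to-Central leg the thread goes on to discuss.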
  • That shows your Heartbeat user ID sync is OK. Are you able to manage your XG from the new Central firewall management EAP? Again I'm only guessing, but I'm sure I read somewhere that you also need to join that Central Firewall management EAP for user ID to work?

    If you're not in it you can join that EAP from the Early Access Programs drop-down item on Central's username menu.

    As to XG and modem mode, it basically means your XG's WAN interface is facing the internet directly rather than being NATed again as you had your XG and Draytek set up before. Without modem mode you need to port forward or use a DMZ for all traffic to the WAN interface on your Draytek; also, without modem mode your Draytek's firewall features would be on and then you would have 2 firewalls that could cause problems.

    Basically, from what I can tell it boils down to whether you want to use your XG in Bridge mode or Gateway mode. In bridge mode you could use your Draytek as your main router again but you lose quite a few of XG's features.

    Bridged Interfaces do not support the following features:

    1. Dynamic DNS
    2. Multicast Routing
    3. DHCP Client
    4. IPsec VPN
    5. VLAN
    6. Virtual Host
    7. PPPoE
    8. Bridge (a Bridged Interface cannot be a member of Bridge)

    Quoted from https://community.sophos.com/products/xg-firewall/f/initial-setup/93224/setup-behind-wireless-modem-router-gateway-or-bridge


  • Yes, within Central, I can see and manage my Firewall!

    I think now I will wait for support to assist further with the case I have open. It's been well worthwhile with this thread and I have advanced further, but it's not yet resolved.

    If anyone has any other ideas, they are welcome. I will update further if and when resolved.