V17.5 user sync with Sophos Central EDR EAP no users listed in live users view?

Hi john_kenny 

For context, have you already configured the following on your firewall?

• Sophos XG Firewall: How to enable Security Heartbeat and Central Management

Also for reference:

• Sophos XG Firewall: How Synchronized User ID authentication works
• [Sync Sec] Important announcement on Synchronized Security Features on XG v17.5 Early Access

Regards,

Yes ive followed all the documentation i could find on the matter, from what i gather i should see usernames under the Live users view shouldnt I?  They should be sent from the Central Endpoint right?  From what i read i assumed that i should see the usernames there whether Ive got my XG linked to AD or not because Endpoint sends a username, is that right?  

Also I know XG and Central is sending some kinda usernames from my logs: -

Ive tried to add a user matching what i use to logon with but it didnt seem to work, i still get failed errors.

Should i see that user in the live users view if it fails or not??

See i cant add AD to my XG as i logon with AzureAD, but from those logs i assumed i could use local users on my XG but obviously not?

Thanks for your reply,

JK

That could be why XG isnt sending heartbeat to Central, have you tried putting the router in modem mode??  

What is 'modem mode' and how would you do that? What am I looking for?

I have found a page on my Draytek 2862 and there is an option for PPoE Pass-through, with an option to check 'for Wired LAN'.

There is a note at the bottom that advises, the router will behave like a modem, which only serves the PPoE client or the LAN.


If I make this change, anything to change of the XG?

Should ask first do you have XG in Gateway mode or Bridge mode?? If its in bridge mode You may not need to do this after all.

You will need to setup the WAN interface on XG to PPPOE aswell and youll need your ISP username & password for the PPPOE connection (your isp will supply this over the phone if you dont have that)

So make sure you have the PPPOE credentials, put the draytek into modem mode (pppoe passthrough) then on XG change the WAN interface to PPPOE and provide the credentials.  When you save that XG should connect via PPPOE, youll see your EXT ip on the WAN Interface when its connected.

Hopefully that should sort the XG to Central communication, FYI you will lose the WIFI on the Draytek in PPPOE passthrough mode.  Basically having your Draytek in router mode on the WAN interface Double NATTING, putting your router into Modem mode / pppoe passthrough mode does away with that so you have a single NAT setup.

Thanks for explanation. I have the Login details, so no worry there.

However, does this make this setup less secure? What I mean is, the Draytek gets its public IP, then the Draytek and XG connect on a different subnet, which is different to the LAN subnet.

Its not More or Less secure to what you have now, In PPPOE passthrough mode your draytek basically becomes a modem and drops its router functions.  Then XG takes over those roles on your LAN.  If your XG is already in Gateway mode then your LAN interface and network wont need to change as its just the WAN interface that changes as it gets a public IP directly rather than an IP from the draytek when then NATs the traffic again.

Ive got my XG setup with my Virgin Router in Modem mode.

Its worth trying to see if it resolves your Central communications?  (Also in my opinion its the prefered way to have your XG setup)

Quick Update - struggling to get Draytek in modem mode and XG to connect. XG does not move off connecting.

I know user name and password are correct as I manually typed back into Draytek when returned to normal. Must be something else on Draytek I overlooked.

Further update UK time 17:00

UK Time 15:20


Yes = Draytek router is now in Modem mode and connected

No change I'm afraid


Yes = Dashboard shows connections under Security Heartbeat

Log Viewer, System - Failed to send firewall information from device to CM

Log Viewer, Security Heartbeat - just shows Endpoint is Green

Log Viewer, Authentication - No entries

Have you checked your Central Endpoint versions to make sure there definately the EAP versions as you should be seeing events in the auth logs when you login, either success events or failed like mine shows?

But still id advise you to keep your XG and Draytek setup like that now,  if you need the Wifi from your Draytek your could always get a Draytek VDSL / ADSL modem which is what i advise my clients to use with XG if there on VDSL / ADSL.  See below.  Its a Modem only,  Then you could use your Draytek Router with its DHCP and firewall turned off for your WIFI.  (Personally i use Sophos Access Points for wifi as they are manged from XG itself)

https://www.ebuyer.com/869196-draytek-vigor-130-adsl-vdsl2-modem-v130-k?mkwid=sWA3N2WiH_dc&pcrid=51630194939&pkw=&pmt=&gclid=EAIaIQobChMInYrqqP3H3wIVS_lRCh3asw2sEAQYBCABEgKJzvD_BwE

But now it sound like you need to troubleshoot your XG to Central Heartbeat communication failures.  TBH i cant help with that bit as im unsure how XG and Central communicate.  Anyone who can help with that Id appreciate if you could explain for us pls?

Core Agent = 2.2.2 beta
Endpoint Advanced = 10.8.3 beta
Sophos InterceptX = 2.0.11


What's the advantage of staying in 'Modem mode' (I don't need wifi)?

Core Agent = 2.2.2 beta
Endpoint Advanced = 10.8.3 beta
Sophos InterceptX = 2.0.11


What's the advantage of staying in 'Modem mode' (I don't need wifi)?

Here are couple of miss understandings in HB.

Let me wrap up this topic a little bit.

Heartbeat is a protocol, which XG and the Client connects. 

This works without any internet connection. So it is a miss information, that the Router or anything between XG and WAN (Central) can kill the HB. 

You should start to dig deeper in the logs. 

Access_server (maybe in Debug with 'service access_server:debug -ds nosync') will guide you in this setup. Additionally check the heartbeatd.log. 

https://community.sophos.com/kb/en-us/132211

https://community.sophos.com/kb/en-us/123185

If you do not see any reference in the logs, you could start to check the Client. There you will find a heartbeat.log. (In some of the sophos folders under C:\) 

From the client (endpoint), I show the entry from the heartbeat.log today. Is there any missing information that you would expect?

Going to look at XG log next

a 2018-12-30T11:48:19.352Z [2432:2580] - Starting Heartbeat version 1.8.59.0
a 2018-12-30T11:48:19.352Z [2432:2580] - ----------------------------------------------------------------------------------------------------
a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
a 2018-12-30T11:48:20.413Z [2432:2720] - Connected to 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' at IP address xxx.xxx.xxx.xxx on port xxxx
a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
MAC: xx:xx:xx:xx:xx:xx - INET: xxx.xxx.xxx.xxx - INET6: xxxx::xxxx:xx:xxx:xxxx
a 2018-12-30T11:48:20.538Z [2432:2720] - Received request to enable enhanced application control
a 2018-12-30T11:48:20.538Z [2432:2720] - Sending endpoint state list request
a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
a 2018-12-30T11:48:20.538Z [2432:2720] - Received response to endpoint state list request, size: 0
a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
a 2018-12-30T11:49:54.125Z [2432:2720] - Received notification of endpoint state changes, size: 1
a 2018-12-30T11:50:53.128Z [2432:2720] - Received notification of endpoint state changes, size: 1
a 2018-12-30T11:51:59.583Z [2432:2720] - Received notification of endpoint state changes, size: 1
a 2018-12-30T11:52:14.597Z [2432:2720] - Received notification of endpoint state changes, size: 1
a 2018-12-30T15:17:22.571Z [2432:2720] - Sending login status.
a 2018-12-30T15:17:52.575Z [2432:2720] - Sending login status.

That shows ur Heartbeat user id sync is ok, are you able to manage your XG from the new Central firewall management EAP??  Again im only guessing but im sure i read somewhere that you also need to join that Central Firewall management EAP for user id to work??

If your not in it you can join that EAP from the Early Access Programs drop down item on centrals username menu.

As to XG and Modem mode, it basically means your XGs WAN int is facing the internet directly rather than being NATed again as you had your XG and draytek setup before.  Without modem mode you need to port forward or use a DMZ for all traffic to the WAN int on your Draytek, also without modem mode your Drayteks firewall features would be on and then you would have 2 firewalls that could cause problems.

Basically for what i can tell it boils down to whether you want to use your XG in Bridge mode or Gateway mode, In bridge mode you could use your Draytek as your main router again but you lose quite a few of XGs features

Bridged Interfaces do not support the following features:

1. Dynamic DNS
2. Multicast Routing
3. DHCP Client
4. IPsec VPN
5. VLAN
6. Virtual Host
7. PPPoE
8. Bridge (a Bridged Interface cannot be a member of Bridge)

Quoted from https://community.sophos.com/products/xg-firewall/f/initial-setup/93224/setup-behind-wireless-modem-router-gateway-or-bridge

Yes, within Central, I can see and manage my Firewall!

I think now, I will wait for support to assist further with the case I have open. Its been well worthwhile with this thread and have advanced further but not yet resolved.

If anyone has any other ideas, they are welcome. I will update further if and when resolved.

Yeah Support is your best bet now, when you resolve the issue please post what Sophos Support did to resolve it id be interested to know myself for future reference.

Sorry couldn't be of more help myself.....