Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 57 replies
  • Answers 2 answers
  • Subscribers 31 subscribers
  • Views 315133 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

V17.5 user sync with Sophos Central EDR EAP no users listed in live users view?

john_kenny

I am running a licenced XG v17.5 instance and my endpoint has Central EDR Eap running but im not seeing any users in the Live users view.  I was under the impression that I should see users there that were reported from the Heartbeat sync?

What am i missing?

JK



This thread was automatically locked due to age.
Parents
  • 0 in reply to FloSupport

    Yes ive followed all the documentation i could find on the matter, from what i gather i should see usernames under the Live users view shouldnt I?  They should be sent from the Central Endpoint right?  From what i read i assumed that i should see the usernames there whether Ive got my XG linked to AD or not because Endpoint sends a username, is that right?  

    Also I know XG and Central is sending some kinda usernames from my logs: -

    Ive tried to add a user matching what i use to logon with but it didnt seem to work, i still get failed errors.

    Should i see that user in the live users view if it fails or not??

    See i cant add AD to my XG as i logon with AzureAD, but from those logs i assumed i could use local users on my XG but obviously not?

    Thanks for your reply,

    JK

  • 0 in reply to LuCar Toni

    Thanks for confirmation - thought I was 'going mad'!!!

    Does the log below from heartbeat.log on Endpoint confirm that it is passing the login info? From your earlier reply, looking at logs on XG is not something I am comfortable with and will await Sophos Support to assist with


    a 2018-12-30T11:48:19.352Z [2432:2580] - Starting Heartbeat version 1.8.59.0
    a 2018-12-30T11:48:19.352Z [2432:2580] - ----------------------------------------------------------------------------------------------------
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connection succeeded.
    a 2018-12-30T11:48:20.413Z [2432:2720] - Connected to 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' at IP address xxx.xxx.xxx.xxx on port xxxx
    a 2018-12-30T11:48:20.507Z [2432:2720] - Sending network status. Active Interfaces:
    MAC: xx:xx:xx:xx:xx:xx - INET: xxx.xxx.xxx.xxx - INET6: xxxx::xxxx:xx:xxx:xxxx
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received request to enable enhanced application control
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending endpoint state list request
    a 2018-12-30T11:48:20.538Z [2432:2720] - Sending login status.
    a 2018-12-30T11:48:20.538Z [2432:2720] - Received response to endpoint state list request, size: 0
    a 2018-12-30T11:48:21.895Z [2432:2720] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
    a 2018-12-30T11:49:21.307Z [2432:2720] - Sending login status.
    a 2018-12-30T11:49:54.125Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:50:53.128Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:51:59.583Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T11:52:14.597Z [2432:2720] - Received notification of endpoint state changes, size: 1
    a 2018-12-30T15:17:22.571Z [2432:2720] - Sending login status.
    a 2018-12-30T15:17:52.575Z [2432:2720] - Sending login status.

  • +1 in reply to LuCar Toni

    Sure that was the case for standard heartbeat but from the articles ive been given to read on 17.5 synchronized user id doesn't that information still need an Ad server to authenticate against against at some point? although i may be mistaken again there as at the mom there isn't enough info on how these new 17.5 xg features all work and work with each other.

    In my case it wasn't until i had my XG's authentication source sorted that i saw the live user id show up from the heartbeat agents new user id ability.  I had already had the old heartbeat working ok it was just the user id ability which was giving me issues?? 

    As i say hopefully well get more documentation soon to clear up my confusion on the matter for one.

    But sophos will know best as paul says

    But how Lucar states user id heartbeat auth should work was exactly how simple id hoped this heartbeat agents new synced user id would work i originally thought that this would allow me to see my usernames from my endpoints in XGs live active users without needing to have AD servers setup on XG (as i stated i am using AzureAD for auth) ie all that i would need would be the The latest Central EDR eap agent running and XG v17.5 but it wasnt as simple as id imagined.  I am now sure im getting my wires crossed on how several of XGs new features work in V17.5 for one Synchronized user ID.  Ill be sure to keep an eye out for anymore KB articles / Documentation on these, as i for one am really getting confused. lol

  • 0 in reply to john_kenny

    Hello all,

    I am using XG v17.5 with Intercept-X EAP and I have setup heartbeat, but it is acting a little bit strange.

    First of all, when I log into my computer with credentials DOMAIN\username, the heartbeat authentication doesn't work at all and in XG authentication logs I can see "username" failed to login because of wrong credentials. There is no mention of DOMAIN anywhere in that log.

     

    When I log into computer with credentials username@domain, heartbeat authetication works, at least for the first 30 minutes (the credentials in logs are also in format username@domain). Everytime after 30 minutes after the first login the heartbeat fails and in the logs I see credentials just stating "username" with no domain failed to login because of wrong credentials. This also happen when I disconnect/reconnect the computer from the network.

    Has anyone else experienced this issue?

  • 0 in reply to Michal Bartos

    Although I am yet to see any sign of 'Live Users', I can confirm a couple of things.

    If I use the firewall rule and turn on match Known users with show portal to unknown users, then use a web browser from Endpoint, I am offered the login.

    If I deliberate enter wrong password it fails (as expected) and AD server informs me of failed login, so I know AD side is working. But, as you say, when you login, within authentication log, it does show the user in the format of name@domain and not the user name you used. For me, it does not recognise domain\user, I just have to enter a domain user name without the domain.

  • 0 in reply to john_kenny

    I am advised that Security Heartbeat is picking up the user, but not the domain!

    For this particular Endpoint, it is a virtual machine and I am running MSTSC to connect to it. Once connected (using domain\user) and go to cmd prompt and run set, it clearly shows both the domain and user name correctly.

    Any ideas?

  • 0 in reply to Paul Digby

    Hi Paul,

    True it will look for user details.  In order to acheive this settings the following conditions must be met..

    1. The Sophos Central Account must be linked to Sophos XG firewall.

    2. The XG firewall must be connected to the domain controller for authentication.

    3. The Users in the Central must have the same Profile. e.g. In the Central account if the user Domain/Username instead of Normal User then their profile must contain the Email address .

    4. Same Can be said on the local users on Sophos XG , use the Email address same as mentioned in the Central Profile.

    On the Endpoint you may check the username on the Sophos Endpoint UI> About > Run Diagnostics tool. > System

  • 0 in reply to Aditya Patel

    I can confirm 1-4 above are correct.

    I can also confirm checking (Sophos Endpoint UI> About > Run Diagnostics tool. > System) it indeed confirms both the domain\username


    But still not show in Live Users


    The Sophos Support engineer (with case [#8526233]) has highlighted that the Heartbeat does not include the domain name when it receives info


    2019-01-02 17:36:26 DEBUG HBSession.cpp[2758]:176 handleHeartbeatRequest - Received login request with id 147
    2019-01-02 17:36:26 DEBUG LoginRequestHandler.cpp[2758]:71 handleExtendedRequest - Ignoring login from local user in ModuleLogin: domain field in LoginRequest is empty

  • 0 in reply to Paul Digby

    Just took a quick look into this case. You never mentioned before, you are using only VM´s with RDP connected to them. So i tried to reproduce this issue with a VM and only RDP to this. But my Client is shown under Live User. 

    Client is 2.2.2 Core agent. 

    .local Domain. 

     

    Still not sure, what is happening in your case, so i would recommend to debug this with Sophos Support. 

  • 0 in reply to LuCar Toni

    A quick update on this.

    I was asked by Sophos Support to try using LDAP instead of AD. Although this also failed, for the first time, there was an entry in the Authentication Log, to confirm failure.

    Unlike when I login with Captive Portal for same user, it records the UPN login, the failure with LDAP shows just the bit before the @

    So, I guess its a bit pf progress, although am told now LDAP will not work.

Reply
  • 0 in reply to LuCar Toni

    A quick update on this.

    I was asked by Sophos Support to try using LDAP instead of AD. Although this also failed, for the first time, there was an entry in the Authentication Log, to confirm failure.

    Unlike when I login with Captive Portal for same user, it records the UPN login, the failure with LDAP shows just the bit before the @

    So, I guess its a bit pf progress, although am told now LDAP will not work.

Children
No Data