
Sophos XG detect wrong user group

Hi everyone,

I'm using SFOS 17.5.7 MR7. I'm having an issue with user groups.
I have an Active Directory server as an authentication server. I have some groups for users where I can apply a policy for each.
This was running fine. But recently I noticed some users are associated with the wrong group.
For example, I'm in IT, so I'm supposed to be in the IT group, but Sophos XG put me in the Staff group, which is the default group I set in the authentication server list.
And the weirdest thing is that although XG put me in the Staff group, it applies the IT policy to me. In the IT policy, I only put the IT group in Identity.

I checked all the configuration following the KB https://community.sophos.com/kb/en-us/123158 and https://community.sophos.com/kb/en-us/123161 and I'm quite sure I did it right.

But I have no idea what's wrong with my XG. Could you please advise?



  • As previously said, this is not a bug. It is a feature. 

    XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

    So, if you have a User in IT and User, for example, and you create a firewall Rule with Group IT, this Firewall Rule will be used.

    Firewall Rule uses "first match". 

    There is a Bug in Firewall Policy Tester, which does not reflect this behavior. The Firewall Policy Tester only uses the Primary Group, so this will give you a wrong output.

    But the firewall Rule will work properly. 

     

    The Question is, what do you want to achieve? Such Setups with multiple groups in it can be very complex.

    __________________________________________________________________________________________________________________

  • I just realised one more weird thing. I set traffic shaping for the IT group to unlimited. The fw put me in the Staff group, which is supposed to have 8Mbps. When I test the bandwidth, it’s unlimited (???). But when I show the fw log, it shows the rule for Staff is applied to me (based on the Rule ID). I’m really, really confused.

  • Firewall Traffic Shaping will be above the direct User / Group Shaping.

    So if you have a User, which is in both Groups, but you have two rules (1. IT 2. Staff), then the IT Rule will hit and the Traffic Shaping of IT will take place.

    __________________________________________________________________________________________________________________

  • I’m a member of only the IT group in AD.

  • Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD). 

     

    So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

    Which groups did you import on XG? 

    __________________________________________________________________________________________________________________

  • Hi,

    Each user belongs to 2 groups: the primary group Domain Users and one of three groups: IT, Staff, Faculty.

    I just imported those 3 to AD. I didn't import Domain users group. 

  • Hello,

    In my case, I have many ADs registered on the XG, with many groups imported for each.

    In certain cases, for certain users, the group is not recognized and is classified by the XG as Open group, even if the user is only a member of one group, correctly imported in the XG.

    As I told you, the case has been dealt with by level 3 for weeks without any news.

  • Well, I think Sophos just puts the user in the default group. In your case, it's the Open group.

  • Please do not mix two different issues in one Thread. 

     

    First of all, did you actually order the Groups on XG? 

    Second, could you please share a screenshot of one User and the group tab? 

    __________________________________________________________________________________________________________________

  • Here you are:

     

    Before, the default group was set to Staff group and it put me in Staff group. Then I changed the default group to Faculty group and it put me in Faculty. So I do believe XG just puts me in the default group.