Sophos XG detect wrong user group

Hello

i have troubles with XG conected to multiple AD's, that is not reconized correctly the usersgroups, and put them in the default open group.

case #8896626 is opened since weeks without any construtive answer. from support...

It seems to be s bug of new OS. What version are you using?

Hello

i am using v17.5.7, the most stable firmware ever released...

As previously said, this is not a bug. It is a feature. 

XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

So called, if you have a User in IT and User for example, and you create a firewall Rule with Group IT, this Firewall Rule will be used. 

Firewall Rule uses "first match". 

There is a Bug in Firewall Policy Tester, which does not deflect this behavior. The Firewall Policy Tester only uses the Primary Group - So this will give you a wrong output.

But the firewall Rule will work properly. 

The Question is, what do you want to archive? Such Setups with multiple groups in it can be very complex. 

As previously said, this is not a bug. It is a feature. 

XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

So called, if you have a User in IT and User for example, and you create a firewall Rule with Group IT, this Firewall Rule will be used. 

Firewall Rule uses "first match". 

There is a Bug in Firewall Policy Tester, which does not deflect this behavior. The Firewall Policy Tester only uses the Primary Group - So this will give you a wrong output.

But the firewall Rule will work properly. 

The Question is, what do you want to archive? Such Setups with multiple groups in it can be very complex. 

I just realise one more weird thing. I set traffic shaping for IT group is unlimited. The fw put me in staff group, which supposed to have 8Mbps. When I test the bandwidth, it’s unlimited (???). But when i show fw log, it shows i’m applied the rule for Staff (based on the Rule ID). I’m really really so confused.

Firewall Traffic Shaping will be above the direct User / Group Shaping.

So if you have a User ,which is in both Groups, but you have two rules (1. IT 2. Staff), then the IT Rule will hit and the Traffic Shaping of IT will take place. 

I’m a member of only IT group in AD.

Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD). 

So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

Which groups did you import on XG? 

Hi,

Each user belongs to 2 groups, the primary group Domain users and either one of three group: IT, Staff, Faculty. 

I just imported those 3 to AD. I didn't import Domain users group. 

hello LuCar Toni 

in my case, i have many AD's registered on the XG, with many groups imported for each.

in certain cases, for certain users, the group is not recognized and classify by the XG as open group, even if the user is only member of on group, correctly imported in the XG.

As i told you, case is dealt by level 3 since weeks without any news..

Well I think Sophos just put user in default group. In your case, it' Open group. 

Please do not mix two different issues in one Thread. 

First of all, did you actually order the Groups on XG? 

Second, could you please share a screenshot of one User and the group tab? 

Here you are:

Before it set default group is Staff group and it put me in Staff group. Then I changed default group to Faculty group and it put me in Faculty. So I do believe XG just put me in default group. 

Yep, XG put the user in default group if it does not find any match, this is totally logical.

Exept that in our cases, there is a group, imported on the XG, that it does not recognize...