This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG detect wrong user group

Hi everyone,

I'm using SFOS 17.5.7 MR7. I having an issue about user group.
I have Active directory server as a authentication server. I have some group for user where i can apply policy for each.
This was running fine. But recently I notice some users are associated to wrong group.
For example I'm an IT, I supposed to be in IT group, but Sophos XG put me in Staff group, which is a default group I set in Authentication server list.
And the most weirdest thing is that although XG put me in Staff group, it applies the IT policy for me. In IT policy, I only put IT group in Identity.

I checked all the configuration following the KB https://community.sophos.com/kb/en-us/123158 and https://community.sophos.com/kb/en-us/123161 and I'm quite sure I did right.

But I have no idea what's wrong with my XG. Could you please advice?

This thread was automatically locked due to age.

Parents

0 guillaume bottollier over 6 years ago

Hello

i have troubles with XG conected to multiple AD's, that is not reconized correctly the usersgroups, and put them in the default open group.

case #8896626 is opened since weeks without any construtive answer. from support...
Cancel
Vote Up 0 Vote Down

Cancel
0 The Do over 6 years ago in reply to guillaume bottollier

It seems to be s bug of new OS. What version are you using?
Cancel
Vote Up 0 Vote Down

Cancel
0 guillaume bottollier over 6 years ago in reply to The Do

Hello

i am using v17.5.7, the most stable firmware ever released...
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to guillaume bottollier

As previously said, this is not a bug. It is a feature.

XG reads all groups (created on XG) from the AD, stores this information in the Backend and uses this for Firewall and Proxy.

So called, if you have a User in IT and User for example, and you create a firewall Rule with Group IT, this Firewall Rule will be used.

Firewall Rule uses "first match".

There is a Bug in Firewall Policy Tester, which does not deflect this behavior. The Firewall Policy Tester only uses the Primary Group - So this will give you a wrong output.

But the firewall Rule will work properly.

The Question is, what do you want to archive? Such Setups with multiple groups in it can be very complex.
Cancel
Vote Up 0 Vote Down

Cancel
0 The Do over 6 years ago in reply to LuCar Toni

I just realise one more weird thing. I set traffic shaping for IT group is unlimited. The fw put me in staff group, which supposed to have 8Mbps. When I test the bandwidth, it’s unlimited (???). But when i show fw log, it shows i’m applied the rule for Staff (based on the Rule ID). I’m really really so confused.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to The Do

Firewall Traffic Shaping will be above the direct User / Group Shaping.

So if you have a User ,which is in both Groups, but you have two rules (1. IT 2. Staff), then the IT Rule will hit and the Traffic Shaping of IT will take place.
Cancel
Vote Up 0 Vote Down

Cancel
0 The Do over 6 years ago in reply to LuCar Toni

I’m a member of only IT group in AD.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to The Do

Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD).

So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

Which groups did you import on XG?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 6 years ago in reply to The Do

Would need the Access_server Debug Log to see, if this is true (or at least the correct value delivered by AD).

So your User is only in One Group in AD? Or are there other Groups? (Maybe Nested Groups?).

Which groups did you import on XG?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 The Do over 6 years ago in reply to LuCar Toni

Hi,

Each user belongs to 2 groups, the primary group Domain users and either one of three group: IT, Staff, Faculty.

I just imported those 3 to AD. I didn't import Domain users group.
Cancel
Vote Up 0 Vote Down

Cancel