
STAS dropping users?

Hi all

We are using STAS for authentication.

We have had to disable "match known users" from all fw rules, since XG apparently randomly drops usernames.

The log below shows that user test@domain.net is logged on and everything works, until 09:41 when suddenly no username appears and the fw rules then deny access.


Time Log comp Action User name Firewall rule In interface Out interface Src IP Dst IP Src port Dst port Protocol Rule type
22-04-2020 09:46 Firewall Rule Allowed 34 Port4 Port1 10.81.235.117 10.81.234.120 55865 445 TCP 1
22-04-2020 09:45 Firewall Rule Allowed 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:41 Firewall Rule Allowed 41 Port4 Port1 10.81.235.117 10.81.234.123 53181 445 TCP 1
22-04-2020 09:40 Firewall Rule Allowed test@domain.net 40 Port4 Port1 10.81.235.117 10.81.234.104 51598 445 TCP 2
22-04-2020 09:40 Firewall Rule Allowed test@domain.net 34 Port4 Port1 10.81.235.117 10.81.234.120 51597 445 TCP 1
22-04-2020 09:34 Firewall Rule Allowed test@domain.net 40 Port4 Port1 10.81.235.117 10.81.234.104 51578 445 TCP 2
22-04-2020 09:34 Firewall Rule Allowed test@domain.net 34 Port4 Port1 10.81.235.117 10.81.234.120 51577 445 TCP 1


We see this for all users. No patterns. Not simultaneously. Sometimes STAS has to be disabled/re-enabled on XG to get users authenticated.


Anyone know what we may have misconfigured?


Thanks 



  • Ok, so here's what happens. My workstation IP is 192.168.1.120 and I am connected as user: test. I connect to RDPServer with IP 192.168.2.100 using another username: testRDP

    So now STAS thinks testRDP is logged on to my IP (192.168.1.120 is not the IP of RDPServer):

    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: User: testRDP
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: Domain: domain.net
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstName: RDPServer
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstIP: 192.168.1.120
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: CreateTime: 1587638919
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: LogonType: 10
    DEBUG [0x17a4] 23-04-2020 12:48:40 : Adding user info to db and Sophos
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username: comparing username for exclusion: User from UTM 'testRDP' (6) : User in the list 'svc_whd@domain.net' (19)
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username: comparing username for exclusion: User from UTM 'testRDP' (6) : User in the list 'administrator' (13)
    DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username
    DEBUG [0x17a4] 23-04-2020 12:48:40 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='192.168.1.120';
    DEBUG [0x17a4] 23-04-2020 12:48:40 : userdb_insert_userinfo: no matching userinfo found
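
To spot this failure mode in captured agent output, here is an added example (my own script, not Sophos code): it parses dca_log_userinfo lines from an STAS debug log, replays them as the per-IP user table the agent keys on wrkst_ip, and flags LogonType 10 (RemoteInteractive) events whose WrkstIP already belongs to a different user. The sample log is constructed from the lines quoted above plus an assumed earlier interactive logon for user test on the same workstation.

```python
import re

# Constructed sample of STAS agent debug output, modelled on the lines quoted above,
# plus an assumed earlier interactive logon (LogonType 2) for user "test" on the same IP.
SAMPLE_LOG = """\
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: User: test
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: Domain: domain.net
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: WrkstName: WORKSTATION
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: WrkstIP: 192.168.1.120
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: CreateTime: 1587638400
DEBUG [0x1001] 23-04-2020 12:40:00 : dca_log_userinfo: LogonType: 2
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: User: testRDP
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: Domain: domain.net
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstName: RDPServer
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstIP: 192.168.1.120
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: CreateTime: 1587638919
DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: LogonType: 10
"""

# One dca_log_userinfo line: thread id, timestamp, key and value.
LINE_RE = re.compile(
    r"DEBUG \[(?P<tid>0x[0-9a-f]+)\] (?P<ts>\S+ \S+) : dca_log_userinfo: (?P<key>\w+): (?P<val>.*)$"
)

def parse_userinfo(log_text):
    """Group consecutive dca_log_userinfo key/value lines into one record per logon event."""
    records, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key == "User":  # the agent logs the User line first for every event
            current = {"ts": m.group("ts"), "tid": m.group("tid")}
            records.append(current)
        if current is not None:
            current[key] = val
    return records

def find_overwrites(records):
    """Replay events as the agent's per-IP table; flag remote logons that displace another user."""
    ip_to_user, alerts = {}, []
    for r in records:
        ip, user = r.get("WrkstIP"), r.get("User")
        prev = ip_to_user.get(ip)
        # LogonType 10 is RemoteInteractive: WrkstIP is the RDP client, not the server.
        if r.get("LogonType") == "10" and prev and prev != user:
            alerts.append((r["ts"], ip, prev, user, r.get("WrkstName")))
        ip_to_user[ip] = user  # duplicate handling keys on wrkst_ip alone (see the SELECT above)
    return alerts
```

Run `find_overwrites(parse_userinfo(SAMPLE_LOG))` against a real debug log to list every workstation IP whose identity was replaced by an RDP logon, which is exactly the moment the "match known users" rules start denying the original user.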

  • Thank you - that seems to be exactly the problem. No solution from Sophos it seems :/


  • Hi

    I understand your concern and the point you are trying to make, but as of now it is working as stated. Please upvote the feature request shared in the previous post.