
Sophos Central - XG firewall policy groups - DNS fails to apply

Hi all

We are trying to get group management of a few XG firewalls (all on v18) happening in Sophos Central. Our own building XG firewall is synchronizing fine (it was put in the group months ago), but the client ones we just moved to the policy group fail to apply, due to the DNS config not applying (see below error from Sophos Central tasks queue area).

The extra confusing part is that the DNS settings are still at the defaults of "Obtain DNS from DHCP" in both the group AND on the firewalls - so they are already the same!

Any idea on how to resolve this? We have deployed 12 XG units in total, so very keen to have group wide changes push out from the Sophos Central page.

Firewall Transaction Details

ID : 1 | STATUS: FAILED | EVENT : UPDATE

DNS configuration could not be applied

failed (500){
"response": {
"Event": "UPDATE",
"Entity": "dns",
"status": "500",
"statusmessage": "failed"
},
"msg_ids": "DNS configuration could not be applied"
}

Firmware versions don't seem to make a difference as shown here:

Screenshot from Sophos Central

  • Hello Bentech,

    Thank you for contacting the Sophos Community!

    What are the DNS settings configured currently in the XG? What about CM?

    Do you see any errors in the XG in the following logs:

    centralmanagment.log, sophos-central.log, fwcm-eventd.log, fwcm-updaterd.log

    Regards,

  • Hi all, updating with the solution in case anyone else has this.
    It was IPv6 causing the issue. We don't use that at this stage, so on the WAN interface (port2) of XGs we had IPv6 disabled completely. This was in turn disabling the IPv6 DNS option on the DNS settings screen.
    Sophos Central was trying to enable the "Obtain by DHCP" for IPv6 which was not possible - the option is greyed out on the actual device.
    Enabling IPv6 on the WAN interface is thus required in order to use Sophos Central management. Not ideal but at least we are now seeing the end device synchronise.
    It might also cause problems if you have set static DNS on the XG but I have not tested this fully - one firewall that does have static DNS is still failing to synchronise.
    This is a shame as it reduces flexibility. It would be nice if you could opt out of applying IPv4 and/or IPv6 DNS settings from the central management side!
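The failed transaction record quoted in the question, together with the IPv6 cause given in this reply, as an added Python example that is not from the thread or from Sophos: it parses the "failed (500){...}" task-queue entry and runs a pre-flight check of a group DNS policy against a device's interface state before the group push is attempted. The policy and device dictionaries, their field names and the sample entry are assumptions constructed for the example, not Sophos Central's data model.

```python
import json
import re

# Constructed sample, modelled on the task-queue entry quoted in the thread.
SAMPLE_TASK_OUTPUT = """DNS configuration could not be applied

failed (500){
"response": {
"Event": "UPDATE",
"Entity": "dns",
"status": "500",
"statusmessage": "failed"
},
"msg_ids": "DNS configuration could not be applied"
}"""


def parse_transaction(text):
    """Pull the JSON body out of a 'failed (NNN){...}' transaction entry."""
    m = re.search(r"(failed|success)\s*\((\d{3})\)\s*(\{.*\})", text, re.S)
    if not m:
        raise ValueError("no transaction JSON found in task output")
    body = json.loads(m.group(3))
    resp = body["response"]
    return {
        "event": resp["Event"],
        "entity": resp["Entity"].lower(),
        "status": int(resp["status"]),
        "message": body.get("msg_ids", ""),
    }


def preflight_dns(group_policy, device):
    """Reasons a group DNS policy cannot apply to a device (hypothetical model).

    Per the thread: the group pushes 'Obtain by DHCP' for IPv6 DNS, which the
    device cannot accept while IPv6 is disabled on its WAN interface. Static
    IPv4 DNS on the device is flagged as untested rather than as a hard failure.
    """
    problems = []
    if group_policy.get("ipv6_dns") == "dhcp" and not device.get("wan_ipv6_enabled"):
        problems.append("IPv6 DNS 'Obtain by DHCP' requested but IPv6 is disabled on WAN %s"
                        % device.get("wan_interface", "?"))
    if group_policy.get("ipv4_dns") == "dhcp" and device.get("ipv4_dns") == "static":
        problems.append("device uses static IPv4 DNS; outcome untested, check manually")
    return problems


def diagnose(task_output, group_policy, device):
    """Map a failed 'dns' transaction to the pre-flight findings for that device."""
    tx = parse_transaction(task_output)
    if tx["entity"] == "dns" and tx["status"] >= 500:
        return preflight_dns(group_policy, device)
    return []
```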