  • Hi Ian,

    After upgrading to 18.5.2 MR2 I did see similar behaviour to what you're describing, until I realised that my primary laptop was associating with the far end mesh AP (APX 530, typical RSSI of -71 dBm). The near end mesh AP (APX 530, typical RSSI of -43 dBm) was offline, as is so often the case after an XG restart. Once I power cycled the near end mesh AP and it successfully joined the mesh, then my laptop performance was back to normal.

    Maybe worth investigating to see if your performance issues are WiFi related?

    BTW I wouldn't touch another XG/XGS unit with built-in WiFi. Doesn't scale when you need to add additional APs as the built-in WiFi AP is a special case, and a complete pain if you want to upgrade to a non-WiFi unit (either configure from scratch, or export full config, wade through config file and excise local WiFi settings, re-order config file to ensure dependencies are parsed first, import config into clean install, then export full config from both units and compare with diff/WinMerge or check page-by-page to ensure migrated config is right).

  • Hi Chris,

    The issues are with my Mac mini, which is hardwired and is what I was testing with. I gave up on the built-in Wi-Fi and restored my other APs; the built-in Wi-Fi could not connect to most Wi-Fi devices reliably.

    Currently the box is dead, e.g. you can't configure much because it is so slow. The speed test still maxes the line out.

    Thank you for the detailed update from your equipment.

  • Hi Ian,

    Just want to ask what browser you use for XG administration? I have 3 XG boxes (115 to 135) and one is super slow to configure. I figured out it was the browser (MS Edge, which is basically Chrome). I now always start the browser in private/incognito mode and the web GUI is much faster. So just letting you know.

    Martin

  • Hi Martin,

    I primarily use Safari and then Firefox, but today I ended up using Edge on Windows 10. The Windows 10 machine is used mainly for photo scanning so it doesn't have many extras installed.

    Ian

    Thanks for testing it. Please note we were on 18.0 MR6 before, and probably in a lot of environments this error doesn't happen. But we're known to pick a lot of the bad apples... Maybe this is again related to the HA environment.

    I got the MCS logs from a client computer on which the endpoint hadn't been re-installed and will forward that SDU to the support FTP.

    "But MCS still works due the whitelisting of SFOS."

    Yes, that is also true here. The clients are allowed to go to all of Central without web interception on the XG, are allowed DNS, no HB requirement and block without heartbeat on all those basic network FW rules. They were showing with an up-to-date time stamp in Central, so management communication was working.

    See the heartbeat log issues of that client.

    Working 22-1-7
    FW Upgrade on 22-1-8
    Connection failed until working again 22-1-10

    heartbeat.log:

    2022-01-07T13:59:32.308Z [ 5760: 7932] A Connection succeeded.
    2022-01-07T13:59:32.310Z [ 5760: 7932] A Connected to 'ed98a5bf-ede8-4fbd-99b1-b0b1b0b13f1b' at IP address 52.5.76.173 on port 8347
    2022-01-07T13:59:32.323Z [ 5760: 7932] A Connection closed (network error).
    2022-01-07T13:59:32.324Z [ 5760: 7936] A Inactive Interfaces changed.
    2022-01-07T13:59:33.340Z [ 5760: 7932] A Connection failed.
    2022-01-08T06:55:12.246Z [ 5756: 6384] A ----------------------------------------------------------------------------------------------------
    2022-01-08T06:55:12.247Z [ 5756: 6384] A Starting Heartbeat version 1.15.783.0
    2022-01-08T06:55:12.248Z [ 5756: 6384] A ----------------------------------------------------------------------------------------------------
    2022-01-08T06:55:12.300Z [ 5756: 7856] A Connection failed.
    2022-01-08T06:55:42.389Z [ 5756: 7856] E TLS authentication failed after connecting.
    2022-01-08T06:58:15.178Z [ 5756: 7856] A Connection failed.
    2022-01-08T06:58:59.377Z [ 5792: 6496] A ----------------------------------------------------------------------------------------------------
    2022-01-08T06:58:59.402Z [ 5792: 6496] A Starting Heartbeat version 1.15.783.0
    2022-01-08T06:58:59.402Z [ 5792: 6496] A ----------------------------------------------------------------------------------------------------
    2022-01-08T06:58:59.512Z [ 5792: 8076] E TLS authentication failed after connecting.
    2022-01-08T06:59:29.600Z [ 5792: 8076] A Connection failed.
    2022-01-08T07:03:04.545Z [ 5580: 6224] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:03:04.546Z [ 5580: 6224] A Starting Heartbeat version 1.15.783.0
    2022-01-08T07:03:04.547Z [ 5580: 6224] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:03:04.643Z [ 5580: 7712] E TLS authentication failed after connecting.
    2022-01-08T07:07:13.311Z [ 5708: 6588] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:07:13.312Z [ 5708: 6588] A Starting Heartbeat version 1.15.783.0
    2022-01-08T07:07:13.313Z [ 5708: 6588] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:07:13.422Z [ 5708: 8012] E TLS authentication failed after connecting.
    2022-01-08T07:08:34.669Z [ 5708: 8012] A Connection failed.
    2022-01-08T07:11:14.053Z [ 5708: 8012] E TLS authentication failed after connecting.
    2022-01-08T07:13:12.163Z [ 5708: 6588] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:12.164Z [ 5708: 6588] A Stopped Heartbeat
    2022-01-08T07:13:12.165Z [ 5708: 6588] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:14.529Z [ 7552:17376] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:14.529Z [ 7552:17376] A Starting Heartbeat version 1.15.783.0
    2022-01-08T07:13:14.530Z [ 7552:17376] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:14.676Z [ 7552:14032] E TLS authentication failed after connecting.
    2022-01-08T09:46:55.603Z [ 7552: 3476] A The connection configuration has changed. Reloading settings.
    2022-01-08T09:46:55.615Z [ 7552:14328] E 2015: The configuration could not be loaded. Default parameters will be used.
    2022-01-08T09:46:55.616Z [ 7552: 3476] E 2015: The configuration could not be loaded. Default parameters will be used.
    2022-01-08T09:46:55.617Z [ 7552:14328] A The stonewalling configuration has changed. Reloading settings.
    2022-01-08T09:47:11.030Z [ 7552: 3476] A The connection configuration has changed. Reloading settings.
    2022-01-08T09:47:11.031Z [ 7552:14328] A The stonewalling configuration has changed. Reloading settings.
    2022-01-08T09:47:11.033Z [ 7552: 3476] A The connection configuration has changed. Reloading settings.
    2022-01-08T09:51:15.060Z [ 7552:17376] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:51:15.061Z [ 7552:17376] A Stopped Heartbeat
    2022-01-08T09:51:15.062Z [ 7552:17376] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:51:15.856Z [13524: 4468] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:51:15.857Z [13524: 4468] A Starting Heartbeat version 1.15.783.0
    2022-01-08T09:51:15.858Z [13524: 4468] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:51:16.023Z [13524:15816] E TLS authentication failed after connecting.
    2022-01-08T09:58:16.239Z [ 5452: 6284] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:58:16.240Z [ 5452: 6284] A Starting Heartbeat version 1.15.783.0
    2022-01-08T09:58:16.241Z [ 5452: 6284] A ----------------------------------------------------------------------------------------------------
    2022-01-08T09:58:16.277Z [ 5452: 7544] A Connection failed.
    2022-01-08T10:01:34.927Z [ 5452: 7544] E TLS authentication failed after connecting.
    2022-01-08T10:03:33.687Z [ 5640: 6600] A ----------------------------------------------------------------------------------------------------
    2022-01-08T10:03:33.688Z [ 5640: 6600] A Starting Heartbeat version 1.15.783.0
    2022-01-08T10:03:33.689Z [ 5640: 6600] A ----------------------------------------------------------------------------------------------------
    2022-01-08T10:03:33.798Z [ 5640: 7860] E TLS authentication failed after connecting.
    2022-01-08T10:05:10.127Z [ 5640: 7860] A Connection failed.
    2022-01-08T10:07:49.448Z [ 5640: 7860] E TLS authentication failed after connecting.
    2022-01-08T12:18:18.945Z [ 5640: 7860] A Connection failed.
    2022-01-08T12:45:35.451Z [ 5640: 7860] E TLS authentication failed after connecting.
    2022-01-08T12:51:08.528Z [ 5640: 7860] A Connection failed.
    2022-01-08T12:55:38.696Z [ 5640: 7860] E TLS authentication failed after connecting.
    2022-01-08T12:59:10.473Z [ 5640: 7860] A Connection failed.
    2022-01-08T13:16:38.627Z [ 5640: 7860] E TLS authentication failed after connecting.
    2022-01-08T16:55:35.349Z [ 5640: 6600] A ----------------------------------------------------------------------------------------------------
    2022-01-08T16:55:35.350Z [ 5640: 6600] A Stopped Heartbeat
    2022-01-08T16:55:35.350Z [ 5640: 6600] A ----------------------------------------------------------------------------------------------------
    2022-01-10T07:55:27.201Z [ 5400: 5684] A ----------------------------------------------------------------------------------------------------
    2022-01-10T07:55:27.202Z [ 5400: 5684] A Starting Heartbeat version 1.15.783.0
    2022-01-10T07:55:27.202Z [ 5400: 5684] A ----------------------------------------------------------------------------------------------------
    2022-01-10T07:55:27.243Z [ 5400: 7464] A Connection failed.
    2022-01-10T08:02:09.174Z [ 5400: 7432] A The connection configuration has changed. Reloading settings.
    2022-01-10T08:02:09.191Z [ 5400: 7432] A The connection configuration has changed. Reloading settings.
    2022-01-10T08:02:39.907Z [ 5400: 7464] A Connection succeeded.
    

    Note: 2022-01-08T09:46:55 ... E 2015: The configuration could not be loaded. Default parameters will be used.
    At that point the heartbeat issue had already been happening for more than 2 hours and we tried to work around it by deleting the heartbeat.xml file on that client manually. That did not solve the issue, as you can see. The EP heartbeat was working again on Jan 10th without further action by us.

    The MCSAgent log contains no issues.

    The MCSClient log shows that communication to Central was fine:

    2022-01-08T07:13:04.143Z [12312: 1324] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:04.145Z [12312: 1324] A Starting version 4.15.70.0 of the Sophos MCS Client service.
    2022-01-08T07:13:04.145Z [12312: 1324] A ----------------------------------------------------------------------------------------------------
    2022-01-08T07:13:04.164Z [12312:16120] I The configuration monitor thread was started.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'statusRegulationDelay' set to 60.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'maximumStatusRegulationDelay' set to 300.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'statusTimeToLive' set to 43200.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'responseRegulationDelay' set to 1.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'maximumResponseRegulationDelay' set to 1.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'errorCountTimeout' set to 300.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'eventRegulationDelay' set to 1.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'maximumEventRegulationDelay' set to 5.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'maximumAggregatedEvents' set to 32.
    2022-01-08T07:13:04.164Z [12312:14348] I Config: setting 'commandPollingInterval' set to 55.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'flagsPollingInterval' set to 14400.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'policyPollingInterval' set to 300.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'policyTimeToLive' set to 345600.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'maximumBackoffCount' set to 10.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'maximumBackoffSeconds' set to 7200.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'randomSkewFactor' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'httpConnectTimeout' set to 30.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'httpSendTimeout' set to 30.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'httpReceiveTimeout' set to 30.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'statusCacheDuration' set to 604800.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'useSystemProxy' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'useAutomaticProxy' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'useDirect' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'diagnosticTrailLocation' set to C:\ProgramData\Sophos\Management Communications System\Endpoint\Trail.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'registrationToken' set to xxxxxxxxxxxxxxxxxx6f305f2cf397.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'presignedUrlServiceUrl' set to https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep/presignedurls.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'presignedUrlServiceCredentials' set to xxxxxxxxxxxxP0ZQp6Mqg9H4=.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'pushPollRegulationDelayMilliseconds' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'pushMaximumPollRegulationDelayMilliseconds' set to 1.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'pushPingTimeout' set to 90.
    2022-01-08T07:13:04.165Z [12312:14348] I Config: setting 'pushFallbackPollInterval' set to 55.
    2022-01-08T07:13:04.168Z [12312:14348] I Periodic evaluation interval configured for every 86400 seconds
    2022-01-08T07:13:04.170Z [12312:12668] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\APPWL\Incoming
    2022-01-08T07:13:04.171Z [12312: 4480] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\EDR\Incoming
    2022-01-08T07:13:04.171Z [12312:14104] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\ForensicSnapshot\Incoming
    2022-01-08T07:13:04.171Z [12312: 1492] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\RCA\Incoming
    2022-01-08T07:13:04.171Z [12312:17240] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\FIM\Incoming
    2022-01-08T07:13:04.171Z [12312:14840] I Starting directory change monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming
    2022-01-08T07:13:04.172Z [12312:14348] I The Windows event log has been initialized.
    2022-01-08T07:13:04.287Z [12312:14348] I Device ID: 4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx
    2022-01-08T07:13:04.287Z [12312:14348] I Tenant ID: f2783ff7-0c37-47e6-9d34-be7dd2a07095
    2022-01-08T07:13:04.287Z [12312:14348] I Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT LIVEQUERY LIVETERMINAL MDR NTP SAV SDU WEBCNTRL XPD
    2022-01-08T07:13:04.287Z [12312:14348] I Authentication token expires at 2022-01-08T07:58:34Z
    2022-01-08T07:13:04.298Z [12312:12140] I service tamper protection enabled
    2022-01-08T07:13:04.456Z [12312:12828] I [connect] trying server https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep
    2022-01-08T07:13:04.457Z [12312:12828] I [connect] trying direct connection without a proxy
    2022-01-08T07:13:04.457Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep
    2022-01-08T07:13:04.584Z [12312:12828] I 200 : sent=0 rcvd=168 elapsed=127ms
    2022-01-08T07:13:04.584Z [12312:12828] I [connect] using server https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep without a proxy (peer address 3.127.212.169)
    2022-01-08T07:13:04.585Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/flags/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:13:04.619Z [12312:12828] I 200 : sent=0 rcvd=1583 elapsed=34ms
    2022-01-08T07:13:04.620Z [12312:12828] I Saved the Central flags
    2022-01-08T07:13:04.622Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:13:04.639Z [12312:12828] I 200 : sent=0 rcvd=140 elapsed=17ms
    2022-01-08T07:13:04.787Z [12312:12828] I AGENT status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.793Z [12312:12828] I SAV status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.794Z [12312:12828] I SWC status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.796Z [12312:12828] I ALC status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.797Z [12312:12828] I CORC status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.798Z [12312:12828] I CORE status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.799Z [12312:12828] I HBT status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.800Z [12312:12828] I HMPA status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.801Z [12312:12828] I LiveQuery status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.802Z [12312:12828] I MCS status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.803Z [12312:12828] I MDR status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.804Z [12312:12828] I NTP status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.804Z [12312:12828] I SDU status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.805Z [12312:12828] I SHS status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.806Z [12312:12828] I UI status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:13:04.807Z [12312:12828] I PUT https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/statuses/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:13:04.838Z [12312:12828] I 200 : sent=1811 rcvd=0 elapsed=31ms
    2022-01-08T07:13:04.841Z [12312:12828] I EFW status processed <- 20220108071303-0005-status-EFW.xml
    2022-01-08T07:13:04.842Z [12312:12828] I The agent status has changed to: {domain=domain, is_in_domain=1, computer_name=hostname, operating_system=WIN10, operating_system_friendly_name=Windows 10 Enterprise , os_major_version=10, os_minor_version=0, product_type=4, installation_type=Client, is_server=0, is_domain_controller=0, is_terminal_server=0, build_number=19042, system_language=1031, service_pack_major_version=0, service_pack_minor_version=0, computer_comment=, last_logged_on_user=domain\user, group_on_bootstrap=, user_sessions=((userDomain=domain, userName=user, userPrincipalName=user@domain.de, userSid=S-1-5-21-1803570019-140194396-1541874228-17022, state=0, type=0)), ipv4Addresses=(10.xxx.xxx.11, 192.xxx.xxx.51), ipv6Addresses=(2a02:8071:019c:b900:19ed:45d3:3761:fe1c, 2a02:8071:019c:b900:dd50:c004:9721:f015), macAddresses=(00:FF:BA:EB:40:BC, E4:46:B0:00:2B:2A, 14:85:7F:9D:74:CB, 16:85:7F:9D:74:CA, 14:85:7F:9D:74:CA, 14:85:7F:9D:74:CE), fullyQualifiedDomainName=hostname.domain.de, processorArchitecture=x64, deviceId=4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx, tenantId=f2783ff7-0c37-47e6-9d34-be7dd2a07095, products=(antivirus, intercept, mdr)}.
    2022-01-08T07:13:04.842Z [12312:12828] I Establishing push connection
    2022-01-08T07:13:04.844Z [12312:12828] I [push]: [connect] trying server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps
    2022-01-08T07:13:04.844Z [12312:12828] I [push]: [connect] trying direct connection without a proxy
    2022-01-08T07:13:04.844Z [12312:12828] I GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps
    2022-01-08T07:13:04.933Z [12312:12828] I 200 : sent=0 rcvd=0 elapsed=88ms
    2022-01-08T07:13:04.933Z [12312:12828] I [push]: [connect] using server https://mcs-push-server-eu-central-1.prod.hydra.sophos.com/ps without a proxy (peer address 18.195.226.46)
    2022-01-08T07:13:04.934Z [12312:12828] I (async) GET https://mcs-push-server-eu-central-1.prod.hydra.sophos.com:443/ps/push/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:13:05.113Z [12312: 7240] I (async) 200 : connection established
    2022-01-08T07:13:05.113Z [12312: 7240] I (async) 200 : chunk=1 rcvd=6 conntime=179ms
    2022-01-08T07:13:05.113Z [12312: 7240] I Push connection was disconnected. Not triggering a command poll
    2022-01-08T07:13:05.125Z [12312:12828] I The telemetry data is: {"mcs":{"agent":{"cloudPlatform":""},"flags":{"amsi-uac.available":true,"amsi.available":true,"amsi.block-and-clean.enabled":true,"amsi.fastregex.available":true,"behavioral-blocking.available":true,"behavioral.bms.enabled":true,"boot.modernweb.available":true,"boot.modernweb.block_by_scan":true,"boot.modernweb.block_by_url":true,"boot.modernweb.can_decrypt":true,"boot.sed.runtimeiocsjournal.available":true,"boot.ssp-clean.available":true,"boot.sting20.c2c3detections.enabled":true,"boot.sting20.datalossprevention.enabled":true,"boot.sting20.devicecontrol.enabled":true,"boot.sting20.downloadrepscanning.enabled":true,"boot.sting20.ondemandscanning.enabled":true,"boot.sting20.pejitscanning.enabled":true,"boot.sting20.realtimescanning.enabled":true,"boot.sting20.sscm.enabled":true,"boot.sting20.webcontrol.enabled":true,"boot.sting20.webprotection.enabled":true,"health.threat-services.enabled":false,"hmpa.amsiguard.enforce":true,"hmpa.amsiguard.silent":true,"hmpa.apisetguard.enforce":true,"hmpa.apisetguard.silent":true,"hmpa.branchtracing.enforce":true,"hmpa.branchtracing.silent":true,"hmpa.can-terminate-system-process.available":true,"hmpa.cookieguard.enforce":false,"hmpa.cookieguard.silent":true,"hmpa.credguard.v2.enforce":false,"hmpa.credguard.v2.silent":true,"hmpa.credguardsamreg.enforce":true,"hmpa.credguardsamreg.silent":true,"hmpa.cryptoguard.v5.enforce":false,"hmpa.cryptoguardefs.enforce":true,"hmpa.cryptoguardefs.silent":true,"hmpa.ctfguard.enforce":true,"hmpa.ctfguard.silent":true,"hmpa.heapheaphooray.enforce":true,"hmpa.heapheaphooray.silent":true,"hmpa.heapheaphooray.v2.enforce":true,"hmpa.heapheaphooray.v2.silent":true,"hmpa.ignore-attested.available":false,"hmpa.lockdownautorun.v2.enforce":true,"hmpa.lockdownmemory.v2.enforce":true,"hmpa.lockdownmemory.v2.silent":true,"hmpa.stackpivot.enforce":false,"ips.available":true,"ips.available_win7":true,"ips.filter.inbound":true,"ips.filter.outbound":true,"livequery.network-tables.available":true,"mlwindowsdir.available":true,"pinnedglobalreplocal.available":true,"pinnedglobalrepnetwork.available":true,"repair.available":false,"sav.hips.disabled":true,"scheduled_queries.next":false,"sdds3.ready":true,"sed.msthreatintel.enabled":false,"sed.multithreaded-hashing.enabled":true,"sed.pseudohandle-events.enabled":true,"sed.stricter-sophos-event-filtering.enabled":true,"sed.tp2020-denyfilelocks-win10.available":true,"sed.tp2020-denyfilelocks-win7-win8.available":true,"sed.tp2020-forcefilesharing-win10.available":true,"sed.tp2020-forcefilesharing-win7-win8.available":true,"sed.tp2020-oplocks-win10.available":true,"sed.tp2020-oplocks-win7-win8.available":false,"sed.tp2020-process-win10.available":true,"sed.tp2020-process-win7.available":true,"sed.tp2020-process-win8.available":true,"sed.tp2021-log-win10.available":true,"sed.tp2021-log-win7-win8.available":true,"sed.tpsafeboot.available":true,"ssp-clean.enabled":true,"ssp.appc.reporting.available":true,"ssp.clear-historian-db-file.enabled":true,"ssp.instant-core-clean-items.available":true,"ssp.multiplefilesubmission.available":true,"ssp.static.postanalysis.available":true,"ssp.submitfilemetadata.available":true,"sting20-pe.enabled":true,"su-setup.available":true,"vdldetections.available":true,"ztna.available":true},"preferredServer":{"server":"mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com","viaProxy":false,"viaMessageRelay":false,"authScheme":0},"pushServer":{"server":"mcs-push-server-eu-central-1.prod.hydra.sophos.com","isConnected":true},"remapper":{}}}
    2022-01-08T07:13:38.080Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:13:38.113Z [12312:12828] I 200 : sent=9538 rcvd=0 elapsed=33ms
    2022-01-08T07:13:38.113Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071333070.json result 0 purge false
    2022-01-08T07:13:38.113Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071333070.json
    2022-01-08T07:13:59.895Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:13:59.914Z [12312:12828] I 200 : sent=0 rcvd=140 elapsed=18ms
    2022-01-08T07:14:04.859Z [12312: 7240] I (async) 200 : chunk=2 rcvd=7 conntime=60180ms
    2022-01-08T07:14:04.860Z [12312: 7240] I The configuration has changed. Reloading settings.
    2022-01-08T07:14:08.229Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:14:08.266Z [12312:12828] I 200 : sent=1298 rcvd=0 elapsed=37ms
    2022-01-08T07:14:08.266Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071403221.json result 0 purge false
    2022-01-08T07:14:08.266Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071403221.json
    2022-01-08T07:14:08.279Z [12312:12828] I The telemetry data is: {"mcs":{"agent":{"cloudPlatform":""},"flags":{"amsi-uac.available":true,"amsi.available":true,"amsi.block-and-clean.enabled":true,"amsi.fastregex.available":true,"behavioral-blocking.available":true,"behavioral.bms.enabled":true,"boot.modernweb.available":true,"boot.modernweb.block_by_scan":true,"boot.modernweb.block_by_url":true,"boot.modernweb.can_decrypt":true,"boot.sed.runtimeiocsjournal.available":true,"boot.ssp-clean.available":true,"boot.sting20.c2c3detections.enabled":true,"boot.sting20.datalossprevention.enabled":true,"boot.sting20.devicecontrol.enabled":true,"boot.sting20.downloadrepscanning.enabled":true,"boot.sting20.ondemandscanning.enabled":true,"boot.sting20.pejitscanning.enabled":true,"boot.sting20.realtimescanning.enabled":true,"boot.sting20.sscm.enabled":true,"boot.sting20.webcontrol.enabled":true,"boot.sting20.webprotection.enabled":true,"health.threat-services.enabled":false,"hmpa.amsiguard.enforce":true,"hmpa.amsiguard.silent":true,"hmpa.apisetguard.enforce":true,"hmpa.apisetguard.silent":true,"hmpa.branchtracing.enforce":true,"hmpa.branchtracing.silent":true,"hmpa.can-terminate-system-process.available":true,"hmpa.cookieguard.enforce":false,"hmpa.cookieguard.silent":true,"hmpa.credguard.v2.enforce":false,"hmpa.credguard.v2.silent":true,"hmpa.credguardsamreg.enforce":true,"hmpa.credguardsamreg.silent":true,"hmpa.cryptoguard.v5.enforce":true,"hmpa.cryptoguardefs.enforce":true,"hmpa.cryptoguardefs.silent":true,"hmpa.ctfguard.enforce":true,"hmpa.ctfguard.silent":true,"hmpa.heapheaphooray.enforce":true,"hmpa.heapheaphooray.silent":true,"hmpa.heapheaphooray.v2.enforce":true,"hmpa.heapheaphooray.v2.silent":true,"hmpa.ignore-attested.available":false,"hmpa.lockdownautorun.v2.enforce":true,"hmpa.lockdownmemory.v2.enforce":true,"hmpa.lockdownmemory.v2.silent":true,"hmpa.stackpivot.enforce":false,"ips.available":true,"ips.available_win7":true,"ips.filter.inbound":true,"ips.filter.outbound":true,"livequery.network-tables.available":true,"mlwindowsdir.available":true,"pinnedglobalreplocal.available":true,"pinnedglobalrepnetwork.available":true,"repair.available":false,"sav.hips.disabled":true,"scheduled_queries.next":false,"sdds3.ready":true,"sed.msthreatintel.enabled":false,"sed.multithreaded-hashing.enabled":true,"sed.pseudohandle-events.enabled":true,"sed.stricter-sophos-event-filtering.enabled":true,"sed.tp2020-denyfilelocks-win10.available":true,"sed.tp2020-denyfilelocks-win7-win8.available":true,"sed.tp2020-forcefilesharing-win10.available":true,"sed.tp2020-forcefilesharing-win7-win8.available":true,"sed.tp2020-oplocks-win10.available":true,"sed.tp2020-oplocks-win7-win8.available":false,"sed.tp2020-process-win10.available":true,"sed.tp2020-process-win7.available":true,"sed.tp2020-process-win8.available":true,"sed.tp2021-log-win10.available":true,"sed.tp2021-log-win7-win8.available":true,"sed.tpsafeboot.available":true,"ssp-clean.enabled":true,"ssp.appc.reporting.available":true,"ssp.clear-historian-db-file.enabled":true,"ssp.instant-core-clean-items.available":true,"ssp.multiplefilesubmission.available":true,"ssp.static.postanalysis.available":true,"ssp.submitfilemetadata.available":true,"sting20-pe.enabled":true,"su-setup.available":true,"vdldetections.available":true,"ztna.available":true},"preferredServer":{"server":"mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com","viaProxy":false,"viaMessageRelay":false,"authScheme":0},"pushServer":{"server":"mcs-push-server-eu-central-1.prod.hydra.sophos.com","isConnected":true},"remapper":{}}}
    2022-01-08T07:14:38.308Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:14:38.337Z [12312:12828] I 200 : sent=985 rcvd=0 elapsed=28ms
    2022-01-08T07:14:38.337Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071433313.json result 0 purge false
    2022-01-08T07:14:38.337Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071433313.json
    2022-01-08T07:14:54.712Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:14:54.738Z [12312:12828] I 200 : sent=0 rcvd=140 elapsed=26ms
    2022-01-08T07:15:04.483Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:15:04.516Z [12312:12828] I 200 : sent=1084 rcvd=0 elapsed=33ms
    2022-01-08T07:15:04.517Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071459481.json result 0 purge false
    2022-01-08T07:15:04.517Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071459481.json
    2022-01-08T07:15:04.603Z [12312:10384] I (async) 200 : chunk=3 rcvd=7 conntime=120177ms
    2022-01-08T07:15:12.734Z [12312:12828] I HMPA status is identical to last cached status, ignoring timestamp: NOT sending to server
    2022-01-08T07:15:12.736Z [12312:12828] I PUT https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/statuses/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:15:12.805Z [12312:12828] I 200 : sent=13056 rcvd=0 elapsed=69ms
    2022-01-08T07:15:12.815Z [12312:12828] I ALC status processed <- 20220108071315-0010-status-ALC.xml
    2022-01-08T07:15:12.817Z [12312:12828] I APPSPROXY status processed <- 20220108071402-0011-status-APPSPROXY.xml
    2022-01-08T07:15:38.485Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:15:38.532Z [12312:12828] I 200 : sent=1027 rcvd=0 elapsed=47ms
    2022-01-08T07:15:38.532Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071533475.json result 0 purge false
    2022-01-08T07:15:38.532Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071533475.json
    2022-01-08T07:15:49.527Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:15:49.550Z [12312:12828] I 200 : sent=0 rcvd=140 elapsed=23ms
    2022-01-08T07:16:04.352Z [12312:10384] I (async) 200 : chunk=4 rcvd=7 conntime=180180ms
    2022-01-08T07:16:38.666Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/v2/data_feed/device/4b500259-127a-xxxxxxxx-aab5-xxxxxxxxxx/feed_id/scheduled_query
    2022-01-08T07:16:38.701Z [12312:12828] I 200 : sent=813 rcvd=0 elapsed=35ms
    2022-01-08T07:16:38.702Z [12312:12828] I Feed channel scheduled_query: uploading file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071633672.json result 0 purge false
    2022-01-08T07:16:38.702Z [12312:12828] I Feed channel scheduled_query: uploaded file C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming\scheduled-20220108071633672.json
    2022-01-08T07:16:44.346Z [12312:12828] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxxxxx-aa5b-xxxxxxxxx
    2022-01-08T07:16:44.369Z [12312:12828] I 200 : sent=0 rcvd=140 elapsed=23ms
    2022-01-08T07:17:04.098Z [12312:10384] I (async) 200 : chunk=5 rcvd=7 conntime=240179ms
    2022-01-08T07:17:08.700Z [12312:12828] I POST https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443

    Another log snip of MSClient where you can see the exact timestamps that had failures in the heartbeat log shown above:

    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'diagnosticTrailLocation' set to C:\ProgramData\Sophos\Management Communications System\Endpoint\Trail.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'registrationToken' set to xxxxxxxxxxxxxxxxx.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'presignedUrlServiceUrl' set to https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep/presignedurls.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'presignedUrlServiceCredentials' set to xxxxxxxxxxxxxxJuH50qiP0ZQp6Mqg9H4=.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'pushPollRegulationDelayMilliseconds' set to 1.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'pushMaximumPollRegulationDelayMilliseconds' set to 1.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'pushPingTimeout' set to 90.
    2022-01-08T10:03:32.932Z [ 5836: 6456] I Config: setting 'pushFallbackPollInterval' set to 55.
    2022-01-08T10:03:33.075Z [ 5836: 6456] I Periodic evaluation interval configured for every 86400 seconds
    2022-01-08T10:03:33.095Z [ 5836: 7052] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\FIM\Incoming
    2022-01-08T10:03:33.096Z [ 5836: 7040] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\APPWL\Incoming
    2022-01-08T10:03:33.096Z [ 5836: 7044] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\EDR\Incoming
    2022-01-08T10:03:33.097Z [ 5836: 7060] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\ForensicSnapshot\Incoming
    2022-01-08T10:03:33.097Z [ 5836: 7064] I Starting Channel monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\RCA\Incoming
    2022-01-08T10:03:33.098Z [ 5836: 7068] I Starting directory change monitor for: C:\ProgramData\Sophos\Management Communications System\Endpoint\Channels\LiveQueryScheduled\Incoming
    2022-01-08T10:03:33.100Z [ 5836: 6456] I The Windows event log has been initialized.
    2022-01-08T10:03:33.575Z [ 5836: 6456] I Device ID: 4b500259-127a-xxxxxxxxx-aab5-xxxxxxxxxxx
    2022-01-08T10:03:33.575Z [ 5836: 6456] I Tenant ID: f2783ff7-0c37-xxxxxxxxx-9d34-xxxxxxxxxxxxx
    2022-01-08T10:03:33.575Z [ 5836: 6456] I Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT LIVEQUERY LIVETERMINAL MDR NTP SAV SDU WEBCNTRL XPD
    2022-01-08T10:03:33.575Z [ 5836: 6456] I Authentication token expires at 2022-01-09T07:57:52Z
    2022-01-08T10:03:33.580Z [ 5836: 6456] I The configuration has changed. Reloading settings.
    2022-01-08T10:03:33.606Z [ 5836: 7776] I service tamper protection enabled
    2022-01-08T10:03:34.188Z [ 5836: 7772] I [connect] trying server https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep
    2022-01-08T10:03:34.188Z [ 5836: 7772] I [connect] trying direct connection without a proxy
    2022-01-08T10:03:34.188Z [ 5836: 7772] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep
    2022-01-08T10:03:34.647Z [ 5836: 7772] I 200 : sent=0 rcvd=168 elapsed=459ms
    2022-01-08T10:03:34.648Z [ 5836: 7772] I [connect] using server https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/management/ep without a proxy (peer address 52.28.79.68)
    2022-01-08T10:03:34.649Z [ 5836: 7772] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/flags/endpoint/b4052095-21a7-xxxx-aa5b-xxxxxxxxxx
    2022-01-08T10:03:34.944Z [ 5836: 7772] I 200 : sent=0 rcvd=1583 elapsed=295ms
    2022-01-08T10:03:34.945Z [ 5836: 7772] I Saved the Central flags
    2022-01-08T10:03:34.948Z [ 5836: 7772] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxx-aa5b-xxxxxxxxxx
    2022-01-08T10:03:34.981Z [ 5836: 7772] I 200 : sent=0 rcvd=140 elapsed=32ms

  • Do you have a Support case open for this? As far as I can see: Central did not push / render the HBT policy. Therefore the client did not get the policy with the applied certificate. If this worked after some time, the rendering was repaired by Central itself.

    Sophos Support will have access to the logs of Central and the rendering of the policy.

  • Thanks for that additional information. May I ask you to add that reference to the Central logs to case 04793577 so the tech working on it can check the Central logs before they expire?

  • Is that the point where MCS Client receives the new Heartbeat Policy on Jan 10th? It looks like it to me:

    	Line 4982: 2022-01-10T08:02:08.449Z [ 5476: 7324] I Features: APPCNTRL AV CLEAN CORE DLP DVCCNTRL EFW HBT LIVEQUERY LIVETERMINAL MDR NTP SAV SDU WEBCNTRL XPD
    	Line 4987: 2022-01-10T08:02:08.558Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/commands/applications/ALC;AMSI;CORC;CORE;EFW;HBT;HMPA;LiveQuery;LiveTerminal;MCS;MDR;NTP;SAV;SDU;SEA;SHS;SWC;UI;APPSPROXY/endpoint/b4052095-21a7-xxxx-aa5b-xxxxxxx3be1
    	Line 4995: 2022-01-10T08:02:08.801Z [ 5476: 7324] I Received policy fragment for adapter HBT, with type 27
    	Line 4996: 2022-01-10T08:02:08.817Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/policy/fragment/application/HBT/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb4cf7b26d12b14d5664bf
    	Line 4999: 2022-01-10T08:02:08.956Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/policy/fragment/application/HBT/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx69c1b367e294080e7c3cb5a
    	Line 5001: 2022-01-10T08:02:09.065Z [ 5476: 7324] I HBT27 policy queued -> 20220110080209-0001-policy-HBT27.xml
    	Line 5004: 2022-01-10T08:02:09.132Z [ 5476: 7324] I Received policy fragment for adapter HBT, with type 27
    	Line 5005: 2022-01-10T08:02:09.145Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/policy/fragment/application/HBT/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx98de246ec1f392c0c639ff4
    	Line 5007: 2022-01-10T08:02:09.291Z [ 5476: 7324] I HBT27 policy queued -> 20220110080209-0002-policy-HBT27.xml
    	Line 5010: 2022-01-10T08:02:09.374Z [ 5476: 7324] I Received policy fragment for adapter HBT, with type 27
    	Line 5011: 2022-01-10T08:02:09.389Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/policy/fragment/application/HBT/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx50aa56b26f446edc1ef760
    	Line 5013: 2022-01-10T08:02:09.507Z [ 5476: 7324] I HBT27 policy queued -> 20220110080209-0003-policy-HBT27.xml
    	Line 5051: 2022-01-10T08:02:10.533Z [ 5476: 7324] I HBT status processed <- 20220110080209-0019-status-HBT.xml

    The HBT Config Status file is:

    <?xml version="1.0"?>
    <statusCache>
        <cacheTime>2022-01-10T08:02:10.427328Z</cacheTime>
        <status><?xml version="1.1" encoding="UTF-8"?><StatusAndConfig><status><?xml version='1.0' encoding='UTF-8'?><status version="1.15.783.0"><CompRes Res='Same' RevID='3658192e804f6a6xxxxxxxxxxxxxxe4808e2bb6f5bb073' policyType='27'/></status></status><config></config></StatusAndConfig></status>
    </statusCache>

    And the HBT27 policy ProgramData\Sophos\Management Communications System\Endpoint\Cache\HBT27.policy contains all the certificates and is dated 2022.01.10 09:02 (CET):

    <?xml version="1.0"?>
    <policy RevID="3658192e804f6a6xxxxxxxxxxxxxxe4808e2bb6f5bb073" policyType="27">
      <destination address="52.5.76.173" port="8347"/>
      <addresslist/>
      <enabled>true</enabled>
      <ztnaEnabled>false</ztnaEnabled>
      <renewalparams triggerDaysBefore="90" switchDaysAfter="4"/>
      <epcert fingerprint="M9n3Tv/xxxxxxxxxxx=">-----BEGIN CERTIFICATE-----
      
      certs following below...
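
Added example (my code, not from the thread and not Sophos code) of the check being made in this post: a Python script that parses lines in the MCSClient.log format shown above, lists HTTP results that failed or were slow, reconstructs the HBT policy delivery timeline (fragment received, policy queued, status processed) and confirms that the RevID in the cached HBT27.policy matches the RevID the endpoint reported back in its status cache with CompRes Res='Same'. All sample log lines, the RevID, the fragment id, the 192.0.2.10 destination and the certificate body are constructed placeholders. The RevID is pulled out with a regex rather than an XML parser because, as reproduced in the post, the status cache nests XML declarations inside elements, which a strict XML parser rejects as not well-formed.

```python
import re

# Line shape from the thread: <ISO timestamp> [<pid>:<tid>] <level> <message>
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z)\s+"
    r"\[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\]\s+(?P<level>[A-Z])\s+(?P<msg>.*)$"
)
HTTP_RESULT = re.compile(r"^(?P<code>\d{3}) : sent=\d+ rcvd=\d+ elapsed=(?P<ms>\d+)ms$")
FRAGMENT_RECEIVED = re.compile(
    r"^Received policy fragment for adapter (?P<adapter>\w+), with type (?P<ptype>\d+)$"
)
POLICY_QUEUED = re.compile(r"^(?P<adapter>[A-Z]+)(?P<ptype>\d+) policy queued -> (?P<file>\S+)$")
STATUS_PROCESSED = re.compile(r"^(?P<adapter>[A-Z]+) status processed <- (?P<file>\S+)$")
# Regex on purpose: the status cache as reproduced in the post nests <?xml ...?>
# declarations inside elements, so a strict XML parser refuses to load it.
REVID = re.compile(r"""RevID=["']([^"']+)["']""")
COMP_RES = re.compile(r"""<CompRes\s[^>]*\bRes=["']([A-Za-z]+)["']""")

# Constructed sample data modelled on the thread (placeholder RevID, fragment id,
# TEST-NET destination address and certificate body; none of these are real values).
SAMPLE_LOG = """\
2022-01-10T08:02:08.801Z [ 5476: 7324] I Received policy fragment for adapter HBT, with type 27
2022-01-10T08:02:08.817Z [ 5476: 7324] I GET https://mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com:443/sophos/management/ep/policy/fragment/application/HBT/fragment-id-placeholder
2022-01-10T08:02:08.950Z [ 5476: 7324] I 200 : sent=0 rcvd=2048 elapsed=133ms
2022-01-10T08:02:09.065Z [ 5476: 7324] I HBT27 policy queued -> 20220110080209-0001-policy-HBT27.xml
2022-01-10T08:02:10.533Z [ 5476: 7324] I HBT status processed <- 20220110080209-0019-status-HBT.xml
2022-01-10T08:02:40.100Z [ 5476: 7324] I 503 : sent=0 rcvd=0 elapsed=5004ms
"""
SAMPLE_STATUS = """<?xml version="1.0"?>
<statusCache>
    <cacheTime>2022-01-10T08:02:10.427328Z</cacheTime>
    <status><?xml version="1.1" encoding="UTF-8"?><StatusAndConfig><status><?xml version='1.0' encoding='UTF-8'?><status version="1.15.783.0"><CompRes Res='Same' RevID='c0ffee00c0ffee00c0ffee00c0ffee00' policyType='27'/></status></status><config></config></StatusAndConfig></status>
</statusCache>
"""
SAMPLE_POLICY = """<?xml version="1.0"?>
<policy RevID="c0ffee00c0ffee00c0ffee00c0ffee00" policyType="27">
  <destination address="192.0.2.10" port="8347"/>
  <enabled>true</enabled>
  <epcert fingerprint="placeholder=">-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----</epcert>
</policy>
"""


def parse_log(text):
    """Split MCS log text into dicts (ts, pid, tid, level, msg); lines that do not match are skipped."""
    matches = (LOG_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def failed_or_slow(entries, max_ms=2000):
    """HTTP results that were not 200 or exceeded max_ms; '(async)' push-server lines are not matched."""
    problems = []
    for e in entries:
        m = HTTP_RESULT.match(e["msg"])
        if m and (int(m["code"]) != 200 or int(m["ms"]) > max_ms):
            problems.append({"ts": e["ts"], "code": int(m["code"]), "elapsed_ms": int(m["ms"])})
    return problems


def policy_timeline(entries, adapter="HBT"):
    """Ordered (ts, event, detail) tuples: fragment received -> policy queued -> status processed."""
    timeline = []
    for e in entries:
        msg = e["msg"]
        if (m := FRAGMENT_RECEIVED.match(msg)) and m["adapter"] == adapter:
            timeline.append((e["ts"], "received", "type " + m["ptype"]))
        elif (m := POLICY_QUEUED.match(msg)) and m["adapter"] == adapter:
            timeline.append((e["ts"], "queued", m["file"]))
        elif (m := STATUS_PROCESSED.match(msg)) and m["adapter"] == adapter:
            timeline.append((e["ts"], "status", m["file"]))
    return timeline


def extract_revid(xml_text):
    """First RevID attribute value in the text, or None."""
    m = REVID.search(xml_text)
    return m.group(1) if m else None


def check_policy_applied(policy_xml, status_xml):
    """'applied' is True only if the endpoint echoed the cached policy's RevID back with Res='Same'."""
    policy_rev = extract_revid(policy_xml)
    status_rev = extract_revid(status_xml)
    m = COMP_RES.search(status_xml)
    comp_res = m.group(1) if m else None
    return {
        "policy_revid": policy_rev,
        "status_revid": status_rev,
        "comp_res": comp_res,
        "applied": bool(policy_rev) and policy_rev == status_rev and comp_res == "Same",
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("problem requests:", failed_or_slow(entries))
    for ts, event, detail in policy_timeline(entries):
        print(ts, event, detail)
    print(check_policy_applied(SAMPLE_POLICY, SAMPLE_STATUS))
```

On a real endpoint, feed parse_log the contents of MCSClient.log and give check_policy_applied the text of the cached HBT27.policy and of the HBT status cache file shown above. A RevID mismatch, a missing RevID in the policy cache, or a CompRes value other than Same is the evidence to attach to a support case that the policy Central rendered is not the one the endpoint has acknowledged.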

  • Yes - It's the policy (with the certificate).

  • Port editing issues with MR2. After changing 2 separate firewalls to MR-2-Build380 from MR1-1-1-Build365, any form of interface editing is not allowed. It gives an error "This is a system-reserved interface name". This occurs with any attempt to save any change of Name, Zone or IP, even on an unused interface.

    After some iterative testing, I found that the string "Port" in the name is part of the problem. Although interfaces have "Port" there by default, if it's still there on a save it gives that error now. If the name is changed from, say, "Port1" to "P1" it saves fine.