
Central management disabled on XGS87

Both of my XGS87 firewalls had central management events this morning, neither of which was caused by me. Nobody else has FW credentials, and I was not even at the office at the time of this event.

First firewall: "Disabled Management from Sophos Central for XG Firewall"

There is no corresponding event in the admin logs, however.

Second firewall: "A firewall has enabled Sophos Central management or reporting, and is awaiting approval to be managed."

Also not seeing anything in the admin/system logs to correlate this event.

Has this happened to anyone else?



  • Hello there,

    Thank you for contacting the Sophos Community.

    Can you share a screenshot of the email you received?

    And on the XG, if the de-registration was made via the Firewall, in the Admin Log Viewer you should have:

    You could find more info under the following logs:

    applog.log, centralmanagement.log, fwcm-eventd.log, fwcm-heartbeatd.log, fwcm-updaterd.log, csc.log

    You should find these types of events:

    ==> applog.log <==
    Mar 16 00:13:21Z opcode:poll_for_SSO SSOD Service Status: STOPPED SSO Status: disconnected
    Mar 16 00:13:21Z opcode:poll_for_SSO Status - SSO status is DISCONNECTED .....
    Mar 16 00:13:21Z opcode:poll_for_SSO - firmwareupgrade flag
    Mar 16 00:13:21Z opcode:poll_for_SSO - backup flag
    Mar 16 00:13:21Z opcode:poll_for_SSO - SSO poll success
    Mar 16 00:13:21Z opcode:sophos_central_disable - in crdisable
    Mar 16 00:13:21Z opcode:sophos_central_disable - after commit
    Mar 16 00:13:21Z delete_syslog_server called.
    Mar 16 00:13:21Z sophos_central_disable: Calling CM_disable_by_admin
    Mar 16 00:13:21Z opcode:sophos_central_disable - Disabling Central Management

    ==> applog.log <==
    Mar 16 00:13:22Z CM_disable_by_admin: Response code: 204
    Mar 16 00:13:22Z opcode:sophos_central_disable - CM_disable - Stopped fwcm-heartbeatd
    Mar 16 00:13:22Z opcode:sophos_central_disable - Stopped fwcm-updaterd
    Mar 16 00:13:22Z opcode:sophos_central_disable - Stopped fwcm-eventd

    ==> fwcm-eventd.log <==
    Mar 16 00:13:22.998Z *****************************
    Mar 16 00:13:22.998Z fwcm-eventd stopped
    Mar 16 00:13:22.998Z *****************************
    Mar 16 00:13:22.998Z dbg Config reset done

    ==> fwcm-heartbeatd.log <==
    Mar 16 00:13:22.997Z *****************************
    Mar 16 00:13:22.997Z fwcm-heartbeatd stopped
    Mar 16 00:13:22.997Z *****************************
    Mar 16 00:13:22.997Z dbg Config reset done

    ==> fwcm-updaterd.log <==
    Mar 16 00:13:22.997Z eme *****************************
    Mar 16 00:13:22.997Z eme fwcm-updaterd stopped
    Mar 16 00:13:22.997Z eme *****************************
    Mar 16 00:13:22.997Z dbg PG DB Connection is closed


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
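
One way to check the logs listed in the reply above for that disable sequence, as an added example (not part of the original posts and not Sophos code). The function names `parse` and `summarize_disable`, the trimmed sample input and the year 2023 are assumptions made for illustration; the log lines themselves carry no year.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the reply above,
# kept in the same `==> file <==` layout.
SAMPLE = """\
==> applog.log <==
Mar 16 00:13:21Z opcode:poll_for_SSO - SSO poll success
Mar 16 00:13:21Z opcode:sophos_central_disable - in crdisable
Mar 16 00:13:21Z sophos_central_disable: Calling CM_disable_by_admin
Mar 16 00:13:22Z CM_disable_by_admin: Response code: 204
Mar 16 00:13:22Z opcode:sophos_central_disable - Stopped fwcm-updaterd
==> fwcm-eventd.log <==
Mar 16 00:13:22.998Z fwcm-eventd stopped
==> fwcm-heartbeatd.log <==
Mar 16 00:13:22.997Z fwcm-heartbeatd stopped
"""

HEADER = re.compile(r"^==> (\S+) <==$")
ENTRY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?)Z (.*)$")
STOPPED = re.compile(r"\b(fwcm-\w+) stopped$")
RESPONSE = re.compile(r"CM_disable_by_admin: Response code: (\d+)")

def parse(text, year):
    """Yield (timestamp, source_file, message); the caller supplies the year."""
    source = None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            source = m.group(1)
        elif m := ENTRY.match(line):
            stamp = m.group(1) if "." in m.group(1) else m.group(1) + ".0"
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f"), source, m.group(2)

def summarize_disable(text, year):
    """Summarize the sophos_central_disable sequence, or return None if it is absent."""
    events = list(parse(text, year))
    hits = [ts for ts, _, msg in events if "sophos_central_disable" in msg]
    if not hits:
        return None
    codes = [m.group(1) for _, _, msg in events if (m := RESPONSE.search(msg))]
    stopped = sorted({m.group(1) for _, _, msg in events if (m := STOPPED.search(msg))})
    return {"first_seen": min(hits), "response_codes": codes, "daemons_stopped": stopped}

if __name__ == "__main__":
    print(summarize_disable(SAMPLE, 2023))
```

The `first_seen` timestamp is the value to line up against the Log Viewer (Admin) entries and the time on the Sophos Central notification email; a `None` result means the pattern shown in the reply is not present in the supplied log text.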
  • Hi, here are the two emails. I will check the logs tomorrow.

  • Hello,

    So the second email says the account that disconnects the Firewall.

    You should be able to confirm who/IP might be logged on when this happened, specifically from the Log Viewer (Admin) view.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support