After upgrading one XGS and XG from 18.5 MR3 to MR4 we have issues with our Sophos Central managed APX Accesspoints showing as offline in Central after between 30 and 60 minutes after the upgrade of the Firewall.
I identified the following issue:
The APs have a firewall rule allowing them to connect to Sophos Central Domains including HTTPS. No Webfiltering is enabled on the FW Rule.
They connect to wifi-cloudstation-eu-central-1.prod.hydra.sophos.com
In the firewall rule we have multiple Sophos Wildcard * DST FQDN.
The *prod.hydra.sophos.com FQDN Host we have already in the rule should match the destination IP but does not.
The * FQDN resolves correctly on XG/S:
But the traffic created by the APs does not hit the rule and drops at our drop+log rule.
We need to workaround and create a new FQDN host for wifi-cloudstation-eu-central-1.prod.hydra.sophos.com and add that to the same firewall rule and then it works. The new FQDN host resolves the same three IPs that are already resolved by the wildcard FQDN.
I can see the traffic in the TLS DPI log.
Edited TAGs
[edited by: Erick Jan at 2:52 AM (GMT -8) on 15 Nov 2022]
