
STAS and User logging not working as expected

Hi all,

Hoping someone can point me in the right direction.

I have enabled STAS on our Sophos XG.
I can see user showing on the STAS Agent on the server.

I have also added the server to the XG on the Auth List and connections pass without issue.
I have imported the Group "Domain Users" into the XG from the Connected Server.

Now my issue is that when I set my firewall rule to "match known users" and select "Domain Users" as the group, no traffic flows via this rule; however, if I set the group to "ANY", traffic flows through it as expected.

How can I set this rule for domain users only?



  • Hello,

    Thank you for reaching out to the community. We can see that the users under the STAS live user list are authenticated with logon type 3.
    This means that when the Agent is running on a Member Server and NOT on the Domain Controller (DC), the Logon Type is 3 instead of 2. Logon Type 3 came with STAS v2.5 and above. Is the rule in question created at the top of all the FW rules? Can you share the Diagnostics > Packet capture output, once when you have set it to "ANY" and once when you have kept it as "Domain Users"?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Sure, I will give it a go.
    Any filters in particular that I need to set?

    Yes, the user-based rule is above the non-user-based rule.
    These are the only two LAN to WAN rules I have.

  • Monitor traffic using Packet Capture Utility : https://support.sophos.com/support/s/article/KB-000035761?language=en_US
    You can use the source client IP as the host to filter the traffic flow.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Set to domain users

    Ethernet header
    Source MAC address:74:8*******
    Destination MAC address: 7c:5*******
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:10.2******
    Destination IP address:91.1******
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 40 Bytes
    Identification:38899
    Fragment offset:16384
    Time to live: 128
    Checksum: 64579

    TCP Header:
    Source port: 57568
    Destination port: 443
    Flags: ACK
    Sequence number: 249620782
    Acknowledgement number: 1008359775
    Window: 1026
    Checksum: 54549

    Set to ANY

    Ethernet header
    Source MAC address:74:8*******
    Destination MAC address: 7c:5*******
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:10.2*****
    Destination IP address:91.1*****
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 40 Bytes
    Identification:39059
    Fragment offset:16384
    Time to live: 128
    Checksum: 64419

    TCP Header:
    Source port: 57568
    Destination port: 443
    Flags: ACK
    Sequence number: 249620782
    Acknowledgement number: 1008940507
    Window: 1026
    Checksum: 63632
