STAS issues with Web protection Policy

Hello,

I have a big problem at a customer site.

We switched from UTM to Sophos XGS. We have configured STAS. There is a rule for Internet HTTP/HTTPS access. The rule is open for everyone.

I have configured a Web protection Policy. On top, everybody can access defined sites. After that there is a rule with defined AD Groups that can access all sites.

The issue now is that some users are randomly logged out and cannot access the sites. We noticed in the morning that a user is logged out several times on the firewall for about 30 minutes, and then after that point it was stable. The time range is always a different one.

I checked the WMI connectivity from STAS to the client IPs that the users with the issue connect from. Everything works.

I don't know where the problem comes from.

I also opened a ticket, but I hope someone can give me a hint where the problem may come from.

Thanks in advance

Andreas



  • Disable the Inactivity detection on the firewall - Leave it on in STAS.

    Set the restriction on probe to NO on the firewall.

    Check the GPO as described above. 


  • OK, this is how I have configured it at the customer site.

    I tested with a PC which has the issue. The WMI check from the support article was successful.

    I then checked the logs on the STAS.

    The following happened:

    The user was logged in and this appeared in the log from STAS:

    DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_handle_duplicate_userinfo: userinfo matched

    DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_insert_userinfo: matching userinfo found

    So everything seems ok.

    Then later this came for the same workstation IP:

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: UserName: ADMINISTRATOR

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: DomainName: domain

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv6 WorkstationIP: :

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv4 WorkstationIP: x.x.x.x

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='x.x.x.x';

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: User 'domain.local\user1' found on 'x.x.x.x'

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: userinfo not matched

    MSG [0x1090] 15.12.2022 11:28:03 : wrkstpoll_handle_logoff_req: Request received from Logoff Detector

    The customer says that no Login from Administrator was made. Is it possible that a monitoring software or something like this authenticates against the PC and then STAS uses this user as logged in user?

    Should I set an exclusion for this kind of user (service users)?
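
An added example, not part of the original thread and not Sophos code: a small parser that scans a STAS debug log for the pattern shown in the post above, where a logon event for one account does not match the user already mapped to a workstation IP. It assumes the line layout quoted above and that a `UserName` line opens each logon block; the address 192.0.2.10 is constructed and stands in for the masked IP.

```python
import re

# Constructed sample in the format of the STAS log lines quoted above
# (192.0.2.10 is a documentation address standing in for the masked x.x.x.x).
SAMPLE_LOG = r"""
DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_handle_duplicate_userinfo: userinfo matched
DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_insert_userinfo: matching userinfo found
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: UserName: ADMINISTRATOR
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: DomainName: domain
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv4 WorkstationIP: 192.0.2.10
DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: User 'domain.local\user1' found on '192.0.2.10'
DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: userinfo not matched
MSG [0x1090] 15.12.2022 11:28:03 : wrkstpoll_handle_logoff_req: Request received from Logoff Detector
"""

LINE = re.compile(r"^\s*\w+ \[0x[0-9a-fA-F]+\] (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) : (\w+): (.*)$")
FOUND = re.compile(r"User '([^']+)' found on '([^']+)'")

def find_displacements(log_text):
    """Return (timestamp, ip, previous_user, new_user) for every logon event
    that did not match the user STAS already had mapped to that IP."""
    events, logon, mapped = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, func, msg = m.groups()
        if func == "init_userinfo_kerberos":
            key, _, value = msg.partition(": ")
            if key == "UserName":
                logon = {}  # assumption: UserName opens a new logon block
            logon[key] = value.strip()
        elif func == "userdb_handle_duplicate_userinfo":
            found = FOUND.search(msg)
            if found:
                mapped = found.groups()  # (user, ip) currently in the user db
            elif msg.strip() == "userinfo not matched" and mapped:
                user, ip = mapped
                if logon.get("IPv4 WorkstationIP") == ip:
                    new = f"{logon.get('DomainName', '?')}\\{logon.get('UserName', '?')}"
                    events.append((ts, ip, user, new))
                mapped = None
            else:
                mapped = None  # "select query" / "userinfo matched" reset state
    return events

if __name__ == "__main__":
    for event in find_displacements(SAMPLE_LOG):
        print(event)
```

Grouping the results by the new account name over a full day's log shows which accounts repeatedly displace real users and are candidates for exclusion in STAS.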

  • Likely you should disable service users in STAS to avoid such login monitoring. 


  • So it's likely that this is the problem?

  • Just another question. Are multiple logins with the same user on different workstations a problem?

  • STAS will only reflect the recent Login and replace those. WMI will only offer one Login, so the recent login is verified and if this does not match with the current user, it will be logged off. 


  • Sorry, I have just one more question. There are 2 domain controllers. I have installed the STAS Suite on both, rather than only the agent on one of them. Is this OK, or is it necessary to install the Suite on only one domain controller and only the STAS Agent on the other?