STAS issues with Web protection Policy

Hello,

I have a big problem at a customer site.

We switched from UTM to Sophos XGS. We have configured STAS. There is a rule for Internet HTTP/HTTPS access. The rule is open for everyone.

I have configured a Web protection Policy. On top, everybody can access defined sites. After that there is a rule with defined AD Groups that can access all sites.

The issue now is that some users are randomly logged out and cannot access the sites. We noticed in the morning that a user is logged out several times on the firewall for about 30 minutes, and then after that point it was stable. The time range is always a different one.

I checked the WMI connectivity from STAS to the client IPs that the users with the issue connect from. Everything works.

I don't know where the problem comes from.

I also opened a ticket, but I hope someone can give me a hint where the problem may come from.

Thanks in advance

Andreas



  • You should disable the Logoff detection in the firewall and disable the STAS quarantine in SFOS.

    Then check if the GPO is pushed out as described here: https://support.sophos.com/support/s/article/KB-000035623?language=en_US


  • I found this in the best practice. Is it recommended to do it this way?

  • Disable the Inactivity detection on the firewall - Leave it on in STAS.

    Set the restriction on probe to NO on the firewall.

    Check the GPO as described above. 


  • OK, this is how I have configured it at the customer site.

    I tested with a PC which has the issue. The WMI check from the support article was successful.

    I then checked the Logs on the STAS.

    The following happened:

    The user was logged in and this appeared in the STAS log:

    DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_handle_duplicate_userinfo: userinfo matched

    DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_insert_userinfo: matching userinfo found

    So everything seems ok.

    Then later this came for the same workstation IP:

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: UserName: ADMINISTRATOR

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: DomainName: domain

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv6 WorkstationIP: :

    MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv4 WorkstationIP: x.x.x.x

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='x.x.x.x';

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: User 'domain.local\user1' found on 'x.x.x.x'

    DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: userinfo not matched

    MSG [0x1090] 15.12.2022 11:28:03 : wrkstpoll_handle_logoff_req: Request received from Logoff Detector

    The customer says that no login from Administrator was made. Is it possible that monitoring software or something like this authenticates against the PC and then STAS uses this user as the logged-in user?

    Should I set an exclusion for this kind of user (service users)?

  • Likely you should disable service users in STAS to avoid such login monitoring. 
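
The pattern in the log excerpt above can be searched for across a whole STAS log. The following Python sketch is an added example, not code from the thread or from Sophos: it flags every logon event that replaced a different user on the same workstation IP. The function names are hypothetical, and the sample is constructed from the thread's lines with the documentation address 192.0.2.10 in place of the masked IP.

```python
import re
from collections import Counter

# Layout from the thread's excerpt: LEVEL [0xTHREAD] DATE TIME : function: message
LINE = re.compile(r"^\s*(\w+) \[(0x[0-9a-f]+)\] (\S+ \S+) : (\w+): (.*)$")
FOUND = re.compile(r"User '(.+)' found on '(.+)'")

def find_displacements(lines):
    """Return (time, ip, previous_user, incoming_user) for each logon event
    that did not match the user STAS already held for that workstation IP."""
    pending, by_ip, existing, hits = {}, {}, None, []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        _level, tid, ts, func, msg = m.groups()
        if func == "init_userinfo_kerberos":
            # Fields of one logon event arrive as separate lines per thread id.
            key, _, value = msg.partition(": ")
            ev = pending.setdefault(tid, {})
            ev[key] = value.strip()
            if key == "IPv4 WorkstationIP":
                by_ip[ev[key]] = f"{ev.get('DomainName', '?')}\\{ev.get('UserName', '?')}"
                del pending[tid]
        elif func == "userdb_handle_duplicate_userinfo":
            found = FOUND.search(msg)
            if msg == "userinfo not matched" and existing:
                ip, previous = existing
                hits.append((ts, ip, previous, by_ip.get(ip, "?")))
            existing = (found.group(2), found.group(1)) if found else None
    return hits

def incoming_accounts(hits):
    """Count displacements per incoming account (candidates to review)."""
    return Counter(hit[3] for hit in hits)

# Constructed sample: the thread's lines with a documentation IP filled in.
SAMPLE = r"""
DEBUG [0x1090] 15.12.2022 10:25:44 : userdb_handle_duplicate_userinfo: userinfo matched
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: UserName: ADMINISTRATOR
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: DomainName: domain
MSG [0x10e8] 15.12.2022 11:28:03 : init_userinfo_kerberos: IPv4 WorkstationIP: 192.0.2.10
DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: User 'domain.local\user1' found on '192.0.2.10'
DEBUG [0x1090] 15.12.2022 11:28:03 : userdb_handle_duplicate_userinfo: userinfo not matched
MSG [0x1090] 15.12.2022 11:28:03 : wrkstpoll_handle_logoff_req: Request received from Logoff Detector
"""

if __name__ == "__main__":
    print(find_displacements(SAMPLE.splitlines()))
```

Accounts that keep appearing as the incoming user while nobody logged in interactively are the ones to review for exclusion in STAS.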
