Why this user or computer can access to internet ?!

Hello there,

Adding to what Erick mentioned, do a GUI Packet Capture using the IP of the computer in question, and confirm which Firewall Rule is being used.

Regards, 

Hello Erick Jan & Emmanuel

yes the main authentication is on AD

so, i will doing Packet capture to confirme witch FW rule is being used

i will be back !

okay

when i check logviewer and filter by src ip, 

I found that this ip is related to a domain user (x)!
normally no, there should be a conflict
and this PC that I am testing on it, I use user01 and it is a local windows account which opens a local session on the PC
the PC took an ip address, but my problem is that in logviewer, I found a domain user (x) with this ip address logged in !!?
what happens?

Hello Fotit,

This is because the XG/STAS associates an IP with a User when the user first logs in.

This should be able to be avoided by using STAC, or by accessing first to the computer, with the local user.

Regards,

Hello,

but that doesn't solve my original problem

it is abnormal that you take any pc joined or not to the domain and when you create a local user (lambda) on this PC and you connect it to the network, the user is authorized to go on the internet !!.
ok i know that a domain user when he connects, stas associates an ip to this user, but it is not an association until the end of life..
so this pc that took an ip by dhcp, and that the user that opened a session does not exist on the domain, it is connected to the internet through an existing association, there is a lack of reliability heaps
And I don't know how to approach this problem

did you manage to understand my context

Thank you

Hello,

it is very unusual in a corporate network context that you use a local user account when your pc is joined to a domain.

Why do you work like this? Is there a reason?

Hello,

it is very unusual in a corporate network context that you use a local user account when your pc is joined to a domain.

Why do you work like this? Is there a reason?

Hello,

it's simple,

sometimes you want to test the security and configuration of your network and see if the security configurations put in place are functional
in my case I tested this, and I found that a pc can go to the internet with a user who is not authenticated by the authentication mechanism in place
so it's to be seen again.

How does STAS pickup this user? Because STAS monitors the AD. So somehow the STAS picked up the Login Event of this particular machine. You could check the STAS log on the server, if you see the login event. 

when you see the operating logic of STAS, it is impossible for it to retrieve the event of a login from a local user who has opened a session
the stas log database must only contain authenticated connections on the AD and the associated ip
I'm new in this company and I'm not very comfortable with sophos firewalls yet.
it seems that the fw authorizes this pc to go on the internet on the basis of an ip which already exists in the STAS logs,and somehow it doesn't care about the user

Essentially there is a logoff detection in place as well. So if you login to a computer using your domain creds and STAS tracks this event, it will push the IP+Username to SFOS. 

After a while, STAS will try to call the client via WMI to check, if this user is still logged in, and if not, will remove it from STAS/SFOS. 

I cannot see, how this process should be used for an local user in any way beside the WMI request. STAS can also poll the information via WMI: https://support.sophos.com/support/s/article/KB-000035623?language=en_US#:~:text=Log%20in%20to%20your%20Active,Detection%20method%20as%20Workstation%20Polling.

Maybe this method is getting your username + ip mapping? 

when i say local user, i talk about user local on computer, not local user on sophos..

Yes, that is what i mean. You will fetch this information via WMI as well. You can try it with the command in WMI as shown above.