XGS107s behind XGS3100 can't be remoted using central

We have (3) XGS107 which offices use to connect to our hub.  At our hub we have XGS3100.  The XGS107's function as routers.

The XGS107 traffic must pass through the XGS3100, to get to Sophos Central.

We were able to access the XGS107's via central for remote control when installed in Aug until about a month ago. 

We can NO longer use central to remote connect to XGS107 GUI.  

I can access all XGS107 directly from within our private network via HTTPS GUI.

All of the XGS107 are Sync'd with central, they can obtain new policies / rules.

I've tried capturing packets on the XGS3100 to see if it is blocking, but no luck.  -- Ideas ?

Q:  IS there a LOG on the XGS107 that records central activity, specifically Central https admin access attempts?

which shows TimeDate, IP address of XGS107, port, Destination IP, port (central), etc?



  • Hi,

    Can the XGS107 see the internet, e.g. do the firmware updates happen?
    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I can log in to the GUI console and DL firmware updates.  Current 19.5

  • What restrictions are placed on its internet access?

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • This device must pass through another upstream XG prior to getting to the internet.  It will create a backup on demand from central, so I know it can communicate and send backups to central & via email.  I grabbed some logs; here are some snippets:

    SophosCentral.log

    SAME stuff for a few months previous

    2023-02-13 19:00:36Z INFO central-refresh[3887]:80 main:: - Refreshing access_token for Sophos Central
    2023-02-13 19:45:39Z INFO central-refresh[27951]:80 main:: - Refreshing access_token for Sophos Central
    2023-02-13 20:30:40Z INFO central-refresh[20625]:80 main:: - Refreshing access_token for Sophos Central

    CentralManagement.log

    2023-02-13 20:39:27Z INFO central-connect[25238]:221 main:: - Polling for SSO to PIC-URI [https://dzr-utm-amzn-us-west-2-fa88.upe.p.hmr.sophos.com]/sophos/api/v1/firewalls/X10108W2M8GTQD3/sshTunnel Timezone: America/Chicago
    2023-02-13 20:39:28Z INFO central-connect[25238]:271 main:: - got response of poll for SSO. Status: requested backupExpected:
    2023-02-13 20:40:00Z INFO central-connect[25589]:221 main:: - Polling for SSO to PIC-URI [https://dzr-utm-amzn-us-west-2-fa88.upe.p.hmr.sophos.com]/sophos/api/v1/firewalls/X10108W2M8GTQD3/sshTunnel Timezone: America/Chicago
    2023-02-13 20:40:00Z INFO central-connect[25589]:271 main:: - got response of poll for SSO. Status: requested backupExpected: REQUESTED
    2023-02-13 20:40:02Z INFO central-connect[25603]:286 main:: - Getting backup upload info from PIC-URI [https://dzr-utm-amzn-us-west-2-fa88.upe.p.hmr.sophos.com]

    CSC.log - Has a bunch of stuff, not sure if applicable or good idea to post here.

    NOT a word about not being able to "Talk" or making a connection to central for remote configuration.

  • I am comparing logs: Sophos FW is direct connectable from Central - applog.log

    You can see that it is getting a list of Sophos infrastructure IPs when I request firewall management / (remote config) from central.

    Feb 13 21:26:59Z opcode:poll_for_SSO - SSO poll success
    Feb 13 21:27:05Z manage_fqdn_ipset: Request for Subsystem ID: 674 of Type: 1 and Action: add.
    Feb 13 21:27:05Z Type: FQDN HOST IPSET entry add/updated Successfully.
    Feb 13 21:27:05Z manage_fqdn_ipset: Request for Subsystem ID: 674 of Type: 1 and Action: delete.
    Feb 13 21:27:05Z Type: FQDN HOST IPSET entry add/updated Successfully.
    Feb 13 21:27:05Z TLV output: 674,1,162.159.200.1,129.250.35.251,64.251.10.152,64.62.194.188,138.197.15.27,74.6.168.72,66.85.78.80,162.159.200.123,38.17.55.111,73.61.36.59,129.146.193.200,142.147.88.111,216.66.48.42,17.253.2.123,69.164.198.192,147.182.226.62,204.93.207.11,171.66.97.126,137.190.2.4,23.131.64.12,198.137.202.56,20.190.12.161,104.156.229.103,209.126.83.42,38.229.56.9,24.214.53.97,155.248.196.28,23.131.160.7,38.229.57.9,204.2.134.162,96.248.124.200,147.182.158.78,64.79.100.197,75.146.106.189,108.61.56.35,162.220.14.14,66.220.10.2,72.30.35.88,66.220.9.122,209.94.190.139,38.229.52.9,44.190.40.123,45.33.53.84,172.107.84.94,69.64.225.2,12.167.151.1,159.203.82.102,198.60.22.240,5.161.111.190,45.33.103.94,38.17.55.196,104.171.113.34,64.142.54.12,69.89.207.99,204.93.207.12,192.48.105.15,216.229.0.50,64.62.194.189,159.65.174.140,157.245.141.244,104.236.116.147,142.202.190.19,45.55.58.103,45.79.51.42,50.205.57.38,216.229.4.66,38.229.53.9,38.229.62.9,72.14.183.239,140.82.42.212,209.50.63.74,206.82.28.3,108.61.73.243,104.194.8.227,205.233.73.201
    Feb 13 21:27:10Z opcode:hbtrust_synchronize - starting

    This one is from a Sophos FW on our LAN, and works as a router, connecting one location to another on internal network.

    It doesn't ever get the FQDN HOST IPSET data from central.

    This device can send backups to central on demand so it has communication, and is in SYNC, NO remote config. -- Times out

    The following is repeated in logs many times.....

    Feb 13 21:30:53Z heartbeat_ipset: sets restored
    Feb 13 21:30:53Z function:hbtrust_response - starting
    Feb 13 21:30:53Z function:hbtrust_response - returned with SUCCESS; hb_availability [ 1 ]; request->{cloud_hb_availability} [ 1 ]
    Feb 13 21:30:53Z function:hbtrust_response - successfully synchronized
    Feb 13 21:30:53Z function:hbtrust_response - call c_rehash on /conf/sysfiles/heartbeatd/ca-certificates
    Feb 13 21:30:53Z opcode:hbrust_synchronize - successful
    Feb 13 21:31:06Z appliance key is XXXXXXXXXXXXXXXXXX
    Feb 13 21:31:08Z opcode:poll_for_SSO SSOD Service Status: RUNNING SSO Status: requested
    Feb 13 21:31:08Z opcode:poll_for_SSO - firmwareupgrade flag
    Feb 13 21:31:08Z opcode:poll_for_SSO - backup flag
    Feb 13 21:31:08Z opcode:poll_for_SSO - SSO poll success
    Feb 13 21:31:21Z getpublickey success Key: XXXXXXXXXXXXXXXXXXXXXXXXXX
    Feb 13 21:31:39Z appliance key is XXXXXXXXXXXXXXXXX
    Feb 13 21:31:41Z opcode:poll_for_SSO SSOD Service Status: RUNNING SSO Status: requested
    Feb 13 21:31:41Z opcode:poll_for_SSO - firmwareupgrade flag
    Feb 13 21:31:41Z opcode:poll_for_SSO - backup flag
    Feb 13 21:31:41Z opcode:poll_for_SSO - SSO poll success
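The comparison above comes down to one observable difference: the firewall that can be remotely managed gets a `manage_fqdn_ipset ... Action: add` followed by a `TLV output:` line carrying the Central infrastructure IPs, while the one that cannot only ever shows `SSO poll success` with `SSO Status: requested` and never receives that ipset. The following Python script is an added example, not from the thread or from Sophos, that folds an `applog.log` into that verdict so the two devices can be compared mechanically. It assumes the line formats quoted above are stable (the regexes are written against those exact strings) and uses samples trimmed from the two logs in the post; the working firewall's TLV line is cut to five addresses.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Patterns for the applog.log lines quoted in the thread (assumed stable;
# adjust them if your firmware version formats these lines differently).
SSO_SUCCESS = re.compile(r"opcode:poll_for_SSO - SSO poll success")
SSO_STATUS = re.compile(r"SSO Status: (\w+)")
IPSET_ADD = re.compile(r"manage_fqdn_ipset: Request for Subsystem ID: \d+ of Type: \d+ and Action: add")
TLV_OUTPUT = re.compile(r"TLV output: \d+,\d+,(.+)$")
# The quoted log spells this opcode both "hbtrust" and "hbrust"; match either.
HB_SYNC_OK = re.compile(r"opcode:hb\w*_synchronize - successful")


@dataclass
class CentralState:
    sso_polls_ok: int = 0
    sso_statuses: List[str] = field(default_factory=list)
    ipset_adds: int = 0
    infra_ips: List[str] = field(default_factory=list)
    heartbeat_sync_ok: bool = False

    @property
    def remote_mgmt_ready(self) -> bool:
        # The working firewall in the thread shows both: a successful SSO poll
        # and the FQDN HOST IPSET populated with Central infrastructure IPs.
        return self.sso_polls_ok > 0 and self.ipset_adds > 0 and bool(self.infra_ips)


def parse_applog(lines: Iterable[str]) -> CentralState:
    """Fold applog.log lines into a CentralState summary."""
    state = CentralState()
    for line in lines:
        if SSO_SUCCESS.search(line):
            state.sso_polls_ok += 1
        m = SSO_STATUS.search(line)
        if m:
            state.sso_statuses.append(m.group(1))
        if IPSET_ADD.search(line):
            state.ipset_adds += 1
        m = TLV_OUTPUT.search(line)
        if m:
            for token in m.group(1).split(","):
                try:
                    state.infra_ips.append(str(ipaddress.ip_address(token.strip())))
                except ValueError:
                    continue  # ignore anything in the TLV that is not an address
        if HB_SYNC_OK.search(line):
            state.heartbeat_sync_ok = True
    return state


def diagnose(state: CentralState) -> str:
    """One-line verdict in the terms the thread uses."""
    if state.remote_mgmt_ready:
        return "remote management ready: SSO polled, %d Central infrastructure IPs in FQDN ipset" % len(state.infra_ips)
    if state.sso_polls_ok == 0:
        return "no successful SSO poll: firewall is not reaching Central at all"
    if state.ipset_adds == 0 or not state.infra_ips:
        note = " (heartbeat sync is fine, so basic connectivity exists)" if state.heartbeat_sync_ok else ""
        return "SSO polls succeed but FQDN HOST IPSET is never populated: the tunnel IP list is not arriving" + note
    return "inconclusive: review the full applog.log"


# Constructed samples, trimmed from the two logs quoted in the thread.
WORKING_LOG = [
    "Feb 13 21:26:59Z opcode:poll_for_SSO - SSO poll success",
    "Feb 13 21:27:05Z manage_fqdn_ipset: Request for Subsystem ID: 674 of Type: 1 and Action: add.",
    "Feb 13 21:27:05Z Type: FQDN HOST IPSET entry add/updated Successfully.",
    "Feb 13 21:27:05Z TLV output: 674,1,162.159.200.1,129.250.35.251,64.251.10.152,64.62.194.188,138.197.15.27",
    "Feb 13 21:27:10Z opcode:hbtrust_synchronize - starting",
]
FAILING_LOG = [
    "Feb 13 21:30:53Z function:hbtrust_response - successfully synchronized",
    "Feb 13 21:30:53Z opcode:hbrust_synchronize - successful",
    "Feb 13 21:31:08Z opcode:poll_for_SSO SSOD Service Status: RUNNING SSO Status: requested",
    "Feb 13 21:31:08Z opcode:poll_for_SSO - SSO poll success",
    "Feb 13 21:31:41Z opcode:poll_for_SSO SSOD Service Status: RUNNING SSO Status: requested",
    "Feb 13 21:31:41Z opcode:poll_for_SSO - SSO poll success",
]

if __name__ == "__main__":
    for name, log in (("working", WORKING_LOG), ("failing", FAILING_LOG)):
        print(name, "->", diagnose(parse_applog(log)))
```

Run it against the real file with `parse_applog(open("/log/applog.log"))` (path is an assumption; use wherever your firmware keeps it). A device that reports "SSO polls succeed but FQDN HOST IPSET is never populated" is in exactly the state the second log above shows: heartbeat and backups work, but the address list needed to bring up the management tunnel never arrives.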

  • Logs compare 1 FW, which can be remote configured from central vs another which cannot....

  • Is SSH free for this firewall? 


  • I can SSH from LAN.  I obtained logs that way.

  • I mean, can the firewall reach Central via Port 22 ? 
    Central uses 443 and 22 outbound. This means SSH and 443 need to be open. 
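The reply above names the two outbound TCP ports the firewall needs to reach Central on. The following Python probe is an added example, not from the thread or from Sophos, that checks both ports from the XGS107's side of the upstream XGS3100 and reports which, if any, do not answer. It assumes Python is available on a host behind the XGS107 (or on the firewall's shell); the Central hostname is not hard-coded, you pass the PIC-URI host your own `CentralManagement.log` shows. Without an argument it demonstrates itself against a loopback listener so it runs offline.

```python
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Outbound TCP ports the reply above says the firewall needs to reach Central on.
CENTRAL_PORTS = (443, 22)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout; any
    refusal, timeout or DNS failure counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(host: str, ports: Iterable[int] = CENTRAL_PORTS, timeout: float = 3.0) -> Dict[int, bool]:
    """Probe each port once and report reachability per port."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that did not answer, sorted, for a one-line summary."""
    return sorted(port for port, ok in results.items() if not ok)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Loopback listener on an ephemeral port so the probe can be exercised
    offline; the kernel completes the handshake from the backlog, no accept needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Real use: python3 egress_check.py <host from the PIC-URI in your CentralManagement.log>
    if len(sys.argv) > 1:
        results = check_egress(sys.argv[1])
        for port, ok in results.items():
            print("tcp/%d %s" % (port, "open" if ok else "BLOCKED or unanswered"))
        print("blocked outbound ports:", blocked_ports(results) or "none")
    else:
        # Offline demo against loopback: one listening port, then the same port closed.
        srv, open_port = start_local_listener()
        print("127.0.0.1:%d reachable:" % open_port, tcp_reachable("127.0.0.1", open_port))
        srv.close()
        print("127.0.0.1:%d reachable after close:" % open_port, tcp_reachable("127.0.0.1", open_port))
```

A port that comes back blocked from behind the XGS3100 but open from a host that egresses directly points at the upstream firewall's rules for that path; if both ports are open from both places, the 443/22 egress is not what is keeping the SSO tunnel in the `requested` state.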
