SFM - I built one

My SFM cannot see my XG even thought the test conenction is successful. I have the XG registered in my DYDNS account and this is shown as being conected and up todate.

The SFM runs as a VM client behind a UTM.

Last registered date is the 14th of march 2016, today being the 20th Mar 2016.

What has happened since

1/. the XG was restarted

2/. UTM was upgraded to 9.400-9

3/. the UTM was restarted a number of times while trying to resolve an issue with the AP10.

Any ideas as to how to make the SFM see the XG?

• SFM device page (System Management --> Device Settings --> Managed Device --> Devices)  screenshot
• XG device Central management page (System --> Administration--> Central Management) screenshot
• XG  Admin Console HTTPS Port value (System --> Administration --> Setting Page)  ____  ?
• XG device Serial Number _____?
  

Regards,

Ravi

serial number:-  c01001jpjvgf667

Hi Ian,

Can you elaborate more on your issue? Are you not able to add XG device in SFM ?

Regards,

Ravi

Hi Ravi,

I have added the XG to the SFM, but it is disconnected.

The XG is registered in dydns.

.2656.sfm-1.tiff

Itt was connected long enough to download the configuration.

Also other issues

1/. I do not receive any notifications from the SFM even though the test connection is successful.

2/. does not appear to be able to handle the UTM acting as a relay agent. I think that is a request for the XG as well.

3/. even though you disable port 80 access using the system settings -> administration -> device access you are still not able to remove port 80, system settings -> administration -> settings. You can change the value of the port then you receive a warning to change the settings in the devices as well.This implies that something in the SFM is still iistening on that port, not very secure.

I have added a NAT rule to my UTM 9.4 to allow the heartbeat port 6514 to be directed to the SFM. I am not sure how often a heartbeat is sent, but so far at least 30 minutes no update of status.

Another little issue, is how do you name the SFM?

Looking at the XG logs I see many failed to send heartbeat the sfm as well as failed updates reports. I have turned off sfm will send updates until I fix this communication issue.

I think I must be missing a setting in the XG that allows the heartbeat to be sent? Do I need a specific allow outgoing heartbeat policy from the XG?

Hi Ian,

User do not have to do any setting in the XG for heartbeat to be send.User have to just add SFM IP in Central Management page of XG and heartbeat communication start between SFM and XG.Heartbeat is sent every 1 minute from XG to SFM.

Please go to advance shell of XG and check tcpdump for port 6514 using below command and check the connection was successful or not.

tcpdump -n port 6514

Please provide below detail to check issue further.

SFM device page (System Management --> Device Settings --> Managed Device --> Devices)  screen-shot
XG device Central management page (System --> Administration--> Central Management) screen-shot
XG Admin Console HTTPS Port value (System --> Administration --> Setting Page) ____  ?
SFM test connection page screen-shot (System Management --> Device Settings --> Managed Devices --> Devices)

Regards,

Ravi

I will try again for the 4th time to attach the reqested information This site is so difficult to do simple things like add files.

I have added 1 file, which does not show. Some of us do not use word or MS products. Now two files, but nothing shows.

Now 3 files and still none show. Now 2 more files and still nothing shows.

Hi Ravi,

another attempt to load the information you requested.

http://www.pbase.com/edit_gallery/ianm_au/xgstuff

Hi Ravi,

not sure why I have another page.

www.pbase.com/.../xgstuff

Hi Ravi,

not sure why I have another page.

www.pbase.com/.../xgstuff

Hi Ian,

From the  screenshot of SFM and XG ,we are able to derive that configuration part is correct.

As per tcpdump screenshot of XG, there is communication issue between XG device and SFM. Packets from XG is getting out from XG but packets are not coming from SFM side to XG device.

Please check NAT rule of UTM 9 device for 6514 port.Have you configure the NAT rule in UTM  with Full NAT option (Source + Destination) ?

Ravi

After the upgrade completed I am still receiving failed to send messages in the log?

what is required to make this work?

Hi Ravi,

I have been working interstate, that is why the response is a little delayed.

I didn't setup a full NAT on the UTM 9.4. I treated this the same way as I treat the SUM access using specific ports. I will change the SFM nat and advise the results.

Hi Ravi,

I have changed the NAT to a full src/dest NAT. Now the UTM 9.4 shows white log lines of SyN packets only. The SFM does not show the XG.

Please advise further.

Hi Ian,

Please generate ticket in Sophos support by emailing your issue at support@sophos.com to troubleshoot issue further.

Ravi

Hi Ravi,

thank you for the suggestion, but as home user I am not allowed to do that.

2500.Port Communication.docx

Hi Ian,

I am sending you document of  port communication required between XG and SFM when XG is behind NAT.Hope it will help you.

Ravi

Hi Ravi,

thank you for the document. Too late to try it out to night, so will try tomorrow night.

Hi Ravi,

the XG interfaces the internet directly. The packets are arriving at the UTM 9.4 and being translated by the NAT rule and show as white.  There aren't any logs about the SFM in the SFM to assist with the debugging. There are logs about the devices being monitored which are of not much use when debugging SFM connections. The SFM can test access to the XG successfully.

I have tried using 443 and 6514 as the connection port, but neither worked.

Ian,

I do not know if SFM has tcpdump command, but I would like to know if you can share a TCPDUMP output from it and see what is happening!

Thanks.