Why can't clientless users be reactivated after disconnection?

I tried to cut off the network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the Policy, but... I was not able to reactivate that client. Changing the status to off and again to on did not help. The clientless "user" stayed in the Disconnected state until a firewall reboot.

Is it a bug or a feature?

  • Slawski,

    I noticed this behavior too since beta 5.

    In my case the clientless users reappear when the device gets its IP from the XG DHCP server scope.

    I did not test the behavior with a device with a static IP, but the clientless feature is still a bit confusing.

    On v15 the XG was automatically reconnecting all the clientless users every day (there is a question of mine on it), but now something has changed.

    We expect more info from Sachin or Prateek.

  • Hi All,

    XG does the accounting of clientless users daily before midnight (12:00 AM). I also tested this on my device, on version v15 MR3, and I was able to re-enable the user easily.

    Try restarting the tomcat service on the XG and verify whether the clientless user gets activated.

    Thanks

  • I don't agree. You don't need a clientless user just to give a device access to the Internet (or generally to use a policy). You can do it without any user identification at all: just configure Network rules for all of those devices.

    A clientless user adds the ability to track that specific device's network usage but does not require it to authenticate. So a request (or rather an idea) to detect device activity and track it is not unreasonable in my opinion.

  • Hi Slawski,

    I am starting to agree with your view over this. Great answer. Please post any further reporting suggestions on the thread Luk started separately.

    Thanks

  • Sachingurung,

    do you have any update on this behaviour?

    Thanks

  • Hi Slawski, Luk

    I have tested this in my local lab. I agree with your view about not creating a clientless user just to give a device access to the Internet. But I also believe that I would want to apply all the policies of the live user to the clientless user without creating another firewall rule.

    P.S. A clientless user is a live user and its traffic traverses the same rule as all other users. For example, if I create a clientless user for an IP phone, its traffic passes through the same policies as my user policies do, therefore if any user uses the IP phone's computer jack to bridge it to their PC, they would still go through the same policy. Also, if your IP phone is smart with a built-in browser, you may end up with two different policies and the user may access blocked content on the phone browser :)

    When you create/add a clientless user to the device, the device will put that user into the live users list (authenticated by default).

    When you disconnect the clientless user from the live users list, you are explicitly deleting the live user from the list. The only cases I can think of when you would want to disconnect the clientless user are when you want to stop providing Internet access to a particular device/IP, or when the device no longer exists in your network.

    Instead of explicitly disconnecting the device, you can:

    1. Delete the device from the clientless users list

    2. Toggle the status (Active/Inactive)

    P.S. There is no need for a reboot: when you toggle the status from inactive to active, the clientless user appears again in the live users list (I tested this in my lab on XG v16); please see the screenshots below.

    Hope that helps.

    Regards,

  • Thanks Varun,

    I tested it and it works. In this way we can disconnect a live user from processing traffic and enable it again when it is needed.

    A Disconnected status (even with the time, inside the Clientless tab) will help admins understand whether the clientless user has been disconnected and who did it.

    Searching the log can be done, but for the moment the logs go away when the XG reboots.

    I like this approach, anyway!

    Thanks

  • varunparikh said:

    1. Delete the device from the clientless users list

    2. toggle status (Active/Inactive)

    Point 1 doesn't make any sense. Why would you delete a user that you want to temporarily disconnect? Just to recreate them again to give them access later on and create extra work for yourself?

    Point 2 makes sense and it has always worked correctly for me, even when I disconnect a clientless user, as I can change the status and make the user inactive and active again to bring the user back online. However, I think the feature is not working as expected for  and he has to reboot the firewall for it to work. So his point still stands: why have you guys added the disconnect button if you want us to then go back and change the user status to inactive?

    In addition, there could be countless reasons to disconnect a user, and not just that you want to delete them permanently, but that is not the point of this discussion.

  • Hello Billy,

    The disconnect button is not only for clientless users; it can be used for all user types.

    I agree there are countless reasons to disconnect a user.

    Regards,

  • The log viewer is on the cache, so it goes away with the reboot.

    But you can find these logs under Reports -> Events.

    Regards,

  • Bill,

    I think that the disconnect button makes sense... let me give an example: you are running out of bandwidth, so the first thing you do is use the Connection list or Flow Monitor (Sophos, we need this back) and see who is consuming this bandwidth. In one place you have all the users and devices, so a Disconnect button makes sense; otherwise you have to write down the most consuming users in a notepad and go to Authentication > Users/Clientless users and change the status.

    Also this is time consuming and you do not see the real situation (a gap exists between the time you look at the Connection list and the time you change the status).

    What I am complaining about is that Sophos did not explain the clientless behaviour in any documentation: if they are disconnected, when are they reconnected again?

    On v15, if you have disconnected a clientless user, they are automatically authenticated again after 24 hours.

    On v16, if you disconnect a clientless user, this user is disconnected forever. If you reboot the XG, all clientless users are automatically authenticated.

    I like the behaviour on v16, but without Varun's answer we did not know how to reconnect them.

    Sophos has to pay attention to that! There are some threads on clientless users and live users because no one has explained it or written it in the documentation.

    Look at the online doc:

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FLiveUserManage.html%23

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FClientLessUserManage.html

    So Sophos, please make sure to integrate this behaviour into the documentation in the next build/release.

    Thanks
