
Why can clientless users not be reactivated after disconnection?

I tried to cut off network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the Policy but... I was not able to reactivate that client. Changing status to off and again to on did not help. The clientless "user" had been in Disconnected state until firewall reboot.

Is it a bug or a feature?



  • Bill,

    I think that the disconnect button makes sense... let me give an example: you are running out of bandwidth, so the first thing you do is to use Connection list or Flow Monitor (Sophos, we need this back) and see who is consuming this bandwidth. In one place you have all the users and devices, so a Disconnect button makes sense; otherwise you have to type down the most consuming users on a notepad and go to Authentication > Users/Clientless users and change the status.

    Also this is time consuming and you do not have the real situation (gap exists between the time you look at the Connection list and time to change the status).

    What I am complaining about is that Sophos did not explain the clientless behaviour in any documentation: if they are disconnected, when are they reconnected again?

    On v15, every day, if a clientless user is disconnected, they are automatically authenticated after 24 hours.

    On v16, if you disconnect a clientless user, this user is disconnected forever. If you reboot XG, all clientless users are automatically authenticated.

    I like the behaviour on v16, but without Varun's answer, we did not know how to reconnect them.

    Sophos has to pay attention to that! There are some threads on Clientless users and live users because no one has explained or written it inside the documentation.

    Look at the online doc:

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FLiveUserManage.html%23

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FClientLessUserManage.html

    So Sophos, please make sure to integrate this behaviour into the documentation in the next build/release.

    Thanks

  • Thanks for the answer, but you haven't addressed the main issue. In the current development state the "disconnect" button is virtually useless because you don't have any means of reverting its action and you can do everything you need without that button.

    If you want to disable the user - change its status - that's ok. If you want to delete the user completely - then go and delete it. But what function does the "Disconnect" button have which is not in the previous ones?

    In my opinion the current behaviour is just a bug. It was supposed to work on "Live Users" - we are talking about Current Activity -> Live Users view. We can "disconnect" normal users and they may reconnect, but somebody has forgotten that "clientless users" are not able to log in again. In v15 - it worked as it should. Disconnect is a disconnect and the clientless user will reappear after midnight (or 24h - I don't remember). But in V16 it is badly broken.

    On the other hand, if you want to compare clientless and normal users, please have a look at their properties. There are lots of things you can't set for Clientless and you can for a normal user. I think clientless users should function exactly the same way as normal ones and the only difference should be that the firewall "authenticates" them just by the IP used.

  • I stopped using v15 very early so apologies for not understanding the exact differences. I get exactly what  is saying now. The disconnect button for a clientless user is a permanent action in v16. In v15 the clientless users came back and reconnected after 24 hrs (midnight) without any further interaction from the firewall admin. So disconnection was like a temporary ban till midnight in v15.

    In v16 disconnect is functioning like the disable button for clientless users; they will not reconnect unless the firewall is rebooted. I agree that this is a bug and needs to go back to v15 behavior. Otherwise the disconnect button in the clientless users case is functionally identical to the disable button.

    I also agree about the intentionally handicapped functionality of clientless users. There should be absolutely no difference between clientless and regular users other than the way that they authenticate.

    Regards

    Bill

  • Sophos XG SFOS 16.05.7 MR-7

    Still have the same issue with clientless users. They will not re-activate until the firewall is rebooted, a really impractical way to operate.

    Business is active during the day. Clientless user deactivated in the morning. Why must I wait until after hours to re-enable that clientless user? I can only restart the firewall when the business is closed, causing me to have to work late.