Client-less User Bulk add appears to corrupt entries

Perhaps someone else can test this process and see if you likewise get broken results.

Brief Background:

  • 12-year UTM reseller, giving a second go at setting up an XG system for evaluation to see if 16.x is getting more viable.
  • Test system is in my test lab (aka the home network that controls our 5 children and their 40-odd devices with an XG125).

I decided the best way to set up this test was to do the following. (Yes, it's overly complex, but it's a test/learn experience.)

  1. Supernet the LAN into 192.168.0.0/16, with each kid getting a 3rd octet to themselves: 192.168.10.0/24, 192.168.20.0/24, etc.
  2. Each kid's devices are given a static IP with a DHCP reservation; a host IP object is created to match; and those are dropped into a separate group per kid.
  3. LAN policy unique per kid (the age range is vast); the policy only traps traffic for the IP host group of the kid in question. It can also be done by /24 subnet; still experimenting.
  4. Client-less users are created for each of the kid's devices with matching IP and placed into separate clientless groups Kid1, Kid2...Kid5.
  5. Policy is set up as "Match known users" by the Kid1 group that matches the LAN for that kid.

So here is the weird part: if I enter the kids' devices one at a time into client-less networking, it works perfectly. If I bulk add the client-less users, they don't work. I've tested this a ton of times now. Singly added clientless users work perfectly, but bulk added ones don't match correctly. I've tried with individual users and with users in groups. Delete a user that's not working, add them back exactly as they are, and they instantly work.

The above works well to thwart overly smart kids, as all other IP addresses in the network go to a DHCP domain that has almost no surfing privileges. Only a device that has both a host entry and a matching user with the same IP can get access. Very hard for the kid to try and move the device manually to a more permissive IP address.
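Because the post reports that bulk-added clientless users stop matching while individually added ones work, the practical question is how to tell, after an import, which entries no longer line up with the host objects and per-kid subnets they were built from. The script below is an added example written for this thread; it is not code from the original poster or from Sophos, and it does not know the XG bulk-import file format. It encodes the matching rule the post describes (a device gets access only if a host IP object and a clientless user exist with the same IP, and that user sits in the kid's group whose /24 contains the IP) and checks an exported list of clientless users against the intended plan. The device names, addresses and the "drifted" entry in the demo are constructed; the post does not say what the corrupted entries actually look like, so the drift is only an illustration of what the check would report.

```python
import ipaddress
from dataclasses import dataclass

# Per-kid /24s following the post's scheme (constructed sample: two kids only).
KID_SUBNETS = {
    "Kid1": ipaddress.ip_network("192.168.10.0/24"),
    "Kid2": ipaddress.ip_network("192.168.20.0/24"),
}


@dataclass(frozen=True)
class Device:
    kid: str   # clientless group the device belongs to
    name: str  # used both as host-object name and clientless username
    ip: str    # static IP backed by a DHCP reservation


# Intended plan (constructed sample addresses, not from the post).
PLAN = [
    Device("Kid1", "kid1-laptop", "192.168.10.11"),
    Device("Kid1", "kid1-phone", "192.168.10.12"),
    Device("Kid2", "kid2-tablet", "192.168.20.11"),
]


def host_objects(plan):
    """Host IP objects as they should exist on the firewall: name -> IP."""
    return {d.name: d.ip for d in plan}


def clientless_users(plan):
    """One clientless user per device, same IP, placed in the kid's group."""
    return [{"username": d.name, "ip": d.ip, "group": d.kid} for d in plan]


def check_consistency(hosts, users, kid_subnets):
    """Compare an (exported) clientless-user list against the host objects
    and per-kid subnets. Returns a list of human-readable problems; an
    empty list means every user matches a host object with the same IP,
    lies inside its group's /24, and no IP is used twice."""
    problems = []
    seen_ips = {}
    for u in users:
        host_ip = hosts.get(u["username"])
        if host_ip is None:
            problems.append(f"{u['username']}: no host object with that name")
        elif host_ip != u["ip"]:
            problems.append(f"{u['username']}: host object {host_ip} != user IP {u['ip']}")
        net = kid_subnets.get(u["group"])
        if net is None or ipaddress.ip_address(u["ip"]) not in net:
            problems.append(f"{u['username']}: IP {u['ip']} outside subnet for group {u['group']}")
        if u["ip"] in seen_ips:
            problems.append(f"{u['username']}: IP {u['ip']} already used by {seen_ips[u['ip']]}")
        else:
            seen_ips[u["ip"]] = u["username"]
    return problems


def policy_group_for(ip, hosts, users):
    """Access decision as the post describes it: the source IP must belong to
    a host object AND to a clientless user of the same name with the same IP.
    Returns the group the policy would match, or None (falls through to the
    restricted default)."""
    host_names = {name for name, hip in hosts.items() if hip == ip}
    for u in users:
        if u["ip"] == ip and u["username"] in host_names:
            return u["group"]
    return None


if __name__ == "__main__":
    hosts = host_objects(PLAN)
    users = clientless_users(PLAN)
    print("plan problems:", check_consistency(hosts, users, KID_SUBNETS))
    # Constructed "after bulk import" list where one user's IP has drifted.
    drifted = [users[0], dict(users[1], ip="192.168.20.12"), users[2]]
    for p in check_consistency(hosts, drifted, KID_SUBNETS):
        print("import problem:", p)
    print("192.168.10.11 ->", policy_group_for("192.168.10.11", hosts, users))
    print("192.168.10.50 ->", policy_group_for("192.168.10.50", hosts, users))
```

To use this against a real box, replace PLAN with your reservation list and feed `check_consistency` the clientless users as you read them back from the firewall after the bulk add; any line it reports is an entry to delete and re-add by hand, which is the workaround the post describes.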


