STAS Firewall with User on several machines(workstations)

Hey, I've set up STAS on my DCs. Users are reported... works fine.

I have a firewall rule to allow "ssh" and "ping" to one special host. (source is "USER A" and "TESTUSER B")

The first workstation which comes online after the UTM restarts, with USER A logged in, works fine.
When I log in USER A on a second workstation (same LAN), it won't work!?
Even when I log in another user (TESTUSER B) on the second workstation, the firewall rule won't work.


Do you have some ideas?



This thread was automatically locked due to age.
  • After some investigation...

    Now I am working on just one workstation. When I log in the first time (in the morning), the firewall rules seem to work. And later, when I come back and re-login to the workstation, they don't (without logging in on another workstation).

    The corresponding Log: "Child 31902 is running too long. Terminating child" What does this mean?

    UTM is: 9.402-7

    I have two domain controllers (Win 2008/Win 2012); both have the STAS agent installed, and one of them is the STAS collector.

    Some help? Thanks

  • It means there's a bug. Contact your support contact and let them know.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Hi,

    Do you have the GPO with audit: logon, logoff in place on both DCs?

    Can you see the user login on both STA Agents (see the log in STAS configurator)?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • Hello twister,


    I have a group policy for my DCs to audit logon events as described in the PDF from Sophos.

    And yes, it looks like I can see users from both DCs. But it seems that some (my own user) are deleted from the UTM too fast. So I'm still logged in, and my entry is missing. When I lock my Win10 and log in again, it works again...

  • I'm getting the feeling that STAS isn't soup yet...

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I agree there are some issues between the STAS agent and UTM, with users not showing as online and sometimes it just works!

    For now I have removed this checkmark in UTM:

    So I just can monitor the usernames in the webprotection log.

    I have set up a simple lab with just one DC and one UTM; still some users are shown as IP and some with AD name.

    The logs on STAS and UTM show no direct error.

    I just think the product has to get the final layer of paint - It's still a great feature :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

  • I've had to do the same, i.e. untick "block access".

    I've got users showing on the UTM but when I look at the web filter logs, there's a lot of user="" even though I think there should be a name against it. I do get names in user="JoeBloggs" but there is far more user="" which makes me think that it's not logging what users are doing fully.
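
One way to quantify the symptom reported in this thread, as an added example that was not posted by any participant: count, per source IP, how often web filter entries flip from a named user to user="" (the point where the firewall lost the user-to-IP mapping while the workstation kept generating traffic). The log lines are constructed; only the user="..." field comes from the thread, and the `srcip` key and timestamp layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. Only the user="..." field appears in the thread;
# the timestamp layout and the srcip key are assumptions for illustration.
SAMPLE_LOG = """\
2016:05:10-08:01:12 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user="JoeBloggs"
2016:05:10-08:05:40 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user="JoeBloggs"
2016:05:10-08:06:02 utm httpproxy[4321]: action="pass" srcip="10.0.0.22" user=""
2016:05:10-09:30:11 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user=""
2016:05:10-09:31:47 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user=""
2016:05:10-09:40:03 utm httpproxy[4321]: action="pass" srcip="10.0.0.23" user="TestUserB"
2016:05:10-10:02:19 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user="JoeBloggs"
2016:05:10-10:15:00 utm httpproxy[4321]: action="pass" srcip="10.0.0.22" user=""
2016:05:10-11:20:33 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" user=""
2016:05:10-11:25:10 utm httpproxy[4321]: action="pass" srcip="10.0.0.23" user="TestUserB"
"""

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs, empty values allowed

def attribution_by_ip(lines):
    """Per source IP: named/empty entry counts and named -> empty transitions."""
    stats = defaultdict(lambda: {"named": 0, "empty": 0, "drops": 0})
    was_named = {}  # last attribution state seen for each IP
    for line in lines:
        fields = dict(KV.findall(line))
        ip = fields.get("srcip")
        if ip is None or "user" not in fields:
            continue  # not a line we can attribute
        named = fields["user"] != ""
        stats[ip]["named" if named else "empty"] += 1
        # A drop: the previous entry from this IP had a user, this one has none.
        if was_named.get(ip) and not named:
            stats[ip]["drops"] += 1
        was_named[ip] = named
    return dict(stats)

def lost_mapping_ips(stats):
    """IPs that were attributed to a user at some point but later logged user=""."""
    return sorted(ip for ip, s in stats.items() if s["drops"] > 0)

if __name__ == "__main__":
    result = attribution_by_ip(SAMPLE_LOG.splitlines())
    for ip in sorted(result):
        print(ip, result[ip])
    print("mapping lost mid-session:", lost_mapping_ips(result))
```

An IP with only empty entries was never mapped at all (no logon event reached the collector), while an IP with drops points at the mapping being removed from the UTM while the user is still logged in.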