Sophos NDR "bootlooping"

Hi Thorben,

Thanks for reaching out to the Sophos Community Forum.  I've moved your post over to the NDR Community channel as it is a better fit for your question. 

I suggest checking the logs at "podLogs/cloud-agent-<container id>.txt ".  Let me know if there are any authentication errors present. 

You can also try verifying that the following protocols are not being blocked on the system/network.
- DHCP (if this was selected in Central when creating the VM) 
- NTP 
- DNS 
- HTTP 
- HTTPS 

Please also ensure that web filtering is not being performed on the following domains.
a. sophos.com
b. archive.ubuntu.com
c. ntp.ubuntu.com
d. baltocdn.com
e. sophossecops.jfrog.io
f. docker.io
g. amazon.com, amazonaws.com

Hello Kushal,

thanks for pointing me in the right direction. I checked the firewall rule for the outbound access of the NDR machine, turns out i hadn't allowed all the domains needed for Sophos Central connection, as per https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html

All of the domains (*.sophos.com and *.amazonaws.com) and Ports (80, 443) are now allowed for the NDR VM and it boots up normally again.

What i notice now is, that after starting up the NDR doesn't seem to capture any packets. It only does when i set the firewall rule to allow ports 80 and 443 to "any".

I tried logging the traffic that was running on that rule while access was limited to *.sophos.com and *.amazonaws.com, and i can see packets successfully going out to AWS servers and none getting blocked.

Are there any other FQDN ranges i have to allow, is it something with the NAT (i doubt it since traffic using "any" as a target should use the same rule). I want to narrow down the FW rule as much as possible.

Kind regards

Thorben

Update: it just started counting packets, about 10-15 minutes after bootup

Update 2: after rebooting again it immediately began counting packets, might the counter not growing just be a case of the counter initializing later?

Hello Kushal,

thanks for pointing me in the right direction. I checked the firewall rule for the outbound access of the NDR machine, turns out i hadn't allowed all the domains needed for Sophos Central connection, as per https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html

All of the domains (*.sophos.com and *.amazonaws.com) and Ports (80, 443) are now allowed for the NDR VM and it boots up normally again.

What i notice now is, that after starting up the NDR doesn't seem to capture any packets. It only does when i set the firewall rule to allow ports 80 and 443 to "any".

I tried logging the traffic that was running on that rule while access was limited to *.sophos.com and *.amazonaws.com, and i can see packets successfully going out to AWS servers and none getting blocked.

Are there any other FQDN ranges i have to allow, is it something with the NAT (i doubt it since traffic using "any" as a target should use the same rule). I want to narrow down the FW rule as much as possible.

Kind regards

Thorben

Update: it just started counting packets, about 10-15 minutes after bootup

Update 2: after rebooting again it immediately began counting packets, might the counter not growing just be a case of the counter initializing later?

I cannot say why this may have occurred, however, if you experience similar issues in the future, the following logfile may be of assistance. 
- podLogs/dragonfly-<container id>.txt 

This contains logs for the packet processing application on the VM. 

Where do i find these logs? There is no option to view system logs from the VA interface, nor an option to escape to the Ubuntu cli to look in /var/logs for example.