NDR Essentials UI Data Synchronization Bug

Question

Issue Summary - With special thanks to ChatGPT for the excellent report format

NDR Essentials detection engine is functioning correctly and detecting threats, but there is a data synchronization bug preventing threat information from displaying consistently across the firewall's user interface components. 
 Environment Details 
 
 Firewall Model: XGS126 
 Firmware Version: SFOS 21.5.0 GA-Build171 
 Feature: NDR Essentials (new feature in SFOS 21.5) 
 License: Xstream Protection Bundle (confirmed active) 
 HA Configuration: Not applicable 
 Network Topology: Client &rarr; Switch &rarr; XGS LAN Port 
 
 Detailed Problem Description 
 After configuring NDR Essentials and running the official Sophos NDR test ( NdrEicarClient.exe --all ), the system exhibits inconsistent threat reporting across different interface components: 
 
 NDR Setup Page (Protect > Active threat response > NDR Essentials): Correctly shows 1 threat detected 
 Control Center Dashboard : Shows "NDR Monitored: 0" (incorrect) 
 Reports Section : Shows 0 threats found (incorrect) 
 Active Threat Response Logs : Shows no threat entries (incorrect) 
 
 Evidence of Backend Detection Success 
 CLI verification confirms NDR Essentials is working correctly at the detection engine level: 
 Command: cat /content/ndr/threatfeed.json 
 Output:

json 
 
 { 
 "threatfeed" : { 
 "name" : "NDR Essentials" , 
 "id" : "aaeaa6fc-9761-4fcf-9cc4-e933880c9a0b" , 
 "indicators" : [ 
 { 
 "type" : "domain-name" , 
 "value" : "plrqkxqwvmtkm.xyz" , 
 "__meta" : { 
 "threat_score" : "10" , 
 "expiry_timestamp" : 1750012975 , 
 "state" : "valid" , 
 "category" : "NDR/EPA_FriendlyChameleon" 
 } 
 } 
 ] , 
 "action" : "1" 
 } 
 }

This proves: 
 
 NDR detection engine successfully identified the test threat 
 Correctly assigned maximum threat score (10) 
 Proper threat categorization (NDR/EPA_FriendlyChameleon) 
 Valid IoC stored with appropriate expiry timestamp 
 
 Configuration Verification 
 
 Interface Selection: LAN interface properly configured for NDR monitoring 
 Threat Score Threshold: Set to "High risk (Score 9 and 10) - Recommended" 
 Logging: Active threat response logging enabled in System services > Log settings 
 FastPath: Firewall acceleration confirmed enabled 
 
 Steps to Reproduce 
 
 Configure NDR Essentials on XGS device with Xstream Protection Bundle license 
 Select LAN interface for monitoring 
 Run official Sophos NDR test: NdrEicarClient.exe --all 
 Wait 5-10 minutes for detection processing 
 Observe inconsistent reporting across UI components 
 
 Impact Assessment 
 
 Security Function: Working correctly (threats are being detected) 
 User Experience: Severely impacted (inconsistent/misleading UI data) 
 Customer Confidence: Affected (appears non-functional despite working backend) 
 Feature Adoption: Blocked (customers cannot verify functionality through UI)

LuCar Toni · Answer

That is expected. It is explained here: 
 
 Also here in the online help: 
 https://docs.sophos.com/nsg/sophos-firewall/21.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/ActiveThreatResponse/ConfigureFeeds/NDREssentials/index.html#time-to-live 
 It explicity tells you to run the commands twice. 
 The point here is: In the real world, there will not be "one connection to something and never again". It will be multiple connections all the time. The process is not picking up the first connection - Because to do so, we would need to delay packets etc (making something from monitoring to active response).

NDR Essentials UI Data Synchronization Bug

Environment Details

Detailed Problem Description

Evidence of Backend Detection Success

Configuration Verification

Steps to Reproduce

Impact Assessment

Top Replies