
IP reputation stopped

Dear members,

For some time now, my XG firewall has shown the "Services" button in yellow with an exclamation mark. Will you please help me fix the problem? (Screenshot is attached.)

  • Hi,

    Have you tried restarting your XG?

    Ian

  • In reply to rfcat_vk:

    Thanks, it helped me...

  • In reply to rfcat_vk:

    Many of my customers are presenting this situation. Is there a known problem with this service that has caused the service to stop working on all the devices at once?

  • In reply to lvillarreal:

    Hi,

    I would raise a support case if you have many devices with this issue. Though it does sound like a configuration issue.

    Ian

  • In reply to rfcat_vk:

    I too have seen quite a few client devices with the same issue today.

    Reboot does sort it, but not sure why it came up in the first place.

    Will lodge a case with support.

  • In reply to rfcat_vk:

    Hi,

     

    All of my customers have the same issue! It is clear that it is not related to a single machine but to all of the XGs!

    Is there any chance to solve this problem without rebooting all XGs??

    That's quite serious and it would be helpful if Sophos took care of it!!

     

    Thank you

  • Hello,

    Same thing here...

    I was thinking that MR12 was stable, but it seems not!

  • In reply to guillaume bottollier:

    [Updated - 6/4/2020]

    Hi All,

    The services (ctasd and ctipd specifically, which are used for email filtering only) were not disabled due to a security incident or risk.

    On some firewalls, the anti-spam service was started & running even when email filtering was not in use - which consumed unnecessary resources.

    This behavior was recently corrected and the service is now disabled when it’s not needed. The next MR release will fix the erroneous UI alert on the Control center dashboard. In the meantime, a device reboot will also clear this incorrect UI alert.

     

    Regards,

  • In reply to FloSupport:

    Do you mean this service was disabled by Sophos without informing anybody because it could be another security breach?

  • In reply to FloSupport:

    Can you please point us to the KB that shows this?

    Also - why does the Services icon show orange on the front panel? I've trained my team to know that this is a concern and to raise a ticket internally when they see it. Now we can't use that as an indicator of trouble if you have indeed decided to make this change.

    What about MR13 (if there is one)? Why not make the changes in that?

  • In reply to FloSupport:

    Furthermore... if this is an expected action, then why does a reboot clear it?

  • In reply to FloSupport:

    Update on this: I'm following up internally with the product team to provide more information.

     

    Regards,

  • I am seeing this too.

     

    I am curious, from what I have read here https://community.sophos.com/kb/en-us/123119#:~:text=IP%20Reputation%20is%20a%20global,in%20the%20spam%2Fsecurity%20policies.

     

    This service is for email IP address verification against your (Sophos) database. Does the service complete any other actions? And/or can we disable the system from shutting off services to save on resources until a fix can be pushed out?

    I also agree that if this is disabled by the firewall to save on resources, then it should not flag an alert. This is something I would think any software tester would catch when making the change before going public with it.

    Finally, what other services does this service within the firewall have the ability to disable? What if that were to become a vulnerability?

  • In reply to Badrobot:

    Hi  

    Please see my updated answer above.

  • In reply to FloSupport:

    Thanks for the clarification. Will this make it into a KB?

    Also - can you please advise how firewalls that have been running fine suddenly displayed this alert? Did Sophos issue a hotfix to stop the services? If so - what hotfix?

    It feels a little concerning that this has happened without any notice or advice from Sophos, and I'm trying to ensure my techs know what is good and what is not. Without notification it makes it very hard to do so.