A number of our clients' Cyberoam OS-based UTMs have multiple WAN uplinks, which are load balanced.
When we first set up the new Sophos iView v2 (to replace our Cyberoam iView), the devices registered against the appliance multiple times (once for each WAN IP). It seems that iView uses the WAN IP first to register, then once you tell it the hardware type (Cyberoam OS, UTM v9, XG) it then reads the serial number to identify the device.
As a by-product, we "named" and registered each of the occurrences in iView, but after iView reads the serial number, it only shows ONE device in the registered devices page (which is what you'd expect).
However, in reports it still lists all the registered devices, even though the output is identical.
Is it possible to manually remove a registered device (considering it doesn't show up in the devices page), or can this bug be fixed where iView only displays reports for unique devices?
You can delete the devices from System --> Configuration --> Devices page.
In reply to RaviPatel:
I have already deleted them from there - however the device names continue to show in reports.
As discussed, the Sophos firewalls (Cyberoam OS and Sophos XG) have multiple WAN in load balanced mode, and it seems the iView/Syslog traffic is hitting our iView server from both IP addresses. As a by-product when we view reports, there's a report for each hostname we gave each IP.
In reply to DavidRudduck:
Sophos firewalls have multiple WAN in load balanced mode, so iView detects both IP addresses, as some traffic is passing by ISP1 and some by ISP2. As a by-product, when you view reports there is a report for each hostname. But the reports are the same for both hostnames because the report is for the same appliance.
The hostnames are not the same.
When iView detects a new IP sending it Syslog data it requests a hostname. The hostname cannot match any previous hostname. After you've told it what version of OS it's running, then and only then does it read the device serial number.
Not realising that iView doesn't bundle all data from the same host (by serial number as the unique identifier as opposed to IP address), I removed the redundant hosts from the device list, however they are still showing up, i.e. client-coomera-link1 and client-coomera-link2. However, as I've removed them, I can't rename them!
It would make more sense if iView bundled all data by host serial number, especially in the case that you might have a firewall on a dynamic IP address. Otherwise you'd end up with a new 'device' every time the IP address changes.
Almost a year later, switched to iView 3.01.1 and we still have the same issue, as iView likes IP addresses as UIDs rather than Serial Numbers.
Every time a new version comes out I install this thing again hoping it'll one day become a useful tool, but it all comes back to the same bad spot. As most of our customers have multiple uplinks and this is a common scenario all around, the product has absolutely 0 reliability as a data analysis tool.
I mean, you can set up multipath rules to deal with it, but if that individual uplink goes down you either stop receiving logs or end up with another new device to be registered (depending on the skip option in the multipath rule). You end up losing log entries in both ways; you cannot rely on a syslog tool that can't handle logs properly.
Need a failsafe method to purge duplicate registered devices from the system. I'm facing the same issue as most of the systems I work with use Multi-WAN functionality.
Perhaps to make it clearer... need a procedure to remove devices that get listed in the reports although they are nowhere to be found in the System & Monitor - Devices section even when you are logged in as a super admin.