Might be a dangerous failure in Central?

Hi,

Could be a dangerous bug in Central......

On Monday, we pushed new notification settings to around 150 firewalls via Sophos Central.

Suddenly, the next day, we received notifications from a completely different firewall that is not managed via our Central account.
Research revealed that this firewall is licensed through a completely different company.

Sophos ticket number is 02223052.

The case must be clarified urgently, as long as logs can still be evaluated!

Regards, Gerd



Added TAGs
[edited by: Raphael Alganes at 11:45 AM (GMT -8) on 14 Feb 2025]
[locked by: emmosophos at 9:38 PM (GMT -7) on 10 Apr 2025]
  • We are taking this situation very seriously and are looking into it right now with multiple eyes. Please give us some time to evaluate and review certain aspects.

    Thanks for reporting! 

    __________________________________________________________________________________________________________________

    • Thank you, it seems to have been escalated very high.

      We have found exactly the relevant entries in the fwcm-updaterd.log of the “foreign” firewall that should not be there.........

      • Hey Gerd, definitely keep us informed on this one in the community forum -- I'm a partner and have not seen this, but given the number of customers I manage I am keen to know what is going on.

        CTO, Convergent Information Security Solutions, LLC

        https://www.convergesecurity.com

        Sophos Platinum Partner

        --------------------------------------

        Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

        • What exactly do you mean by fwcm-updaterd.log? This is an entry from the firewall (log) - How do you have an entry of this firewall, if it is not configured by you?

          __________________________________________________________________________________________________________________

          • .... Because I got in contact with the administrator of the "foreign" firewall.

            A little bit old-fashioned, but sometimes the telephone isn't bad ;-)

            • Nice!  They tell me you can make phone calls on these Smart "Phones."  LOL.

              CTO, Convergent Information Security Solutions, LLC

              https://www.convergesecurity.com

              Sophos Platinum Partner


              • We tried to contact the firewall to debug this and see what was happening here, but have not received feedback yet.

                __________________________________________________________________________________________________________________

                • Then I have been faster..... ;-)

                  • Are you interested in sharing, in the case, the information you got? We are interested in the data you received.

                    By now, we are also interested in the data from the customer, we tried to contact them this morning as well. 

                    __________________________________________________________________________________________________________________

                    • I added the log detail in the Support Ticket number already.

                      Do you need any further information?

                      I think we should share it via PM.

                      • The support case is the correct point to share the data. 

                        We are looking for the support access ID for this firewall as well. 

                        __________________________________________________________________________________________________________________

                        • I know that Sophos asked for it, but this has to be clarified with the other company. I think you have the contact data....

                      • Hello,

                        Just to update anyone following this thread, this is being investigated under NR-14944.

                        [UPDATE] 

                        The issue has been resolved and was due to a very uncommon race condition; preventive changes have been made to prevent this from happening again. No evidence was found that any other accounts were affected.

                        Regards,


                         
                        Emmanuel (EmmoSophos)
                        Technical Team Lead, Global Community Support