This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

STAS dropping users?

Hi all

We are using STAS for authentication.

We have had to disable "match known users" from all fw rules, since XG apparently randomly drops usernames.

Below log show that user test@domain.net is logged on and everything will, until 09.41 when suddenly no username appears and fw rules would then deny access.

Time Log comp Action User name Firewall rule In interface Out interface Src IP Dst IP Src port Dst port Protocol Rule type
22-04-2020 09:46 Firewall Rule Allowed 34 Port4 Port1 10.81.235.117 10.81.234.120 55865 445 TCP 1
22-04-2020 09:45 Firewall Rule Allowed 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:44 Firewall Rule Denied 6 Port4 Port1 10.81.235.117 10.81.234.104 55867 445 TCP 1
22-04-2020 09:41 Firewall Rule Allowed 41 Port4 Port1 10.81.235.117 10.81.234.123 53181 445 TCP 1
22-04-2020 09:40 Firewall Rule Allowed test@domain.net 40 Port4 Port1 10.81.235.117 10.81.234.104 51598 445 TCP 2
22-04-2020 09:40 Firewall Rule Allowed test@domain.net 34 Port4 Port1 10.81.235.117 10.81.234.120 51597 445 TCP 1
22-04-2020 09:34 Firewall Rule Allowed test@domain.net 40 Port4 Port1 10.81.235.117 10.81.234.104 51578 445 TCP 2
22-04-2020 09:34 Firewall Rule Allowed test@domain.net 34 Port4 Port1 10.81.235.117 10.81.234.120 51577 445 TCP 1

We see this for all users. No patterns. Not simultaneously. Sometimes STAS has to be disabled/re-enabled on XG to get users authenticated.

Anyone know what we may have misconfigured?

Thanks

This thread was automatically locked due to age.

Parents

0 Keyur over 4 years ago

Hi jkm005

Could you please check - https://community.sophos.com/kb/en-us/125468

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Keyur over 4 years ago

Hi jkm005

Could you please check - https://community.sophos.com/kb/en-us/125468

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jkm005 over 4 years ago in reply to Keyur

Ok so here's what happens.. My workstation IP is 192.168.1.120 I am connect as user: test .. I connect to RDPserver with IP 192.168.2.100 using other username: testRDP

So now STAS think testRDP is logged on to my IP (192.168.1.120 is not the IP of RDPServer):

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: User: testRDP

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: Domain: domain.net

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstName: RDPServer

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: WrkstIP: 192.168.1.120

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: CreateTime: 1587638919

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_log_userinfo: LogonType: 10

DEBUG [0x17a4] 23-04-2020 12:48:40 : Adding user info to db and Sophos

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username: comparing username for exclusion: User from UTM 'testRDP' (6) : User in the list 'svc_whd@domain.net' (19)

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username: comparing username for exclusion: User from UTM 'testRDP' (6) : User in the list 'administrator' (13)

DEBUG [0x17a4] 23-04-2020 12:48:40 : dca_filter_by_username

DEBUG [0x17a4] 23-04-2020 12:48:40 : userdb_handle_duplicate_userinfo: select query: SELECT * FROM UserInfo WHERE wrkst_ip=='192.168.1.120';

DEBUG [0x17a4] 23-04-2020 12:48:40 : userdb_insert_userinfo: no matching userinfo found
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to jkm005

Hi jkm005

Please refer to this - https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/37694374-stas-should-ignore-logins-to-remote-desktop-sessio

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 4 years ago in reply to Keyur

Thank you - that's seems to be exactly the problem. No solution from Sophos it seems :/
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to jkm005

Hi jkm005

I understand your concern and point you are trying to make but as of now it is working as stated, Please upvote the feature request shared in the previous post.

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 jkm005 over 4 years ago in reply to Keyur

I have upvoted
Cancel
Vote Up 0 Vote Down

Cancel