Sophos Captive Portal bizarre issue

Hi

I was wondering if someone can point me in the right direction.

We had recently installed an XG firewall to replace an aged Juniper firewall.

In moving to Sophos XG we wanted to get away from our explicit proxy in Internet Explorer.

So to gently move us across we added an alias to the interface. We have also set up STAS etc.

Now everything seems to be working OK at first; however, once I untick "Use a proxy server for your LAN" then I get the below.

If I put the proxy back in then it works again.

Does anyone know why this might be?



Edited TAGs
[edited by: emmosophos at 8:43 PM (GMT -7) on 13 Oct 2021]
  • What do you mean by "use a proxy server"? Because I am not able to locate such an option in SFOS. 

    Essentially: if you have some information under Live Activities - Live Users, this IP will be matched with the user listed there. So this should not bring up any kind of Captive Portal. This does not look like an SFOS webpage. 

    __________________________________________________________________________________________________________________

  • Hi there

    Thanks for getting back to me!

    That's a setting in Windows, in Internet Options. If I tick that, the internet seems to work, but if I uncheck it (which is what we want to achieve) then it throws up the "connect to a network" page.

  • The IP: Is this the Sophos Firewall or the old firewall? 

    __________________________________________________________________________________________________________________

  • The IP was that of the old firewall, but we have added it as an alias on the LAN interface. 

  • Hello Yuksun,

    Adding to what Luca has mentioned: since you aren't going to be using the proxy settings in the browser, I would focus my attention on how STAS is configured and whether the XG and STAS are seeing the authentication request.

    Take a look at this RR about STAS.

    Also make sure your Firewall rule for Match known users is set at the TOP of the Firewall and there are no conflicting Firewall Rules. 

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Thank you for that. I'll take a look into the article.

    Sorry, I forgot to add: I did some troubleshooting yesterday, but it seems that some users are getting the error and some aren't.

    The firewall rule isn't at the top; it's right at the bottom, "LAN to WAN". 

    Much appreciated!

  • Hello Yuksun,

    Thank you for the screenshot and follow up.

    What is the difference between the users getting the error and those who aren't? For the ones that aren't, do you see their entry in STAS on the DC and in the Firewall as Live Users?

    Regards,

    Emmanuel (EmmoSophos)
  • Hi Emmo,

    I cannot see any difference, if I'm honest. They are all logging onto domain-joined PCs. The users that can log in are showing in Live Users, but not the ones that are being asked to log in. I've been through the article you sent me and have made some changes in GPO regarding the firewall. I'll see if it makes any difference.

    Whilst I await this, would you be able to explain the STAS settings? Because the settings below on our Sophos XG (I'm guessing they are the default settings) are different from the best practice article. I have read the link with the article, which states:

    When the XG Firewall detects non-authenticated traffic from an IP, STAS will put this IP in Learning Mode and send a request to the collector for user information for this IP. While in a learning status, the firewall drops the traffic generated from this IP.
    Starting from SFOS version 17.05 GA, there is a new feature called "Restrict client traffic during identity probe". This is set to Yes by default, which results in the behavior of the Sophos Firewall explained above. If "Restrict client traffic during identity probe" is set to No, the Sophos Firewall will allow unauthenticated traffic (during the specified Identity probe time-out) and process this unauthenticated traffic using the firewall rules for unauthenticated traffic accordingly.

    Why would it be a best practice to have "Restrict client traffic during identity probe" set to No?

    Also, what does "enable user inactivity" do? I can't find anything about what this does.

    Apologies I'm pretty new to the Sophos game!
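The identity-probe behaviour quoted in the post above (Learning Mode, the collector lookup, the "Restrict client traffic during identity probe" toggle and the probe time-out), modelled as an added example. This is a constructed simulation, not Sophos code and not anything posted in the thread; the class name, the 4-second collector delay, the IP addresses and usernames are assumptions made for illustration. It shows why a slow collector answer produces dropped connections when the toggle is Yes, why it does not when the toggle is No, and why a client the collector never identifies ends up at the captive portal in either case.

```python
# Constructed model (added example, not Sophos code) of the STAS identity-probe
# behaviour described in the thread. All names and timings are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class IdentityProbeModel:
    restrict_during_probe: bool        # "Restrict client traffic during identity probe"
    probe_timeout: float               # "Identity probe time-out", in seconds
    collector_delay: float             # assumed time until the STAS collector answers
    collector_directory: Dict[str, str] = field(default_factory=dict)  # ip -> user the collector knows
    learning: Dict[str, float] = field(default_factory=dict)           # ip -> time Learning Mode began
    live_users: Dict[str, str] = field(default_factory=dict)           # ip -> user (Live Users)

    def decide(self, src_ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Return (verdict, user) for one packet from src_ip at time `now`."""
        # Already matched to a user in Live Users: identity-based rules apply normally.
        if src_ip in self.live_users:
            return ("allow", self.live_users[src_ip])

        # First non-authenticated packet from this IP starts Learning Mode.
        started = self.learning.setdefault(src_ip, now)
        elapsed = now - started

        # The collector has answered with a username: the IP becomes a Live User.
        if elapsed >= self.collector_delay and src_ip in self.collector_directory:
            user = self.collector_directory[src_ip]
            self.live_users[src_ip] = user
            del self.learning[src_ip]
            return ("allow", user)

        # Probe timed out with no answer: the traffic is handled by the rules for
        # unauthenticated traffic, which in this thread's setup means the captive portal.
        if elapsed >= self.probe_timeout:
            del self.learning[src_ip]
            return ("captive-portal", None)

        # Still probing: the toggle decides between dropping and passing the traffic.
        if self.restrict_during_probe:
            return ("drop", None)
        return ("allow-unauthenticated", None)


def simulate(model: IdentityProbeModel, src_ip: str, attempt_times: Iterable[float]) -> List[str]:
    """Replay a client's connection attempts and collect the verdict for each one."""
    return [model.decide(src_ip, t)[0] for t in attempt_times]


def compare_probe_settings() -> Dict[bool, List[str]]:
    """Same domain-joined client and same slow collector under both toggle settings."""
    directory = {"10.0.0.25": "yuksun"}  # constructed: the collector knows this IP
    results: Dict[bool, List[str]] = {}
    for restrict in (True, False):
        model = IdentityProbeModel(restrict_during_probe=restrict, probe_timeout=120,
                                   collector_delay=4.0, collector_directory=dict(directory))
        # the browser retries at t=0, 1 and 2 s, then the user tries again at t=6 s
        results[restrict] = simulate(model, "10.0.0.25", [0, 1, 2, 6])
    return results


def unknown_client_outcome() -> List[str]:
    """A client the collector never reports on: probe expires, captive portal follows."""
    model = IdentityProbeModel(restrict_during_probe=True, probe_timeout=120,
                               collector_delay=4.0, collector_directory={})
    return simulate(model, "10.0.0.77", [0, 130])


if __name__ == "__main__":
    for restrict, verdicts in compare_probe_settings().items():
        print(f"restrict={restrict}: {verdicts}")
    print("unknown client:", unknown_client_outcome())
```

With the toggle at Yes the first three attempts are dropped while the collector is still answering, which the client experiences as a timeout; at No they pass as unauthenticated traffic and the user is matched once the answer arrives. The client that never appears in the collector's directory reaches the captive portal after the probe time-out regardless of the toggle, which is the symptom the thread is chasing for the users missing from Live Users.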

  • Quarantining during the identity probe sounds good in theory, but in the implementation the authentication can take some seconds, which leads to timeouts for clients. Therefore most customers disable this for user experience. 

    __________________________________________________________________________________________________________________

  • Hi Toni,

    Many thanks for clarifying. I'll go and make this change later in the day.

    Thank you!