Apple MAC active directory users not registering on XGS firewall

A customer has a major number of Apple MAC OS computers.
The devices are Active Directory joined, all have Sophos Endpoint Protection installed, the users log onto the computers with Active Directory credentials.

All the customer's locations have Sophos XGS firewalls with full Sophos Central connection activated.

All the Windows Clients/Users are being correctly registered as active users on the firewalls.

From the Apple MAC OS computers/users we cannot even see any log-on process in the firewalls' logs.

The customer wants to implement user-based firewall rules.
We therefore need to have the Apple MAC OS users register consistently on the firewall as active users.

How can we do this?



  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    Do you see health status events in heartbeat.log for endpoint installed on MAC OS? This event indicates that the endpoint has sent health status to XG.

    Example log snippet:

    a 2019-10-23T18:39:41.780Z [4616:5628] - Sending login status.

    a 2019-10-23T18:39:51.211Z [4616:5628] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}

  • Good morning, I cannot find a "heartbeat.log" file under "/log" on the firewall(s).

    There is only a "heartbeatd.log" file there.

    There I can see as an example the following entry for a MAC OS client:

    [2021-10-14 10:06:47.939] INFO HBSession.cpp[8756]:502 logNewSession - New Session: [10.13.8.90]:46569 connected
    [2021-10-14 10:06:47.978] INFO EndpointStorage.cpp[8756]:114 endpoint_connectivity_cb - Connectivity changed for <14e242a0-0e3c-4f14-a84d-a854274bc262>: <5> -> <1>
    [2021-10-14 10:06:47.978] INFO ModuleSacFirst.cpp[8756]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.13.8.90)
    [2021-10-14 10:06:47.978] INFO ModuleStatus.cpp[8756]:138 processMessageStatus - Status request received from endpoint: 14e242a0-0e3c-4f14-a84d-a854274bc262 (10.13.8.90) health: 1

    Is it what you were looking for?

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • I've also checked on the customer's firewall.
    There's a MAC OS client there, whose IP I know and that is registered and active in Sophos Central.
    But I cannot find its IP address in the "heartbeatd.log" file on the corresponding firewall.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • On another firewall of the same customer I could find the following entries.

    On one it seems to be working:
    [2021-10-18 11:37:59.671] INFO HBSession.cpp[12953]:502 logNewSession - New Session: [10.40.0.203]:33779 connected
    [2021-10-18 11:37:59.693] INFO ModuleSacFirst.cpp[12953]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.40.0.203)
    [2021-10-18 11:37:59.693] INFO ModuleStatus.cpp[12953]:138 processMessageStatus - Status request received from endpoint: cd3afd3b-0b2e-419e-ba53-0f223e672db2 (10.40.0.203) health: 1

    On the other I can see a failure to connect:
    [2021-10-18 12:03:30.871] WARN HBSession.cpp[12651]:341 bufferDisconnectEvent - Incoming connection from 10.30.0.107 failed. SSL error: SSL routines:ssl3_read_bytes sslv3 alert certificate expired

    Also, I checked on the firewall for the former posting.
    The user has installed the "authentication client" on his MAC OS computer and it is registering the user on the firewall.
    Is it possible that using the "authentication client" stops the device from registering the heartbeat on the firewall?

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner
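
An added example, not part of any post in this thread and not Sophos tooling: a small Python parser for the heartbeatd.log line formats quoted above. For each endpoint IP it reports whether a status message arrived, whether the incoming connection was rejected (as with the expired-certificate alert), or whether an expected client never appears in the log. The `expected_ips` parameter, the state names and the address 10.40.0.50 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the heartbeatd.log excerpts quoted in the thread.
SAMPLE_LOG = """\
[2021-10-18 11:37:59.671] INFO HBSession.cpp[12953]:502 logNewSession - New Session: [10.40.0.203]:33779 connected
[2021-10-18 11:37:59.693] INFO ModuleSacFirst.cpp[12953]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=10.40.0.203)
[2021-10-18 11:37:59.693] INFO ModuleStatus.cpp[12953]:138 processMessageStatus - Status request received from endpoint: cd3afd3b-0b2e-419e-ba53-0f223e672db2 (10.40.0.203) health: 1
[2021-10-18 12:03:30.871] WARN HBSession.cpp[12651]:341 bufferDisconnectEvent - Incoming connection from 10.30.0.107 failed. SSL error: SSL routines:ssl3_read_bytes sslv3 alert certificate expired
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "session": re.compile(r"New Session: \[" + IP + r"\]:\d+ connected"),
    "status": re.compile(r"Status request received from endpoint: (?P<id>[0-9a-f-]+) \("
                         + IP + r"\) health: (?P<health>\d+)"),
    "failed": re.compile(r"Incoming connection from " + IP + r" failed\. (?P<reason>.+)"),
}

def summarize(log_text, expected_ips=()):
    """Map each endpoint IP to (state, detail); expected IPs never logged are 'absent'."""
    seen = defaultdict(lambda: {"sessions": 0, "status": None, "errors": []})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            rec = seen[m["ip"]]
            if kind == "session":
                rec["sessions"] += 1
            elif kind == "status":
                rec["status"] = (m["id"], int(m["health"]))
            else:
                rec["errors"].append(m["reason"].strip())
            break
    report = {}
    for ip, rec in seen.items():
        if rec["status"]:
            report[ip] = ("heartbeat", "endpoint %s health %d" % rec["status"])
        elif rec["errors"]:
            report[ip] = ("rejected", rec["errors"][-1])
        else:
            report[ip] = ("connected-no-status", "%d session(s)" % rec["sessions"])
    for ip in expected_ips:
        report.setdefault(ip, ("absent", "no heartbeatd.log entry for this IP"))
    return report

if __name__ == "__main__":
    # 10.40.0.50 is a constructed address standing in for a Mac that never appears.
    for ip, (state, detail) in sorted(summarize(SAMPLE_LOG, ["10.40.0.50"]).items()):
        print(f"{ip:15} {state:20} {detail}")
```

Feeding it the list of known Mac client addresses separates machines that never reach the firewall's heartbeat listener from those that reach it and are turned away during the TLS handshake.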