  • All Central-managed access points are showing as offline after the MR3 to MR4 upgrade.

    The log file shows they are running and still communicating with the Central domains, no blocks. But the webfilter log shows byte sent: 0, so there is some communication issue.

    APX320, APX530, APX320X

    APs are in a VLAN, bound to / routed by XGS.


  • Thanks for your post and writing that linked article! Will go through that.

    I just found that PolicyID 3 is the manual drop+log rule. It shows as green. I don't mind; that is a long-known issue.

    I double-checked that the correct firewall rule for the access points, using the correct hosts, ports and zones, exists and matches. It does. Re-saving the skipped firewall rule does not help so far.

    Will report back.

  • It was XGS's wildcard DNS name resolution issue. We allow:

    that *.prod.hydra.sophos.com resolves correctly.

    That's a screenshot of the IPs resolved to the wildcard FQDN host:

    But the firewall rule has not been hit by the traffic; it ran through the rule set until the block+log rule.

    So I created a new FQDN host for the full FQDN wifi-cloudstation-eu-central-1.prod.hydra.sophos.com, no wildcard.

    We can see the same IPs in that newly created object.

    Added it to the firewall rule above, and only seconds after saving the rule, the APs showed online in Central.

    Central:

    So SFOS has issues with the wildcard FQDN of Sophos.

  • Updated our main XG430 from MR3 to MR4.

    There we have the same issue with two Central-managed AP320X.

    wifi-cloudstation-eu-central-1.prod.hydra.sophos.com/

    is not reachable, although we have configured access to *.prod.hydra.sophos.com in a firewall rule. Traffic runs through the ruleset and finally hits our drop rule.

    APs were online for about 45 minutes after the upgrade but then went offline, and we could notice the same issue in log viewer -> webfilter.

    Policy 5 is our block+log rule.

    Can Sophos explain what is happening here, please?