Sophos XG Monitoring HA

RE: Sophos XG Monitoring HA

LuCar Toni — Thu, 21 Jul 2022 12:42:13 GMT

Did you or somebody eventually cleared the alert? Because the alert should be generated on those dates as you can see.

RE: Sophos XG Monitoring HA

Michael Schneider — Thu, 21 Jul 2022 09:19:58 GMT

I checked the central the approach, but i am "stucked".

We have a faulty HA Status in Central, which is actually shown in the firewall status:

I crawled through all central events on this specific customer as a test but could not find any "fail" event.

There are not that much firewall events and i found those 4:

But they explicitly said the HA Status is not impared, which could be happen on a failover or firmware update or just a reboot. It is a warning, which at least for me says: everything is, but one note is rebooting or do i missunderstand? And it seems to happen 4 times with a recover after that, i found the recover events, but not for every date:

Seems to be No Recover Event for Juli 16. and Juli 20. But two 2 the 27. Mai.

Do you have any more details about the event you mean?

Thank you.

RE: Sophos XG Monitoring HA

Michael Schneider — Thu, 21 Jul 2022 08:58:26 GMT

I don't know :)
There is just no option:

RE: Sophos XG Monitoring HA

JasP — Thu, 21 Jul 2022 08:47:57 GMT

Why is it that you can't add a "Local service ACL exception rule" for SNMP? You can add one for just about any service that you may want to access via the WAN connection but not SNMP

RE: Sophos XG Monitoring HA

Michael Schneider — Thu, 21 Jul 2022 07:02:47 GMT

I did not say that there is bug. But there are alot and just wrong documentation.
Something like this, just as one of alot examples:

I read "Datatype" is INTEGER. Expecting a Number with Range of 0 - 2 as explained in the Note.

The Actual Result is a String containing Enable, Disable 😀

You just can't trust the api documentation 🙂

RE: Sophos XG Monitoring HA

LuCar Toni — Thu, 21 Jul 2022 06:50:24 GMT

I do not see the bug in your initial post. Because the API is a configuration API, not a status API. This means, you do not have access to some of those live events and status updates of certain parts of the hardware.

Nevertheless, Central API will be extended by firewall API. There "should" be a HA flag in Central as well.

RE: Sophos XG Monitoring HA

Michael Schneider — Thu, 21 Jul 2022 06:19:21 GMT

Hey Lucar, i will give that a shot aswell. The i am really hoping that at some point you can actually do and monitor xg's via central api.
Thanks for the the idea. I do not like the concept of monitoring a log insteaed of of the actual current status, but i guess it is better than nothing.
I just don't understand why the sophos xg web api is lacking alot of features and there are a lot of bugs ;) Would be nice to have a single source of monitoring :)

RE: Sophos XG Monitoring HA

LuCar Toni — Wed, 20 Jul 2022 15:55:51 GMT

I would recommend to use Central for this.

Central will generate an alert specifically for degraded HA State. So you can monitor via API this particular Alert.

If the alert comes up, you can call for next steps.

See: https://developer.sophos.com/

RE: Sophos XG Monitoring HA

Michael Schneider — Wed, 20 Jul 2022 11:46:04 GMT

Thanks :) I don't see the HAState metioned above until now but sophos already did "kill this" idea.
I need a WAN side Monitoring and we disable anything on the WAN Zone. But setup a LocalACL Rule for our IP Only with https and userportal. But for whatever reason you cannot enable SNMP in a Local ACL Rule :)

RE: Sophos XG Monitoring HA

Vivek Jagad — Wed, 20 Jul 2022 11:40:42 GMT

Hello Michael Schneider,

Here are the useful links below:
> https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Other-documents/SOPHOS-MIB.txt?la=en
> https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/SNMP/index.html#snmpv3-users-and-traps
> http://www.net-snmp.org/docs/mibs/index.html
> https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SNMP.html

RE: Sophos XG Monitoring HA

Michael Schneider — Wed, 20 Jul 2022 11:32:20 GMT

Hi Vishai,

I will give that a shot, but the hole point of me using the webapi is that i can query it via WAN which i can't or well i would not love to do with snmp 🙂 Dou you got any details oids for this ?

RE: Sophos XG Monitoring HA

Michael Schneider — Wed, 20 Jul 2022 11:30:43 GMT

Hell Bharat, thank you for your time and answer. I do not actually see a way to automate this in a good way.
I would like to activly pull a status from the device and not monitor some logs which might have a occurance of "xyz"

RE: Sophos XG Monitoring HA

Vishal_R — Wed, 20 Jul 2022 11:22:57 GMT

Hi Michael Schneider Thank you for the detailed information. How about managing HA status alerts via SNMP? In SNMP we have HA state MIB and that will help you on your actual requirement of "Monitoring HA status".

HaState ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION "enumerated type for HA State"
SYNTAX INTEGER {
notapplicable ( 0 ),
auxiliary ( 1 ),
standAlone ( 2 ),
primary ( 3 ),
faulty ( 4 ),
ready ( 5 )

RE: Sophos XG Monitoring HA

Bharat J — Wed, 20 Jul 2022 10:52:52 GMT

Hi Michael Schneider

Thank you for reaching out to the community, please verify the logs for below command to identity the issue :

Connect to the Sophos Firewall console by using one of the following methods:
- Connect by using a Secure Shell (SSH) such as PuTTY: Sophos Firewall: SSH to the firewall using PuTTY utility
- Open the Console from Sophos Firewall's GUI by going to Admin > Console.
Sign in and select 5. Device Management > 3. Advanced Shell.

cat /log/msync.log | grep “ha:”

cat /log/applog.log | grep “ha:”

Thanks and Regards