

Sophos XGS Zero Touch Deployment

Hi,

I've set up a new and fresh XGS116 and added it to receive a ZeroTouch config from the Central; however, I'm seeing all kinds of errors regarding access denied, and I don't know what to do anymore. The firewall has been added to the Central with the correct serial, but still... Have you guys had any luck with it?





  • So I tried it in the past multiple times. But it seems like your Central account has an issue with this process.

    Which Region of Central do you use? 

    And which Firmware Version is installed on this firewall? 


  • The firmware is the latest, 20.0 MR1
    Our Central is located in Oregon. I know there are some issues regarding availability with the switches and regions; is it the same for this functionality?

  • Should not be the case. I will look into this in more detail. Have you created a support ID?


  • Case number is 07454392.

    The attendee pointed me to documentation that says that what is required is a firewall with 20.0 MR1 or later, but also says that Zero Touch is available for a number of devices with specific serial numbers and revisions. As per my understanding, I'm just REQUIRED to have a device with 20.0 MR1, and that firewalls with those serial numbers and revisions would work out of the box... Am I right, or do I actually need these hardware revisions AND the 20.0 MR1?

  • The video within the documentation states this is an additional requirement.
    So the appliance needs to have a qualified serial number AND run at least 20MR1.
    docs.sophos.com/.../index.html

    Your logfile above shows "Access Denied, EAP invitation is not active" and "No valid CZT config [..] found for this firewall", so SFOS might try or fall back to the previous beta "Controlled ZeroTouch / CZT" (available from 19MR1) instead of the new real ZeroTouch, as the serial number requirement is not met and your tenant is not part of the CZT EAP. docs.sophos.com/.../index.html

  • Well, that's a bummer hahaha
    Thanks for the explanation.
