As far as I understood, the ‘Support access’ allows the Sophos support engineer to access the firewall via SSH and WebAdmin. Is that correct? Why would a support engineer also need additional SSH?
Added TAGs
[edited by: Raphael Alganes at 10:13 AM (GMT -8) on 8 Jan 2025]
This is regarding your service request number 02017337. Thnaks for your time over zoom session today.
As discussed we wre unable to access ssh to the firewall to check the logs and find the root cause of the issue, please let us know when we can have a session as we need to access it locally over ssh.
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner Sophos Solution Partner since 2003 If a post solves your question, click the 'Verify Answer' link at this post.
I think they mean here that they want to control your laptop and SSH from inside your perimeter to the firewall. They've asked me in the past to do a screen-sharing session on my laptop with a particular piece of sharing software they like, and I always refuse that.
Right, they've always recommended some program they want me to download. I refuse, of course. But we've found a different answer than screen sharing each time. If I _had_ to screenshare to literally show them something, as you say I'd use Zoom or maybe Google Meet that's more neutral would never involve allowing them to control anything.
P.S. On a totally different topic, I should be getting an XGS108 in the next couple of hours, so I'm not moving to the Big Leagues like you, but increasing my ports and RAM by 50% and gaining storage so I can debug (logs) and do some on-device reporting. I keep refreshing the FedEx page to see what's up.
From my understanding 99% of the time the standard Support Access (tunnel) works, and gives support access to both WebAdmin and ssh (which is often used to look at debug logs). However for some customers with complex network setups (for example if the Sophos Firewall is behind another firewall that restricts incoming access) it may be that the Support Access does not work. In that case they may ask for an alternate way of accessing.
Yeah, I got a good deal on the 108 as well -- though it required 3 years XStream, which I've been doing a year at a time, but the deal's worth it -- and the 108 is probably well-sized for our use case. At any rate, won't get a storage-less device (87 or 88) ever again. Not worth the hassles of not having on-device, extended logging. On-device reporting's pretty cool as well.
The possible reason could only be that they are unable to get your device access using Access ID. You may regenerate the access ID and ask TAC if they can access your device via SSH or not.
Quote