Hi everyone,
I have a full Sophos environment with an XGS firewall, Intercept X endpoints, and Sophos Central.
On the firewall, I have Active Directory authentication configured and STAS running on the domain controller.
My firewall rules use the "Match Known User" option and reference specific Active Directory users or groups.
The issue I’m facing is that, while most of the time user authentication works fine, sometimes a few users are not authenticated and don't appear in the "Live Users" list on the firewall, so they can't access resources behind policies requiring user match.
Additionally, I noticed that some users appear in "Live Users" authenticated via STAS, while others appear authenticated via Heartbeat.
I don't understand why Heartbeat doesn't always handle authentication for all users, since all endpoints have Intercept X installed and are connected to Sophos Central.
My questions are:
- What could cause these intermittent authentication failures where users are not shown in Live Users?
- Why does authentication sometimes happen via STAS and sometimes via Heartbeat?
- Considering I have a complete Sophos ecosystem, what is the best and most reliable method to authenticate users on the firewall and apply user-based firewall rules (micro-segmentation)?
Any guidance, recommended configuration, or official documentation link would be appreciated.
Thank you!
Edited TAGs
[edited by: Erick Jan at 12:06 AM (GMT -7) on 4 Apr 2025]