  • Change OTP token's user via API

    Hello, I want to change users of all OTP tokens on all of our firewalls because of domain change. Users with new domain already exist on the firewalls and I can change them manually via web GUI, but as we are talking about hundreds of tokens here,…
  • Generate OTP token with next sign-in

    Hi, I recently upgraded to SFOS 17 to 19.0.1 MR-1 and I used to have access to the user's QR codes as admin. This was handy with remote users when they got new phones or lost their phone I could easily add the OTP token back to their new phone. I understand…
  • AD SSO - Cannot establish NTLM authentication channel with xxx

    Hi, We use AD SSO and Kerberos and everything is working fine however we are getting this message in the logs 'Cannot establish NTLM authentication channel with xxx' Message ID 17945. What is this and how can we stop it please? Many thanks …
  • Sophos XGS and AD sync

    Hello, Have 2 questions related to user authentication. 1. Do we know the sync interval between Sophos XG and Active Directory. We have disabled few users from AD, however they are still able to authenticate against Sophos Firewall via a captive…
  • Sophos XG and Duo MFA not working properly, new setup

    I am facing an issue with setting up Duo for the Sophos XG firewall. I know Sophos has not built out their dedicated API to work with Duo yet (need to resort to using Sophos UTM application protection in Duo), but I have confirmed that this is working…
  • Captive Portal for Vlan

    Hi Fellas. I just wanna test Captive Portal scenario where a guest wants to connect to network, and before access any resources it must authenticate <-- I think that is obvious. So I decided to check it on SophosXG where some things are done much different…
  • 2FA with AD-Groups

    Hi, we have turned on 2FA for all our users for VPN and userportal. Currently each user has been added individually to "Multi-factor authentication (MFA) settings". By doing this we were most flexible. So far so good. Now we want to switch…
  • Sophos(STAS) logs out AD users

    Hello, everyone, In our network we use STAS. A few days ago we disabled NTLMv1 in the network and since then every 5 to 10 minutes all users either get no internet access or get Captive Portal windows through their browser. Apparently the users are logged…
  • XGS 136w - How to set up STAS and/or SATC for Windows Remote Desktop?

    Hi. Been a previous user of Cyberoam firewalls and have a site with Sophos XGS136w device. The firewall is AD integrated, and the domain has STAS configured and operating. This site has a vast majority of users on a Windows RDP server. I'm attempting…
  • 2FA + CAA on Linux or MacOS clients - poor usability

    Hello, we have Linux with Sophos Antivirus and MacOS Clients with Intercept X installed. On the firewall we have many rules with user authentication (and heartbeat) required. We enabled 2FA for many users to secure our SSL VPN. The users are required to…
  • Sophos Connect SSL authentication with Windows Server Radius

    Hello, we have an XGS 2100 (SFOS 19.0.1 MR-1 Build365) and we tried to configure (without luck) SSL Authentication using a Windows Server Radius. We always get "authentication failed" using "test connection" button (I know that pap must be enable…
  • Sophos Firewall | Active Directory Users Not syncing to the groups correctly

    Issue A customer is faced with a strange problem in the Sophos XGS Fw (v19), After rebooting the firewall or the Active Directory server, certain users are no longer in their group. We add all the subnets to the STAS and log in to the user portal…
  • Firewall / web filter user authentication - Microsoft accounts

    Hi All, I'm currently using CAA to authenticate users to the firewall so that user group-specific rules can be applied. However, it has some issues, especially when a PC is used by more than one user - it installs in the first user's profile folder…
  • Custom STAS collector

    Hi, Is there or could Sophos provide the documentation of the protocol or API to implement a custom STAS collector ? If we could develop our own STAS collector, we could authenticate users already authenticated with a 3rd party VPN solution. …
  • Cannot establish NTLM authentication channel with <domain>

    Hi, I received this Firewall log, and I don't know what it is. Can someone explain for me what this is please? Thanks Carlos
  • One account, one password with MFA on different phones

    I have two independent users that use the same login and password. One of the users has installed the MFA QR code. I would like for the other user to have his own Authenticator. Is this possible?
  • AD SSO not working without proxy on Sophos XG 18.0.1 MR-1-Build396

    Hi, We have setup proxy on client computer for the sophos xg and AD SSO in place and it just works fine; user starts browsing, gets seamlessly authenticated via AD SSO and surfs on... Now my organization wants to get rid of proxy settings, the traffic…
  • User permanently logged in XG/Linux caa

    Hello, from time to time I try to run the caa client in different ways (*1) never works. However I've noticed I've been logged in the firewall for a few months now. I leave the office daily and take my laptop with me yet the user is still present in…
  • Missing communication between STAS Agents and STAS Collector

    I wanted to share my observations regarding communication problems between STAS Agents and Collector. We have three domain controllers, one primary and two backup. I installed the newest STAS application on each of them. One of them was launched in…
  • CAA Certificate "Copernicus UTM" expired silently - 1.2.3.4:9922. CAA Clients terminate

    The CAA certificate on our XG 18.5 MR4 has expired without any warning. Nice! So all our clients with CAA cannot authenticate against that firewall. How would Sophos resolve that issue without recreating the ApplicanceCertificate? C:\OpenSSL…
  • SFOS 19.0.1 Captive Portal not using signed certificate

    Updated from SFOS 18.5.4 MR-4-Build418 to SFOS 19.0.1 MR-1-Build365 Captive portal is not using my uploaded signed certificate, Admin portal and user portal are using correct certificate. Same…
  • UTM SG450 seems to lose Internet connection with users

    We have the SG450 migrated to XG Firewall software, users began randomly to lose internet connection and have different error messages. Like those I'm attaching here. Is it possible to tell me how to solve this big problem, because it is really frustrating…
  • Frequent logging out of users in Sophos XG Firewall

    We are facing a problem of users getting logged out quite often and reopening of the captive portal again and again in a very short interval. I will be describing my scenario in detail below We have ~9000 users in our system We have 2 XG 750s in…
  • Is it possible to disconnect as a user of the equipment?

    I have a doubt as administrator of a small network, and is it possible that the user who enters through captive portal, can leave your account by your own means? No need for me to remove it from the system through the administration interface.
  • How do you connect to Sophos AP 55? Through wpa2 password or Sophos XG Firewall User Login?

    Good day to all, Please excuse me for this noob question. I need clarification about how user authentication works in Sophos Access Points. I am eyeing Sophos AP 55 for home use, but I don't know if the AP 55 can do what I need. What I am looking for…