Feature Request - Better Identification of Unidentified Devices on Reports

A good request. At this stage you need to use clientless and static address assignment and even then you only get the details in some reports. I suspect, but haven’t tried because my windows server died that using an external dns that is linked to the DHCP server might provide better results.

ian

Our Sophos is connected to our Windows AD servers and DNS but unless they are authenticated with STAS or the authentication client there is no other identification, they just show up as Unidentified in the reports. Was hoping they would have at least identified the host by the host name in DHCP seeing as the Sophos is providing that service and has that information at its disposal. There should be a way to at least drill down to that information without having to jump through hoops and check the DHCP leases in hopes that the person is still on the network and still has the same IP. Detailed DHCP logs would go a long way in enabling this capability, cross the time of the violation with the IP address in the DHCP log and bingo, you got your host name.

Might be a little more effort than you're wanting to exert but a solution to this is to utilize DHCP-MAC Reservations in your DHCP Server and configure clientless users based on IP if your current infrastructure doesn't support a domain environment. Another alternative to STAS is Central Sync, Heartbeat will allow you to identify a user and it's associated IP address if you have a dynamic shared space environment where a user isn't necessarily tied to a particular machine...

Just some ideas! 

Let's think about this, if the Sophos is the DHCP server it already has all of the information needed to identify a client it is leasing an address to. It has the MAC, it can usually get the host name, and obviously it knows the IP address. How hard would it be for Sophos to create a script that takes that info and automatically creates a clientless profile for that machine? Maybe we could have that as a checkbox or radio button on the DHCP page, Automatically create clientless profile? Y/N? Some machines such as servers never have anyone logged in so they are never identified in reports. Same holds true for other devices like cell phones, printers, IP cameras,  IoT devices. It isn't the known devices we are worried about, it is the unknown. When I see a large amount of traffic in my reports coming from "Unidentified" that is rather disconcerting on a device that touts itself as "identity based". The XG should try to get as much identity information as possible and present what it knows to the user, we should not have to go digging for information we know is there and easily accessible.

Hi JTB,

some of the issue is that the DHCP server is not used by all functions within the XG, in fact not all objects are accessible from all the points you would expect to seem them eg you have to re-creatre objects to use in some firewall rules.

One day when Sophos finally decide to make a common objects database within XG, creating rules and reports will be a lot more sensible as well as easier. This issue is an ongoing issue/concern for many users of the XG.

Ian

I agree on the idea. The problem is the missing links between different pgres tables. Information is there but tables are not linked.

Reporting and logging are already ver slow and I think that without a re-engineering process, they are struggling to add more references. This is my point of view.

Try to export iphosts from export feature and you will see how slow is the export. You wait for more than 2 minutes for an xml file compressed in tar.

For sure, Sophos need to optimise the resources before adding layers and layers and features on it.

Hi Luk,

"For sure, Sophos need to optimise the resources before adding layers and layers and features on it."

Wasn't that why they bought Cyberoam instead of improving the UTM because it was becoming bloated with so many features that worked and customers wanted?

Ian