Hi Everyone,
In our environment, we have two branch offices. Branch1 has its own Sophos UTM, Branch2 has no Sophos UTM.
Branches are connected to an MPLS network to the HQ.
Branch2 access points are discovered and controlled in the HQ, and users in Branch2 are enjoying wireless connection.
After an update with Palo Alto, users in Branch2 are not able to connect to the wireless connection; client machines are not able to get an IP address but are able to discover the SSID. (A)
The team then steered the traffic for 1.2.3.4 to point to Branch1; after that, users in Branch2 are able to connect again to wireless. (B)
Right now, the Sophos UTM in Branch1 will be decommissioned. Branch1 and Branch2 access points must connect to the HQ Sophos UTM. (C)
The team had an activity a few days ago, and it had the same issue for the Branch1 APs (users are able to see the SSID but not able to connect; the Sophos UTM in HQ is able to discover the APs in Branch1 and able to change their settings). We had configured the Palo Alto NGFW to allow ANY in the security policy, with no scanning as well, but it still failed.
In this situation, the team needs to understand how a wireless AP connects to the Sophos UTM. Information obtained here can be used to further evaluate security settings in the PA NGFW.
Thank you