In our environment, we have two branch offices. Branch1 has its own Sophos UTM; Branch2 has no Sophos UTM.
Both branches are connected to HQ over an MPLS network.
Branch2 access points are discovered and controlled from HQ, and users in Branch2 have a working wireless connection.
After an update to the Palo Alto, users in Branch2 are no longer able to connect to wireless: client machines can see the SSID but are not able to obtain an IP address. (A)
The team then steered the traffic for 18.104.22.168 to Branch1; after that, users in Branch2 were able to connect to wireless again. (B)
Now the Sophos UTM in Branch1 is going to be decommissioned, so the Branch1 and Branch2 access points must connect to the HQ Sophos UTM. (C)
The team ran an activity a few days ago and hit the same issue with the Branch1 APs (users can see the SSID but cannot connect, while the Sophos UTM in HQ can discover the APs in Branch1 and change their settings). We had configured the Palo Alto NGFW security policy to allow ANY, with no scanning as well, but it still failed.
In this situation, the team needs to understand how the wireless APs connect to the Sophos UTM. Information obtained here can be used to further evaluate the security settings in the PA NGFW.
I bet you will find that 22.214.171.124 is blocked in one of the Palo Alto logs.
Cheers - Bob
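As an added example (not part of this thread, and not Sophos or Palo Alto code), here is one way to carry out the check Bob suggests: export the PAN-OS traffic log and look for sessions to the address quoted above that the firewall did not allow. The CSV layout, the header names, the rule names and all address and port values below are constructed for the example; a real PAN-OS export has a fixed and much longer column order, so map its columns by header name before pointing this at live data.

```python
"""Added example: find traffic-log sessions to the AP control address that a
Palo Alto firewall denied, dropped or reset, grouped by the rule responsible."""
import csv
import io
from collections import Counter

# Constructed sample data. Header and column order are assumptions for this
# example, not the real PAN-OS export layout. IPs, ports, rule names and
# timestamps are made up; the destination is the address quoted in the thread.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,proto,dport,action,rule,session_end_reason
2019/03/01 09:00:01,10.20.5.15,22.214.171.124,udp,4450,allow,Allow-Any,aging-out
2019/03/01 09:00:02,10.20.5.15,22.214.171.124,tcp,4450,deny,interzone-default,policy-deny
2019/03/01 09:00:03,10.20.5.16,22.214.171.124,tcp,4450,drop,interzone-default,policy-deny
2019/03/01 09:00:04,10.20.5.15,10.0.0.53,udp,53,allow,Allow-Any,aging-out
2019/03/01 09:00:05,10.20.5.15,22.214.171.124,tcp,4450,reset-both,Block-Scan,threat
"""

# PAN-OS records one action per session (allow, deny, drop, reset-client,
# reset-server, reset-both); only "allow" means the session was permitted.
PERMITTED_ACTION = "allow"


def parse_traffic_log(text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def flows_to(rows, dst_ip):
    """Every session whose destination is the address under investigation."""
    return [r for r in rows if r["dst"] == dst_ip]


def blocked_flows_to(rows, dst_ip):
    """Sessions to dst_ip that were not allowed.

    A 'reset-both' whose end reason is 'threat' typically comes from a
    security profile (the scanning the OP mentions), not from the security
    policy rule itself, so the two cases need different fixes.
    """
    return [r for r in flows_to(rows, dst_ip) if r["action"] != PERMITTED_ACTION]


def summarize(blocked):
    """Count blocked sessions by (rule, action) so the offending rule stands out."""
    return Counter((r["rule"], r["action"]) for r in blocked)


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    blocked = blocked_flows_to(rows, "22.214.171.124")
    for (rule, action), n in summarize(blocked).items():
        print(f"{n} session(s) {action} by rule {rule!r}")
```

If the summary is empty while the APs still cannot serve clients, the policy is not the blocker and the next place to look is the session end reasons of the allowed flows (for example, "aging-out" on a control connection that should stay up).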
Thank you for the information. The network 126.96.36.199/32 is routed correctly between the HQ Sophos UTM and the remote branches, as it is needed for the Sophos UTM to discover and configure access points.
The team simulated a test network that bypassed the Palo Alto appliance; it was able to discover and operate a remote AP, and a wireless client was able to connect to it as well. On the test network behind the Palo Alto appliance, it was able to discover the AP, but the wireless client was not able to connect to it.
After doing some research here in the community: the Sophos AP communicates with the Sophos UTM through a special OpenVPN connection.