
Policy to allow Sophos Central - New firewall setup

Hello,

I am new to the Sophos world and have a new SX135W that I am working to get set up. We migrated policies from an older SG230 and now seem to have broken the connection to Sophos Central. I added a rule to permit any traffic to Sophos LiveCentral and it is back to "Connected", but I am still unable to select and modify the new firewall. I am not even sure that is the proper way to write the rule and wanted to see what should be there to allow traffic between the SX and Sophos Central. Also, are there any other basic policies I should make sure are added as part of the new config to make sure other services like this work properly?

Thanks in advance ....

Brent



This thread was automatically locked due to age.
  • Hi

    I have moved the thread to the relevant group. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Brent,

    You do not need a firewall rule to allow the connection to CM; access is managed from within the GUI under Central Synchronization.

    What error do you see in CM when you try to modify the XG?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Until I added a rule to allow any traffic to Sophos LiveCentral it was not even showing as connected in the UI of Sophos Central. Now it at least shows connected, but when I try to select the firewall it tries 6/6 times to connect and times out. This morning it is back to not having checked in with Sophos Central in over 4 hours.

  • Hi,

    There is something odd with your configuration, because the rules affect traffic from internal to external, not external to remote sites, unless you have a drop rule affecting specific sites that sends traffic to a dead end?

    Mine works fine without a specific firewall rule.

    There is a line above the last screenshot that I have not included because it contained specific registration details.

    Ian


  • Hello Brent,

    Thank you for contacting the Sophos Community!

    Have you followed this KB, which is basically what rfcat_vk is referring to?

    Make sure you don't have a firewall rule set to drop ANY to ANY, and also let us know if you are running v17 or v18.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • It was integrating fine with Sophos Central until we imported the config from the old unit. I will go through the policy config. It would not even show connected until I added the policy to allow traffic to Sophos Live Central. I will be going back through the rules this morning and see what I can find. This is a unit that I inherited so not sure what all the rules are at the moment.

    It did upgrade to the latest firmware so is running V18

    Thanks...

  • In looking at the rules on the firewall, I do have a drop all at the very bottom that is grayed out, and so far I am unable to change or delete it. Thoughts on how to remove this if that is the issue?

    Brent

  • Hi,

    The bottom rule is a default drop all; you cannot delete it. The rule was displayed after a number of posts complained that the drop all default rule was not visible and was causing people to create extra rules.

    Ian


  • Hello Brent, 

    Thank you for the follow-up.

    Please provide the output of the following 3 commands:

    # central-register --status

    # openssl s_client -connect utm.cloud.sophos.com:443

    (For this one, just copy the lines until before --BEGIN CERTIFICATE--.)

    # wget -O /dev/null utm.cloud.sophos.com

    And if the XG is showing in Central, and you are able to click to access it, please run the following command on the XG while you are trying to access it:

    # tcpdump -nei any host utm-cloudstation-us-east-2.prod.hydra.sophos.com

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • XG135w_XN02_SFOS 18.0.1 MR-1-Build396# central-register --status

    This SFOS instance is currently registered with Sophos Central

      access_token        : ee0c658713627d65c0fd6e0253ef798283b8a0b7
      device_uuid         : c341194b-c0dc-4c87-ad7c-6c6747ba6b47
      pic_uri             : utm-cloudstation-us-east-2.prod.hydra.sophos.com
      refresh_token       : ALWad8ogMxKzKbTS5jViDNcQ2mqGR00vn4BmJpHn9_00bsBJeE3cqMrk7AO7mrpb16OsQ1dg5JcxWqvPnp4MXg9hoK9YBC8nucHpPgRSpRngIUREVey2DabLUiQOWVbRdV_O7nSXrkSpAvhU3bdM_CA

    XG135w_XN02_SFOS 18.0.1 MR-1-Build396# openssl s_client -connect utm.cloud.sophos.com:443

    CONNECTED(00000003)
    depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
    verify return:1
    depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
    verify return:1
    depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
    verify return:1
    depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
    verify return:1
    depth=0 CN = central.sophos.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=central.sophos.com
       i:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
     1 s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon
       i:/C=US/O=Amazon/CN=Amazon Root CA 1
     2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
       i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
     3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
       i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    ---
    Server certificate

    wget -O /dev/null utm.cloud.sophos.com

    HTTP/1.1 400 Bad Request
    Server: awselb/2.0
    Date: Tue, 20 Oct 2020 13:36:00 GMT
    Content-Type: text/html
    Content-Length: 122
    Connection: close

    <html>
    <head><title>400 Bad Request</title></head>
    <body>
    <center><h1>400 Bad Request</h1></center>
    </body>
    </html>
    read:errno=0

    XG135w_XN02_SFOS 18.0.1 MR-1-Build396# wget -O /dev/null utm.cloud.sophos.com

    --2020-10-20 09:36:47--  http://utm.cloud.sophos.com/
    Resolving utm.cloud.sophos.com... 54.77.40.69, 52.214.208.237, 63.35.127.231
    Connecting to utm.cloud.sophos.com|54.77.40.69|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: utm.cloud.sophos.com:443/ [following]
    --2020-10-20 09:36:51--  https://utm.cloud.sophos.com/
    Connecting to utm.cloud.sophos.com|54.77.40.69|:443... connected.
    HTTP request sent, awaiting response... 302
    Location: /login [following]
    --2020-10-20 09:36:51--  utm.cloud.sophos.com/login
    Reusing existing connection to utm.cloud.sophos.com:443.
    HTTP request sent, awaiting response... 302
    Location: /manage/login [following]
    --2020-10-20 09:36:52--  utm.cloud.sophos.com/.../login
    Reusing existing connection to utm.cloud.sophos.com:443.
    HTTP request sent, awaiting response... 200
    Length: unspecified [text/html]
    Saving to: '/dev/null'

    /dev/null                            [ <=>                                                       ]  14.29K  --.-KB/s    in 0.1s

    2020-10-20 09:36:52 (110 KB/s) - '/dev/null' saved [14637]
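The three checks Emmanuel asked for, and the output Brent posted, can be read mechanically: registration status must say "registered" and carry a pic_uri, every depth of the s_client chain must show "verify return:1" with the expected leaf CN, and the wget redirect chain must end in a 200. One detail in the paste is worth recognising: the "400 Bad Request" from awselb appears before the shell prompt, after the wget command was typed into the still-open s_client session, so it is the load balancer answering stray text, not a Central fault. The script below is an added example, not code from the thread or from Sophos: POSIX sh helpers that interpret transcripts of those commands, with constructed sample transcripts (placeholder UUID and a TEST-NET address) so it runs offline. The expected leaf CN is an assumption taken from the posted chain.

```shell
#!/bin/sh
# Added example, not from the thread: POSIX sh helpers that read transcripts of
# the three checks Emmanuel asked for (central-register --status, openssl
# s_client, wget) and say whether each looks healthy. The sample transcripts
# below are constructed in the shape of Brent's paste so the script runs
# offline; EXPECTED_LEAF_CN is an assumption taken from the posted chain.

EXPECTED_LEAF_CN="central.sophos.com"

# Prints the pic_uri host from a `central-register --status` transcript (stdin).
# Returns 0 only if the device reports registered AND a pic_uri is present.
central_registered() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'currently registered with Sophos Central' || return 1
    printf '%s\n' "$out" | sed -n 's/^[[:space:]]*pic_uri[[:space:]]*:[[:space:]]*//p' | grep .
}

# Returns 0 if an `openssl s_client` transcript (stdin) shows "verify return:1"
# at every depth, no "verify error", and a depth-0 CN equal to EXPECTED_LEAF_CN.
# Anything else means TLS to Central is being blocked, intercepted or redirected.
tls_chain_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'verify return:' || return 1
    printf '%s\n' "$out" | grep 'verify return:' | grep -qv 'verify return:1' && return 1
    printf '%s\n' "$out" | grep -q 'verify error' && return 1
    leaf=$(printf '%s\n' "$out" | sed -n 's/^depth=0 .*CN = \([^,]*\).*/\1/p' | head -n 1)
    [ "$leaf" = "$EXPECTED_LEAF_CN" ]
}

# Returns 0 if the s_client transcript contains an HTTP status line: the server
# answered text typed into the still-open TLS session (the awselb "400 Bad
# Request" in the paste), which is not a Central connectivity failure.
stray_http_in_tls_session() {
    grep -q '^HTTP/1\.[01] [0-9][0-9][0-9]'
}

# Returns 0 if a `wget` transcript (stdin) ends its redirect chain with a 200.
http_reach_ok() {
    last=$(sed -n 's/.*awaiting response\.\.\. \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ "$last" = "200" ]
}

# Evaluates the three transcripts (passed as strings) and prints one verdict
# per check; returns non-zero if any check fails.
central_triage() {
    rc=0
    if host=$(printf '%s\n' "$1" | central_registered); then
        echo "registration: ok, pic_uri $host"
    else
        echo "registration: NOT registered with Central"; rc=1
    fi
    if printf '%s\n' "$2" | tls_chain_ok; then
        echo "tls:          chain verified, leaf CN $EXPECTED_LEAF_CN"
    else
        echo "tls:          FAILED (check DNS, TCP 443 and any rule dropping traffic to the Central hosts)"; rc=1
    fi
    if printf '%s\n' "$2" | stray_http_in_tls_session; then
        echo "tls:          note: a command was typed into the open s_client session; ignore its 4xx reply"
    fi
    if printf '%s\n' "$3" | http_reach_ok; then
        echo "http:         reachable, final status 200"
    else
        echo "http:         FAILED"; rc=1
    fi
    return $rc
}

# Constructed samples (placeholder UUID and TEST-NET address, not real values).
SAMPLE_STATUS='This SFOS instance is currently registered with Sophos Central
  device_uuid         : 00000000-0000-4000-8000-000000000000
  pic_uri             : utm-cloudstation-us-east-2.prod.hydra.sophos.com'
SAMPLE_TLS='CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = central.sophos.com
verify return:1
---
wget -O /dev/null utm.cloud.sophos.com
HTTP/1.1 400 Bad Request
Server: awselb/2.0
read:errno=0'
SAMPLE_TLS_INTERCEPTED='CONNECTED(00000003)
depth=0 CN = proxy.example.internal
verify error:num=20:unable to get local issuer certificate
verify return:1
---'
SAMPLE_WGET='Connecting to utm.cloud.sophos.com|192.0.2.10|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://utm.cloud.sophos.com/ [following]
HTTP request sent, awaiting response... 302
HTTP request sent, awaiting response... 200'

central_triage "$SAMPLE_STATUS" "$SAMPLE_TLS" "$SAMPLE_WGET"
```

On a live box the same functions take real output, for example `central-register --status | central_registered` and `openssl s_client -connect utm.cloud.sophos.com:443 </dev/null 2>&1 | tls_chain_ok`; the `</dev/null` is what keeps s_client from waiting for typed input and reproducing the stray 400 seen in the thread. A TLS failure with a wrong leaf CN or a "verify error" points at interception or a redirect on the path, while a clean chain with Central still not reaching the box means the problem is on the inbound side, which is where the tcpdump Emmanuel asked for comes in.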