
Forum Post: RE: How to configure HA on UTM SG105

Simply plug the Slave device in and it will fetch the configuration details from the Master. Thanks

Forum Post: Geo-Fencing Multiple Policy

Hi Guys. How can I assign multiple profiles to a device? If the device is out of the office (geofencing), assign profile "sample 1"; if the device is in the office (geofencing), assign profile "sample2". Is it possible?

Forum Post: RE: Unable to scan from AIO Printers after XG 85 added to network

Looks like traffic from the AIO Printer @ 192.168.4.221 (Source) sending to PC @ 192.168.4.15 (Destination) is matching only Rule 1 at any point. I have temporarily disabled "ScanHTTP" and the IPS policy to run the following Packet Capture. I ran a packet capture from AIO @ 192.168.4.221 to PC @ 192.168.4.15 with 2 Violations showing (both showing the same details):

2018-03-05 15:58:43 Port2 Port1 IPv4 192.168.4.221 192.168.4.15 UDP 48785,54925 0 Violation Firewall

Packet Information
Ethernet Header
  Source MAC Address: 00:80:92:8a:54:ff
  Destination MAC Address: bc:30:5b:be:c5:aa
  Ethernet Type: IPv4 (0x800)
IPv4 Header
  Source IP Address: 192.168.4.221
  Destination IP Address: 192.168.4.15
  Protocol: UDP
  Header: 20 Bytes
  Type of Service: 0
  Total Length: 148 Bytes
  Identification: 5814
  Fragment Offset: 0
  Time to Live: 64
  Checksum: 55654
UDP Header
  Source Port: 48785
  Destination Port: 54925
  Length: 128
  Checksum: 33703
Hex & ASCII Detail
0x0000: 4500 0094 16b6 0000 4011 d966 c0a8 04dd  E.......@..f....
0x0010: c0a8 040f be91 d68d 0080 83a7 0200 7430  ..............t0
0x0020: 5459 5045 3d42 523b 4255 5454 4f4e 3d53  TYPE=BR;BUTTON=S
0x0030: 4341 4e3b 5553 4552 3d22 4a55 4459 2d50  CAN;USER="JUDY-P
0x0040: 4322 3b46 554e 433d 4649 4c45 3b48 4f53  C";FUNC=FILE;HOS
0x0050: 543d 3139 322e 3136 382e 342e 3135 3a35  T=192.168.4.15:5
0x0060: 3439 3235 3b41 5050 4e55 4d3d 353b 5031  4925;APPNUM=5;P1
0x0070: 3d30 3b50 323d 303b 5033 3d30 3b50 343d  =0;P2=0;P3=0;P4=
0x0080: 303b 5245 4749 443d 3431 3935 323b 5345  0;REGID=41952;SE
0x0090: 513d 373b                                Q=7;

Scan from AIO to PC is still a NO Go. However, as long as the scan is initiated from the PC the scan works. I did have to take 1 AIO/PC and switch it over to a USB connection to meet User needs today, and for some reason that involved me having to reinstall the Printer Software/Drivers, which seems odd but was the only solution I could come up with.
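Added example (not code from the original post, nor from Sophos): a small Python script that rebuilds the raw bytes from the hex dump quoted above, decodes the IPv4 and UDP headers, verifies the IPv4 header checksum against the 55654 the capture reports, and parses the KEY=VALUE; pairs in the payload. The 4-byte binary prefix before TYPE= is skipped as an assumption about the format, and the field names are only what the capture shows. The HOST field in the payload names the PC and port 54925, so the printer is the one opening this flow (Port2 to Port1), which is the direction a firewall rule must cover.

```python
import re
import struct

# Hex dump transcribed from the packet capture quoted in the post above
# (ASCII column dropped; these are the page's own bytes, not constructed data).
CAPTURE_DUMP = """\
0x0000: 4500 0094 16b6 0000 4011 d966 c0a8 04dd
0x0010: c0a8 040f be91 d68d 0080 83a7 0200 7430
0x0020: 5459 5045 3d42 523b 4255 5454 4f4e 3d53
0x0030: 4341 4e3b 5553 4552 3d22 4a55 4459 2d50
0x0040: 4322 3b46 554e 433d 4649 4c45 3b48 4f53
0x0050: 543d 3139 322e 3136 382e 342e 3135 3a35
0x0060: 3439 3235 3b41 5050 4e55 4d3d 353b 5031
0x0070: 3d30 3b50 323d 303b 5033 3d30 3b50 343d
0x0080: 303b 5245 4749 443d 3431 3935 323b 5345
0x0090: 513d 373b
"""

HEX_WORD = re.compile(r"[0-9a-fA-F]{2,4}")
# KEY=VALUE; pairs as they appear in the payload; quoted values may contain ';'.
# Assumption: keys are upper-case alphanumerics, as every key in the capture is.
FIELD = re.compile(r'([A-Z][A-Z0-9]*)=("[^"]*"|[^;]*);')


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: word word ...' lines, ignoring any ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        _, _, rest = line.partition(":")
        for word in rest.split()[:8]:          # at most 8 words (16 bytes) per dump line
            if not HEX_WORD.fullmatch(word):
                break                          # first non-hex token starts the ASCII column
            out += bytes.fromhex(word)
    return bytes(out)


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the IPv4 and UDP headers and verify the IPv4 header checksum."""
    (vihl, _tos, total_len, ident, _frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    # Recompute over the header with the checksum field zeroed; it must equal the stored value.
    computed = rfc1071_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "ip_id": ident,
        "total_len": total_len,
        "ip_checksum": hdr_csum,
        "ip_checksum_ok": computed == hdr_csum,
        "sport": sport,
        "dport": dport,
        "udp_len": ulen,
        "payload": pkt[ihl + 8:ihl + ulen],
    }


def parse_scan_fields(payload: bytes) -> dict:
    """Extract the KEY=VALUE; pairs of the scan notification; surrounding quotes are stripped."""
    text = payload.decode("latin-1")           # ASCII text after a short binary prefix (assumed)
    return {k: v.strip('"') for k, v in FIELD.findall(text)}


def describe(dump: str) -> dict:
    """Summary: who sent what to whom, and which host:port the printer is announcing to."""
    info = parse_ipv4_udp(dump_to_bytes(dump))
    fields = parse_scan_fields(info["payload"])
    return {
        "flow": f'{info["src"]} -> {info["dst"]} UDP/{info["dport"]}',
        "ip_checksum_ok": info["ip_checksum_ok"],
        "button": fields.get("BUTTON"),
        "target_host": fields.get("HOST"),     # the PC:port that must be reachable from the printer
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in describe(CAPTURE_DUMP).items():
        print(f"{key}: {value}")
```

Running the script prints the flow 192.168.4.221 -> 192.168.4.15 UDP/54925 with the IPv4 checksum confirmed and the twelve payload fields; the same dump_to_bytes/parse_ipv4_udp pair works on any other XG capture pasted in this format.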

Forum Post: RE: Some Sophos services are not running/missing

Thanks for sharing, Mike. Knowing that the .msi is available in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ is valuable. Its value diminishes somewhat when there are dozens or more machines having the issue around the enterprise, in office and in remote locations with limited connectivity. I would be more interested and encouraged had Simon relayed the findings back to the engineering teams to build better redundancy and more robust latency checks so that this problem was more likely to resolve itself without manual intervention. Perhaps he did... ?

Forum Post: RE: Some Sophos services are not running/missing

Do you really think the programmers are going to listen to someone at the helpdesk when all of Sophos ignores their customers?

Forum Post: VPN SSL UTM9 to Mikrotik

How to make an SSL VPN (or IPSEC RSA) connection between UTM9 and Mikrotik?

Forum Post: RE: Windows 10 updates are blocked. cant install 1703

Hey. OK, we have the update now to: SFVUNL (SFOS 17.0.5 MR-5). I tested, but: can't download this or that: 2018-02 Cumulative...... 2018-01 Cumulative Update for Windows 10 Version 1607 for x86-based Systems (KB4057142) Windows 10 Updates 26.01.2018 k.A. 632,2 MB. After avoiding the Sophos XG in Network settings, updates went through. Need some fast help!

Forum Post: SafeGuard BitLocker Encryption fails: BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM)

Good afternoon. I'm receiving an error when trying to configure Encryption on an HP Probook 450 G4 that is shown in the following KB: community.sophos.com/.../124400 The laptop is currently in Legacy mode running Windows 10 Pro. I've looked in TPM management and it's displaying the following: 'The TPM is ready for use, with reduced functionality, Information Flags: 0x80000' 'The TCG event log is empty or cannot be read' I've read up on the above KB and it states 'To enable BitLocker Drive Encryption with TPM and PIN on machines that are installed in legacy (BIOS) mode without re-installing the operating system, the security chip setting in the machines firmware needs to be changed from Intel PTT to Discrete TPM'. I can't find this option within the BIOS of the HP Probook 450 G4 anywhere; I'm not sure if it's entirely possible? I've managed to encrypt an HP Probook 450 G3 with Legacy BIOS enabled with TPM and PIN authentication, which is confusing me.. Thanks James

Forum Post: RE: UTM Confusion

[quote user="ferozsyed"] Understood. Is there any way to set two different time sets for a single policy? I mean a work time policy from 8 to 12 and 13 to 17. I can do this on XG, but on UTM I can define only one time set. [/quote]

Yes there is. Assuming for a moment that you are using the default Filter Profile (under Web Protection\Web Filtering): go to the Web Protection\Web Filtering Policies tab. At the bottom is the "Base Policy". If you click on the "Default content filter action", this is where your category block/allow are all defined. The Base policy is used if no other policies match. Click the + on the Policies tab. You are now adding a policy, which you can apply to Users/Groups and Times. Under the Filter Action you can select an existing object or click + to add a new one. Policies are evaluated top to bottom. The first policy that matches is used and its filter action applied. If you want to do two time sets you need to use two policy objects, but you can reuse the same filter action. In the UTM the object called "Policy" is a simple mapping of username/time to filter action.

Forum Post: RE: limit bandwidth usage

Hala Sherif and welcome to the UTM Community! I don't think you can define a time period different from a day (midnight to midnight, I think). In Web Protection you can set a quota per-user-per-day on a website or category of websites. In 'Quality of Service', you can define a Traffic Selector using more- or less-than a number of KB. That selector can then be used in a Bandwidth Pool or Download Throttling rule where you can select "Shared, Each source, Each destination or Each source/destination" address. It's difficult to know what to recommend without knowing what problem drove you to imagine this solution. Cheers - Bob

Forum Post: RE: Creating different messages for different policies in UTM 9.5

Assuming for a moment you don't want to mess with how you do authentication, not really. You have some ability to modify the block message, but it would be the same for all blocks. Possibly you could do something with full customization, but you'd have to write the HTML yourself. Go to Management, Customization. Web Messages allows you to edit the main body text. The company text and Administrator info gets added to pages. Web Templates allow for a fuller customization. See community.sophos.com/.../118958 and download the samples. Potentially you could do something here, but I think you might not have access to the username or whether they are authenticated or not. So you could change the message to something like:

You do not have permission to access the URL: http://poker.com
Either you are not logged in or you are not allowed to visit Gambling sites.

Forum Post: RE: 'Single Event' Time Period Definition is off by Timezone offset

I haven't opened a case yet; I first wanted to see if anyone had ever heard of it, in case it was a simple fix. I'll probably open one up after I do the updates to 9.5, assuming that doesn't fix it. Thanks!

Forum Post: I am not receiving the confirmation email.

Hey, I was working on downloading the free Sophos antivirus; I need it in order to connect to my school VPN. However, after creating my account, I was told to verify through the confirmation email. I checked my spam, I checked my school email (no idea why it would link to that either) and I have tried to resend the confirmation email. I am wondering if it has anything to do with the computer I'm on. I just bought a new Mac with the High Sierra software. Any help is appreciated. Thanks

Forum Post: RE: Some Sophos services are not running/missing

[quote user="David Veatch"] Thanks for sharing, Mike. Knowing that the .msi is available in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ is valuable. Its value diminishes somewhat when there are dozens or more machines having the issue around the enterprise, in office and in remote locations with limited connectivity. I would be more interested and encouraged had Simon relayed the findings back to the engineering teams to build better redundancy and more robust latency checks so that this problem was more likely to resolve itself without manual intervention. Perhaps he did... ? [/quote]

Each component/service that is part of the Sophos endpoint protection has its own folder in there with the corresponding MSI/EXE. Simon said to always start with the AutoUpdate one as that is the key to the entire app working. I did not get an indication from Simon that he was passing on any info to the Sophos engineers about my issue. However, Simon did tell me they (Sophos) were having issues with their servers Friday through Sunday of the weekend I did my deployment (3/2-3/3). He felt that contributed to the latency and delays in those four endpoints getting the necessary components correctly installed and updated. Simon did say the latency issues they experienced are being investigated and work is being done to prevent that from happening again. This was a relief to me as I expected him to put the blame on the customer network or the endpoint for having network/internet performance issues that caused the latency.

Forum Post: hostname does not match server name

Hello, I have installed Seafile with nginx on a real web server, as the subdomain "cloud.company.com", listening on port 80. There is already "www.company.com" there, also listening on port 80. Each has its own virtual web server, where the one for Seafile (and only that one) should communicate externally over https. The host headers are passed through. Calling either subdomain externally works fine. But as soon as I want to download a file from Seafile externally, it is blocked with: "hostname does not match server name", referring to the www subdomain. Does it have to do with both listening on port 80? But why is only the download blocked? Is there a switch somewhere that stops the blocking? Please enlighten me.

Forum Post: RE: Unable to scan from AIO Printers after XG 85 added to network

Hey Jim Walls, that packet capture showing the violation looks to be for Port 2 (WAN) AIO Printer @ 192.168.4.221 (Source) to Port 1 (LAN) PC @ 192.168.4.15 (Destination) traffic. If I recall correctly, you only had a LAN to WAN rule? This may be why you're only able to Scan when the PC initiates (LAN to WAN). It seems that your AIO printer is configured in your Port 2 (WAN) zone, and the firewall is dropping this initiated traffic to Port 1 (LAN) because no firewall rule exists to allow it. Regards, FloSupport | Community Support Engineer

Forum Post: RE: OSPF on Sophos XG 115 - not accepting auth type "none"

Hi Sam, Not quite sure if this is for me, but I am using the 17.0.5 MR-5, should be the latest version of SFOS. The whole env I am working with is a test lab, I got the other brand router that connected to XG310 to test the WAN port OSPF connection. Just hoping this would be helpful. Thanks, XP

Forum Post: RE: How to install Sophos AV in a virtual desktop environment - instant clones

Hello Joe Clarke, the VM is starting in a state where Windows has already booted; start is automatic for the Sophos services, but the question is when the image was taken. It should be when the mentioned keys and files aren't present and the two services are stopped. As far as I understand the VMware docs, a ClonePrep script can be used to start the services at provisioning time. Christian

Forum Post: RE: BitLocker Could not be enabled. WIN10Pro Build 1709 SGN8

Hey Michael! Thank you so much for the quick response. You're absolutely right. After uninstalling the client, and reinstalling it without C/R, everything kicks off/functions perfectly. Thank you for pointing me in the right direction! At least from what I'm seeing, this appears to be specific to 1709 AND SysPrep AND C/R. It doesn't seem to be hardware specific. I've been able to clean build 1709 Dells and Lenovos, with C/R enabled (but not SysPrep'd), and everything works fine. Also, before 1709, I was using a SysPrep'd 1703 image, installing C/R (on the exact same models of Dells and Lenovos), and it also worked without issue. I don't expect you to have an answer for that. More just mentioning how oddly specific this issue appears to be. It's working without C/R though, and that's good enough for me. Thank you again! Derek

Forum Post: Firewall Rule IDs and Descriptions

Somewhere, I found this grid that matches Firewall Rule IDs (from the Firewall and ATP logs) to a description, but I cannot remember where. After reviewing my log data, I realize that I am missing descriptions for at least these IDs: 1, 12, 17, 18, 60023, 63001 (63001 is associated with ATP, not Firewall Rules.) Does anyone have the rest of the list? Here is what I have so far, in CSV format:

fwrule,IptablesChain,Description,Target
60001,filter:INPUT,Input Default Drop,LOGDROP
60002,filter:FORWARD,Forward Default Drop,LOGDROP
60003,filter:OUTPUT,Output Default Drop,LOGDROP
60004,filter:AUTO_INPUT,Forbidden SSH connects,LOGDROP
60005,filter:AUTO_INPUT,Forbidden WebAdmin Contacts,LOGDROP
60006,filter:AUTO_INPUT,Allowed WebAdmin connects,LOGACCEPT
60007,filter:INVALID_PKT,Drop invalid packets,LOGDROP
60008,filter:SPOOF_DROP,Drop spoofed packets,LOGDROP
60009,filter:STRICT_TCP_STATE,Drop packets with suspicious tcp state,LOGDROP
60010,mangle:PREROUTING,Log FTP data connections,LOG
60011,mangle:PREROUTING,Log DNS requests,LOG
60012,raw:PREROUTING,Drop SYN_FLOOD attempts,LOG and DROP
60013,raw:PREROUTING,Drop UDP_FLOOD attempts,LOG and DROP
60014,raw:PREROUTING,Drop ICMP_FLOOD attempts,LOG and DROP
60015,mangle:PREROUTING,ICMP invalid pkt,LOG and DROP
60016,mangle:PREROUTING,ICMP Redirect,LOG
60017,filter:PSD_ACTION,Portscan detected,LOGDROP/LOGACCEPT
60018,mangle:FORWARD,SIP call,LOG
60019,mangle:SANITYCHECK,License Usage Exceeded (Active IPs),LOG and DROP
60020,mangle:FORWARD,H323 call,LOG
60021,"nat:USR_PRE, USR_POST or USR_OUTPUT",Connection using NAT,LOG

Also, I am seeing these relationships between ITMIDs and FWRULEIDs. The data makes more sense when the two codes are seen together. For example, an IP blocked by Country Blocking hits firewall rule 60019. There is not really a licensing problem.

Itmid,ItmName,itmfwrule,description
2001,Packet dropped,12,
2001,Packet dropped,60001,Input Default Drop
2001,Packet dropped,60005,Forbidden WebAdmin Contacts
2001,Packet dropped,60023,
2001,Packet dropped,60003,Output Default Drop
2002,Packet accepted,17,
2002,Packet accepted,18,
2003,Packet rejected,17,
2009,ICMP redirect,60016,ICMP Redirect
2017,AFC Alert,1,
2021,Packet dropped (GEOIP),60019,License Usage Exceeded (Active IPs)
2022,Packet dropped (ATP),63001,