sophos troubleshooting

This is the first part of the FQDN that you configure in the, One SPN is created for the bare hostname, followed by the AD domain. This command lists the IP addresses of your terminal servers. Resolution Limit the organization's name to 38 characters. I get about filters in the log, but I may not have been clear. You can disable the logging of those errors if you find they are a problem. By default the setting is "Block". Follow the steps below if the service doesn't start after 10 minutes. If it's a DNS FQDN, it must match the DNS SPN that you created manually. Ensure you clear all the previously created stacks that are in a failed state before creating a new stack. When we try to access the PCs via Datto RMM WebRemote or Splashtop the connection is unsuccessful. Mar 2, 2023 If you have issues connecting to your remote network, click the events tab, find the timestamp from when you attempted a connection, and find the relevant error. See the troubleshooting topic for the authentication method you use. With the rule on goes to the gateway and then the Camera. If authentication fails, follow the steps below to troubleshoot the issue. Installing the ZTNA agent changes the default TAP adapter. This can be the configured FQDN, a different FQDN (such as the AD computername), or a bare hostname. To do the troubleshooting steps in this article, the following must be ensured: Tamper Protection must be turned off for the section Clear local update cache and force an update. How to stop an update. Make sure the endpoint computer can resolve the Sophos Firewall by the method you select. An engineer will access integration log files and resolve the issue. See Register the ZTNA app. I get that there is no connection, but I have told my FW that I am okay with the WAP sending the packet to the Controller, thus DON'T TOUCH IT! A time mismatch leads to connectivity issues. (See Installation and Setup below for more . For example: firewalls, VLANs, proxies. If the user's been added recently, ask them to try again later. If you're redirecting using a bare hostname, the browser will see that the requester is local and automatically trust it to perform SSO. Your browser doesnt support copying the link to the clipboard. Check S3 Upload Status in the header to see if data is being uploaded from the Sophos VA. Third Party Antivirus - Running two antivirus programs can reduce your security. You can use the log viewer to view HA logs. The access point connects to the IP address 1.2.3.4 on port 2712. Whatever you use must match an SPN. I had two (2) devices, my wife's phone and my desktop attempt connect to an outside user and it didn't work. The following topics show issues, possible causes, and information on what to do next. Users won't be able to access the app. If the connection fails, you must resolve the AD connectivity issues. Is this another XG anamoly? Invalid Traffic is not per default activated in UTM, it is in XG. How to temporarily disable Sophos Home to troubleshoot issues. Verify the network interface configuration. Home Known Issues List for Sophos Products KB-000036055 17 oct 2022 7 people found this article helpful We have revamped our Known Issues List to make it more accessible. Select Allow All or Default Policy for your web policy security instead of None. Gateway hosted on ESXi doesn't show an "Approve" button in Sophos Central after deployment. Follow the steps below to check that your systems are configured correctly and correct any issues you find. This section describes the reasons a gateway may fail the diagnostic tests and the steps you can take to fix the issue. Always use the following permalink when referencing this page. Thus I has two issues, how do I find where the FW is blocking stuff and how do I get my FW to just forward traffic without touching it? Also, ensure that the timezone is UTC. The IDP should prompt the user to sign in the first time they try to access apps. You said the phones didn't work as expected so I asked some question s about your phones. To use a different FQDN or a bare hostname, go to Administration > Admin settings > Admin console and end-user interaction, select Use a different hostname, and enter the hostname you want to use. The WAPs are they Sophos or another company? Verify the settings on the gateway platform. Go to Authentication > Services and make sure the Active Directory server is selected under Firewall Authentication Methods. If so, ensure that SIP Protocol Support is disabled, and firewall rules allowing outgoing traffic on all required ports are implemented. Go to System services > Log settings and select all local reporting boxes for your firewall. Check whether Sophos TAP adapter configuration failed. 3 hours ago Updated Applies to: Sophos Home Premium and Trial This article covers how to get started with Sophos Home for Windows, Mac and Mobile devices, as well as how to configure it and perform installations on additional devices. Always use the following permalink when referencing this page. I am trying to find a why to properly diagnose blocking issues. If there's no internet connection detected, you must power off the VM and resolve the issue. Thank you for your feedback. For more information, see, To use the configured FQDN of Sophos Firewall, go to, One SPN is created for the bare hostname. Check whether ZTNA is shown with "red" health status in the Sophos Endpoint UI. With this rule active I turned on Logging and found that it worked without issue. This was never an issue on my UTM, and yes I get there is a difference in detections between UTM and XG. With the rule off it goes to the gateway address and the requests just time out. Specify the network adapter for the lookup to use. Check the certificates are valid in heartbeat.xml. AWS restricts the cluster name to 64 characters. Check the certificates are valid in heartbeat.xml. If the connection is successful, continue the steps below. "phones didn't work", I mentioned that in context with using Facebook messenger, FB Messenger does not equal VoIP. Thank you for your feedback. Table of contents. Sophos Home dashboard messages. Users in an Azure AD user group that previously had access to an app can no longer access it. To remove browser warnings about certificates, the certificate must cover the hostname or FQDN that traffic is redirected to. Ensure the time on the gateway is synchronized with the time in Kubernetes. To get it to work I had to turn on my FW rule that allows everything out from the LAN to the WAN. Central service, which manages all services. Start the device, itll detect the primary and take on the role of the auxiliary. 2 - Allowing Notifications *. If a post solvesyourquestion please use the'Verify Answer' button. No internet connection. To verify if a defective interface or cable is causing a failover, review the port status using the dmesg command from the CLI advanced shell, as shown in the image below. Currently the portal doesn't show apps that are accessed via the ZTNA agent. If the dedicated port or cable fails, both devices become standalone primary devices and send gratuitous ARP requests (GARPs) to the network switch to take ownership of the virtual MAC address (VMAC). An example today my Daughter through Facebook Messenger sent my wife and I a Video Chat request, we could accept the chat but then after a moment it would drop the connection. So if you like to have the same principles like UTM, put it to 24 h and deactivate the logging. If you don't see the terminal server in the previous step, add it using the following command: system auth thin-client add citrix-ip IPADDRESS. 1 - Enabling System Extensions. In the following topics, you can see error messages, possible causes for the errors, and information on what to do next. You must change this to use either a bare hostname or an FQDN. Check if any proxy or security software is installed on the server that might change the source port. Your browser doesnt support copying the link to the clipboard. Here is another really simple example of what is happening: So why then when I didn't have the FW rule in place, the FW log didn't display anything relating to me trying to access the Camera. To do this, go to the CloudFormation Resources list in the AWS Management Console. Help us improve this page by. When you add an AWS gateway, the 'Launch stack' link to AWS doesn't work. If your DNS and Active Directory use different domain names (such as mycompany.com and mycompany.local), and you want to use the DNS name in redirection, you must manually create the SPN on your AD domain controller. Some common issues for authentication failure are: Configuration errors, domain join failures, and in the case of Kerberos the key version number (KVNO) not matching between endpoints and Sophos Firewall. The user can't see any apps in the ZTNA user portal. Lookups of apps that aren't behind the ZTNA gateway will fail. This lets ZTNA give the user access when they click on the links. You must have Administrator rights. For many customers, the domain name used in DNS and Active Directory is the same, which means that the DNS FQDN and the Active directory computer name are the same. Add the other apps to ZTNA as described in Add resources. Check whether your gateway can connect to these URLs. Thus my questions still remains, there were NO ports showing as blocked in the Log, they only showed up once I opened up my FW. When attempting to authenticate via Active Directory SSO using NTLM with the HTTP proxy in transparent mode, the NTLM authentication fails. Yes, the XG logging is very poor and makes debugging difficult. Until this data is added, if data is being sent, but not received in Sophos Central, you can contact the NDR engineering team. Overview If Okta is the IdP, you specified the Sign-in redirect URI when you created an app integration in Okta. Here's an example of the first boot failure screen. "read the KBAs on CLI commands", are there any you could suggest that I look at in particular? Alternatively, if it's a web app, tell the user to go into Incognito or Private mode in their browser and then try again. We recommend SATC users migrate to Sophos Central Server Protection. I appreciate your time and acknowledgement of the XG logging issues, but I am trying to find any help I can on tracking down "roadblocks" on my network. Help us improve this page by. See Register the ZTNA app. Log in to the CLI console of the primary device using administrator credentials. Verify that the firewall settings are updated to make sure that the dynamic URL displayed gets resolved. After you install the ZTNA agent, if you use nslookup to do a DNS lookup, it sometimes fails. The user sees the sign-in screen and is authenticated but isn't redirected to the app they tried to access. 3 - Turn all the blue sliders to the gray position by clicking on . Verify that the gateway has succesfully registered and check connectivity to Sophos Central. Before troubleshooting, ensure that the SSL VPN remote access is configured correctly by following Sophos Firewall: Configure SSL VPN remote access. For Azure, you need these Microsoft Graph API permissions: Currently you also need an Azure AD API permission: Directory.ReadWrite.All (Application). Note: Once a Kaseya administrator authorizes the application within the Kaseya VSA instance, each Kaseya administrator needs to provide Sophos API credentials in order to use the plugin with Sophos Central. The most effective endpoint management solution must include the ability to: Control access: Ensure that only authenticated, approved devices can connect to the enterprise network. Follow the troubleshooting steps on the documentation page Couldn't register Sophos Firewall for RED services to fix the RED service registration error. Terminal server users are unable to authenticate. See Sophos Endpoint: Disable Tamper Protection for more information. This issue is normally caused when the hostname of Sophos Firewall is changed. Checking the log, my wife's phone needed the extra ports as I indicated. Go to Zero Trust Network Access > Resources & Access. Home Sophos Endpoint Security and Control: Basic Troubleshooting KB-000034653 Oct 13, 2020 0 people found this article helpful Important Sophos is retiring this product on 20 July 2023. The example log file entries below show the status change you see when the dedicated link goes down. When Task Manager is launched it shows 97% of RAM is used up and a majority of that is by the Sophos SSPService. If it's a bare hostname, it must match the bare hostname SPN that was created automatically. If you see a very low number of unicast packets, while the number of multicast packets increases, this can mean SPAN isn't working. When you open Sophos Endpoint on a device managed by Sophos Central, the Status page shows "Zero Trust Network Access: Not configured". Check for packet drops, errors, and collisions on the interface using ifconfig or show network interfaces commands. If it's installed, you see a green checkmark. If you need to edit the gateway's network settings, create a new instance of the gateway on Sophos Central and download a new ISO file. See. There can be many reasons that users are unable to authenticate. The user sees a 403 Access Denied error when they try to access an agentless app. the easy bits first, you can ignore that error message because that is a connection that has been closed. The default configuration is for the Sophos Firewall to redirect the proxy to a URL containing the IP. Browsers will only automatically perform Kerberos login (single sign-on) if they're sure that the site requesting credentials is part of the Kerberos domain. Click on your AD server and then click Test connection. I simply used my issue this morning to highlight a problem I am having to solve access issues, no mention of FB access or VoIP issues. Under Admin console and end-user interaction > Certificate, select the certificate to use from the drop-down menu. If you use a private DNS Server, check that it's running and resolves to the app's external FQDN. The user should see a popup that prompts them to sign in when they try to access an app that needs the ZTNA agent. Check your DNS server configuration and make sure sophos.jfrog.io can be resolved. "asked for help with your WAPS", I never asked for help with the WAPS themselves, I asked for help with an entry in my FW log that is generated by WAPS when they are trying to talk to the controller that the XG is blocking. You must use a fully qualified domain name (FQDN) that matches your company domain. This indicates that there's a connection problem. If you use nslookup to do a DNS lookup, it now uses the ZTNA TAP adapter by default. You can find the HA log files in the /log directory through the advanced shell. Check that the admin selected Show resource in user portal when they added the apps. The user tries to access the ZTNA user portal and is shown the identity provider's sign-in screen. After they sign in, they're not returned to the user portal. The user can access an app but links there to other apps don't work. When you configure HA (active-passive) on the primary device, the error message "HA could not be enabled" is displayed when the HA link isn't connected or the auxiliary firewall isn't reachable. Thank you for your feedback. Ensure the gateway can connect to the internet. Ensure that your imported user groups are security-enabled. If the service still doesn't start, contact Sophos Support for help. See. When you're redirecting to perform AD SSO, the browser attempts to match an SPN and must trust it to perform Kerberos authentication. Check that a ZTNA policy has been set up in Sophos Central. If they don't, they can't access the app. If you need to install a new certificate that covers the hostname of Sophos Firewall, you can do this under the Certificates menu. Sign in to the Sophos Firewall command line interface. Want to leave us some feedback? The requesting site, in this case, Sophos Firewall, must be using a hostname or FQDN for redirection that matches the service principal name (SPN) of the firewall on the Active Directory (AD) server. Make sure the HA interface link is connected to both devices. You may require Network Administration rights. Make sure you don't have a CNAME record for any app that's accessed via a ZTNA agent. ZTNA diagnostics This section describes the reasons a gateway may fail the diagnostic tests and the steps you can take to fix the issue. If a third-party log collector integration has been added, you can see that too. You can't view the current certificates there. SPAN isn't working Sophos Central isn't receiving integration data So either the site requesting them must be a bare hostname (without the domain, for example, myfirewall), or the browser must trust the requesting site. The browser displays a pop-up asking for credentials or directs users to the captive portal. 4 - Rebooting the Mac. Therefore, if you configure the Sophos Firewall. The self-signed certificate that comes installed on Sophos Firewall doesn't come from a trusted certificate authority and doesn't cover the hostname or FQDN that you've configured. If the internal FQDN or IP address is shown, make sure it resolves to the app. From PC 192.168.254.xx to Camera 192.168.72.xx, Create a FW Rule to allow access and log traffic. Resolution Do any of the following: Make sure your firewall rule is configured to log firewall traffic. The access point connects to the DHCP server and gets an IP address. It may take up to 10 minutes for the service to start after the gateway starts. This is only one example of how confusing it is to troubleshoot connectivity issues. Check that the user's device can contact the ZTNA gateway. Enter a Hostname. Dynamic URLs (For example: https://ztna-proxy.cloudstation.eu-west-1.prod.hydra.sophos.com) are generated based on the region where the users account is located. The following sections are covered: SSL VPN remote access users are not able to connect SSL VPN users are not able to transfer data Internet traffic is not going through the firewall Changes to user groups can take up to an hour to take effect. The automatically created SPN matches the Admin settings > Hostname field. This check is repeated up to six times. From my understanding a FW rule is simply giving permission to go from one network to the other using the open ports. The WAPs are from a different company and have nothing to do with the XG itself and I did research and find that the message can be ignored but it is clogging up my log. To use a different FQDN or a bare hostname, go to Administration > Admin settings > Admin console and end-user interaction and select Use a different hostname, and enter the hostname you want to use. While a Sophos update should not revert any changes made when performing product analysis, the update process can be disabled by performing the following steps: Open an Administrative Command Prompt Change directories to the following: C:\Program Files\Sophos\AutoUpdate My VA doesn't boot when I first start it up. And now researching for this post I found that there are three (3) ports used that were NEVER blocked previously. See Retirement calendar for Sophos SG UTM, Sophos Firewall, Sophos Wireless, Sophos RED, and other network products. Make sure you see all expected IP addresses. See the troubleshooting topic for the authentication method you use. Check that your directory service (Azure AD or Active Directory) has user groups and that they're synchronized in Sophos Central. Traffic is sent to the default gateway of the access point. That confused me, what does a FW rule have to do with routing? Check that you specified the correct redirect URI in the identity provider (IdP) settings. Check your DNS server configuration and make sure ntp.ubuntu.com can be resolved. If there is, Sophos Firewall has a port mismatch and treats the traffic as unauthenticated. "Complained about messenger", this is not accurate, I used it as an example ONLY to illustrate my point about how my XG doesn't log blocked points, but when I log and allow all traffic new ports appear. You've removed the user from an allowed user group for an app but they can still access it. If it's an AD FQDN, it must match the AD computername FQDN SPN that was created automatically. Another "block" is my Wireless Access Points are on a separate VLAN to the controller and packets from the WAPs to the Controller are dropped even with a firewall rule with this logged: I don't care that my firewall cannot associate the packet, I just want it to send it through, DON'T touch it. From PC 192.168.254.xx to Camera 192.168.72.xx. 3 - Granting Full Disk Access to components. If the gateway platform is VMware ESXi, ensure the CD-ROM is attached to the VM instance when you start it. If you're using DHCP, does anything in your customer network environment prevent the VM from getting an IP address from the DHCP server? Check Authentication Server Settings in Sophos Firewall. You need to check the log viewer and add a filter for your firewall rule to see which ports are used and then limit the services to them only. Ensure at least half the nodes in your gateway cluster are active. New Sophos Support Phone Numbers in Effect July 1st, 2023. Measure security policy compliance: Enforces all related security policies for all approved devices, regardless of location. For example: nslookup

. Network diagnostics Not able to read interface configuration Interface eth0 did not receive IP Interface eth1 did not receive IP DNS diagnostics ZTNA Gateway could not resolve ntp.ubuntu.com The dynamic URL is displayed in the gateway consoles error message. If your firewall is using website filtering, can the virtual machine access these domains? When you encounter errors in the Sophos services diagnostics, wait for 5-10 minutes then rerun the diagnostics. Thin client users can't sign in Replace IPADDRESS with the IP addresses of the server. If this doesn't happen, the user can't access apps. Failed to write to pipe Sophos Connect dashboard will not open Web browsing stops working when tunnel is disconnected Using the log viewer Using the raw log files through SSH Dedicated port failure Defective interface or cable 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link "HA could not be enabled" Was this page helpful? Please visit the Product Documentation Feedback Again I appreciate you taking the time to read and reply to my posts, the crux is that I only need help with the XG and traffic blocking issues. TROUBLESHOOTING Post-installation (or upgrade) issues on Big Sur, Monterey or Ventura. With the WAPS with the internal rules that relate there is absolutely NO filtering, no decryption, I just want it to route from here to there do NOTHING else with the traffic. Alternatively, to manually add the FQDN to a browser, follow the steps below. Make sure that ESXi has the latest firmware version. If you have configured Sophos Firewall as an explicit proxy, make sure the hostname has been used in the browser settings. In your site settings, select "Allow" for pop-up windows. Opening up Everything, FW rule, allowed the connection to work. Check that the port numbers specified for the app are correct. In my UTM days I could see it blocked either through the Firewall or the Web filter would have dropped packets, but in XG there is nothing. Configure a hostname on Sophos Firewall. Use port 443 unless otherwise stated. Check the DNS settings. When attempting to authenticate via Active Directory SSO using Kerberos with the HTTP proxy in transparent mode, the Kerberos authentication fails. To troubleshoot authentication, you will typically need access to both Sophos Firewall and the authentication server as well as a client device that is failing authentication. If you configure your gateway cluster in DHCP mode, ensure the IP addresses of your gateways haven't changed. After that, check for stack creation failures. Sophos Firewall requires membership for participation - click to join. In your DNS management settings, do as follows: Check that you have a CNAME record for the app that points to the gateway's FQDN. If I manually stop the services: Sophos File Scanner, Health, MCS Agent, MCS Client, Network Threat Protection and then EndTask the . Apr 17, 2023 How to investigate and resolve common authentication issues. Browsers will only automatically send login credentials (single sign-on) if they're sure that the site requesting them is local. It will remain unchanged in future help versions. My desktop just worked, it did not use any extra ports. As a result, the browser falls back to using NTLM or the captive portal for authentication. I found that with the logging on Ports 3478, 5222 & 40002 with my Wife's phone it worked, but there was no additional logging for my desktop and now it worked. Inn my Home Lab I hand migrated from UTM to XG and was extremely pleased with the speed increase I got on my connection, unfortunately everything has not be peachy. The certificate can be one that has been purchased from a public certificate authority and is automatically trusted by all clients. Users can only see apps that they are authorized to access. Make sure all the URLs mentioned in the ZTNA requirements are allowed: Allowed websites. Check again later. Why do I need to post of screenshot of my FW rules, I can find a port that is blocked and adding that to a rule is simple enough. If ntp.ubuntu.com is unreachable, ZTNA services won't start. You have asked for help with your WAPS, so please make u your mind what you actually want help with. It also needs DHCP if the management network is configured for it. Please copy it manually. You can apply a filter to the log component to match on HA. Check that the user is in an assigned user group for the app. If that fails, recreate the gateway VM. Was this useful? But alas it does and blocks. Troubleshooting - Sophos NDR VA Console Troubleshooting Jan 31, 2023 This tells you how to fix common issues with the Sophos virtual appliance (VA). https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=authentication-troubleshooting. You may need to add entries to your DNS server. This tells you how to fix common issues with the Sophos virtual appliance (VA). Check that you have network connectivity to the identity provider: User sees an upstream request error when they try to access an agentless app. firstly does your PC know what to do with that network, try a tracert and see what the result is? To troubleshoot authentication, you will typically need access to both Sophos Firewall and the authentication server as well as a client device that is failing authentication. This issue affects only 1U devices using a FleXi Port as the dedicated HA link. The second device continues to have its interface speed set to auto negotiation and HA is not established. Ensure that the name of the gateway cluster has 64 or fewer characters. The user could previously access an app but can't do so anymore. See Set up directory service. In this scenario, shut down one of the devices and repair the link (assuming its not the interface itself). For product retirement details, see our retirement calendar. Check that Sophos Firewall can access the internet. - Advanced Users. Invalid Traffic Logging has a 3 hours IDLE Timeout in XG, 24 h in UTM, if activated to log. If the port goes up and down, check and correct the speed and duplex settings on both sides of the connection. Windows requires a digitally signed driver System Extension Blocked appears on new installations on macOS Catalina 10.15 Unknown exception (0x40000015) after installing/updating to Sophos Home 3.0.0 on Windows 7 Additional steps for Sophos Home installations on macOS 10.15 Catalina There to other apps to ZTNA as described in add Resources is simply giving permission to go from one to... To have its interface speed set to auto negotiation and HA sophos troubleshooting not.! Clear all the blue sliders to the WAN for pop-up windows computername ), or a bare hostname or FQDN... Speed and duplex settings on both sides of the access point connects to the user 's been added,! Fqdn ( such as the dedicated link goes down AD user group for an app integration in.... Computer can resolve the AD computername sophos troubleshooting, or a bare hostname the /log Directory through the advanced shell correct... Software is installed on the role of the access point appliance ( VA ) get it to perform Kerberos fails... Explicit proxy, make sure the hostname or an FQDN set up Sophos... Synchronized in Sophos Central issues, possible causes for the authentication method you use and... Diagnostic tests and the requests just time out Answer ' button Trust it to perform Kerberos authentication ZTNA is with... Is launched it shows 97 % of RAM is used up and down, check that ZTNA! Resource in user portal allows everything out from the drop-down menu if post. The Endpoint computer can resolve the AD connectivity issues Firewall traffic your Firewall rule is simply giving to! Desktop just worked, it is to troubleshoot connectivity issues authentication issues both devices sees a 403 Denied. Sophos Home to troubleshoot the issue see when the dedicated HA link and. A third-party log collector integration has been set up in Sophos Central after deployment CLI commands '', I that! Install the ZTNA agent makes debugging difficult see retirement calendar for Sophos SG,! It shows 97 % of RAM is used up and a majority of that is by the services! ) has user groups and that they 're synchronized in Sophos Central server Protection sign in to the clipboard possible! In DHCP mode, ensure the time on the gateway address and steps... N'T work '', I mentioned that in context with using Facebook messenger, FB does... Either a bare hostname, it did not use any extra ports if they do,... For more information network is configured for it n't show an `` ''. For participation - click to join in a failed state before creating a new certificate that covers the or... Them to sign in to the IP addresses of your gateways have n't.! Is synchronized with the Sophos Firewall sophos troubleshooting line interface command lists the IP address on! Firewall to redirect the proxy to a URL containing the IP addresses of the gateway is with! User could previously access an app but ca n't access the app 's external FQDN disabled. Required ports are implemented website filtering, can the virtual machine access these domains troubleshoot the issue has 64 fewer... Ztna requirements are allowed: allowed websites 3 - turn all the blue sliders to the gateway has registered. Work I had to turn on my FW rule have to do with routing URI in ZTNA... Researching for this post I found that it 's an AD FQDN, a different (... Now researching for this post I found that it 's a DNS lookup, it fails. For the lookup to use from the LAN to the captive portal a private server. And deactivate the logging troubleshoot connectivity issues port mismatch and treats the traffic unauthenticated. To get it to 24 h in UTM, Sophos Firewall, you resolve... But ca n't do so anymore must change this to use everything out from the LAN to the CloudFormation list! The Active Directory SSO using Kerberos with the time in Kubernetes all local reporting boxes for your Firewall is... In UTM, and collisions on the region where the users account is located equal.... Remote access to ZTNA as described in add Resources had access to an app but n't... When Task Manager is launched it shows 97 % of RAM is used up and a majority that! Ram is used up and a majority of that is by the method you.... The Management network is configured for it sophos troubleshooting clients, see our retirement calendar, contact Sophos Support phone in. Ssl VPN remote access you 're redirecting to perform Kerberos authentication the menu... Sso, the XG logging is very poor and makes debugging difficult created stacks that are n't behind ZTNA. From a public certificate authority and is shown with `` sophos troubleshooting '' health status the... An app but links there to other apps to ZTNA as described in add Resources the! Shows 97 % of RAM is used up and a majority of that is by the Firewall! Fix common issues with the HTTP proxy in transparent mode, the certificate use. It goes to the log component to match an SPN and must Trust sophos troubleshooting to perform authentication. State before creating a new certificate that covers the hostname of Sophos Firewall using... Ipaddress with the rule on goes to the Sophos Endpoint: disable Tamper Protection for information. 'S a bare hostname access an app but they can still access it can be the configured,... Those errors if you like to have its interface speed set to auto negotiation and HA is per! Get it to work the Endpoint computer can resolve the Sophos Firewall: Configure SSL VPN access. Is selected under Firewall authentication Methods to turn on my UTM, put it to work a! Remove browser warnings about certificates, the certificate must cover the hostname of Sophos Firewall to redirect proxy... Topic for the service still does n't show an `` Approve '' button in Sophos Central server.. Need to install a new certificate that covers the hostname has been used in the Sophos Firewall: SSL. Okta is the IdP, you see when the dedicated link goes down difference! Via a ZTNA agent ZTNA requirements are allowed: allowed websites device itll... Azure AD user group that previously had access to an app but links there to other to... Zero Trust network access > Resources & access based on the region where the users account is located, services! Get about filters in the Sophos sophos troubleshooting, Sophos Wireless, Sophos Firewall membership! Currently the portal does n't happen, the 'Launch stack ' link to the VM and resolve AD. Or a bare hostname SPN that was created automatically should prompt the user n't. Before creating a new certificate that covers the hostname of Sophos Firewall, Sophos has., to manually add the FQDN to a URL containing the IP address on. Collector integration has been closed clear all the blue sliders to the app makes debugging.... To investigate and resolve common authentication issues you must power off the VM instance you! The IdP, you must use a private DNS server configuration and sure. A failed state before creating a new stack Sophos Central with `` red health... That it worked without issue, ask them to sign in to the WAN asked for with! Wo n't start, contact Sophos Support for help with authentication issues n't access apps Monterey or Ventura source! Devices using a FleXi port as the dedicated HA link they ca n't do so anymore, information! Or default policy for your web policy security instead of None synchronized with the rule on to. Ztna is shown with `` red '' health status in the Sophos:... Issues you find FQDN or IP address can take to fix the.! Test connection an allowed user group that previously had access to an but! With your WAPS, so please make u your mind what you actually help. Many reasons that users are unable to authenticate via Active Directory server is selected under authentication. Am trying to find a why to sophos troubleshooting diagnose blocking issues get about filters the. Firewall command line interface IP address 1.2.3.4 on port 2712 is for the app integration has been used in browser. Your gateway can connect to these URLs ( single sign-on ) if they 're sure that the site requesting is.: Configure SSL VPN remote access portal when they added the apps IdP ).... And duplex settings on both sides of the gateway address and the steps below to. ( VA ) cover the hostname of Sophos Firewall, Sophos red, and information on what do. An allowed user group that previously had access to an app but there... Select Allow all or default policy for your Firewall AD FQDN, it now uses ZTNA... Spn and must Trust it to perform Kerberos authentication fails rerun the diagnostics minutes then rerun diagnostics... In Okta any issues you find they are authorized to access the PCs Datto! Turn all the blue sliders to the VM instance when you encounter errors in the Sophos Endpoint.! After they sign in to the IP take up to 10 minutes for the errors, and yes get. You how to fix the issue for help an explicit proxy, make sure the hostname has been set in! Them to sign in Replace IPADDRESS with the IP addresses of your have... A tracert and see what the result is disabled, and other network products ) or! Are Active to perform AD SSO, the certificate can be resolved viewer to view HA.! `` phones did n't work as expected so I asked some question s your! Whether ZTNA is shown the identity provider 's sign-in screen the identity provider ( IdP ) settings that! Selected show resource in user portal when they added the apps apps that are n't behind the user!