Sophos Central Wireless user guide

Post on 25-May-2020

Page 1: Sophos Central Wireless · Missing Security Heartbeat™ Device is connected but the endpoint is not sending heartbeat. No Security Heartbeat™ Sophos Endpoint or Sophos Mobile Control

Sophos Central Wireless

user guide


Contents

Setting up Sophos Central Wireless
    About Sophos Central Wireless
    Purchase a Wireless license
    Install an access point
    Register an access point
Dashboard
    Features
    Wireless Dashboard
    Firmware Settings
SSIDs
    About SSIDs
    Security and quality-of-service settings
    Create an SSID with basic settings
Guest networks
    About guest networks
    Creating a guest network
Hotspots
    About captive portals and hotspots
    Creating hotspots with backend authentication
    Creating hotspots with password schedule
    Creating hotspots with vouchers
Sites
    About sites
    Create sites
    Create a floor plan
Mesh networks
    About mesh networks
    Create a mesh network
    Mesh network not visible
    Mesh network not usable
    Mesh access points missing from network
Alerts and diagnostics
    Alerts
    Diagnostic and analysis settings
    Grant remote access
Contact Sophos Support
Legal notices

(2020/03/27)


1 Setting up Sophos Central Wireless

To manage your Sophos access points via Sophos Central, you need a Sophos Central account with a Wireless license. You then need to install, register and configure your access points.

1.1 About Sophos Central Wireless

To be able to manage your Sophos access points via Sophos Central, you need to have a Sophos Central account with a Wireless license.

If you already have a Sophos Central Admin account, you can start a Wireless trial directly from your Sophos Central Admin account. After that you can decide if you want to purchase a license.

Network requirements

To use any access point with Sophos Wireless, the access point must be able to communicate with Sophos Central. Therefore, the following requirements must be met:

• DHCP and DNS servers are configured to provide an IP address to the access point and to answer its DNS requests (IPv4 only).

• The access point can reach Sophos Central without requiring any VLAN to be configured on the AP for this connection.

• Communication on ports 443, 123 and 80 to any Internet server is possible.

• No HTTPS proxy on the communication path.

1.2 Purchase a Wireless license

If you have a Sophos Central Admin account with a 30-day trial activated, Wireless is included.

You can purchase a license together with other Sophos Central products or as a single product.

1. Sign in to your Sophos Central Admin account.

2. Go to Explore Products.

3. Click Contact Partner to Buy and follow the steps provided.

1.3 Install an access point

There are different kinds of Sophos access points.

Check the installation advice in the Operating Instructions.

Related information: Operating Instructions

Copyright © Sophos Limited 1


1.4 Register an access point

Register an access point using the onboarding wizard.

Before registering an access point in Sophos Central, you have to meet the following requirements.

• You have a valid Wireless license in your Sophos Central account.

• Your Sophos access points are connected to a power supply.

• You have the serial number (S/N) ready. Find the S/N on the back of the AP or on the package of the access point.

To register an access point:

1. Log in to your Sophos Central account.

2. Click Wireless in the left menu and select Wireless from the popup screen which appears. The onboarding wizard opens.

3. Follow the instructions of the wizard.

4. To register an access point, click Register.

• To register a single access point, enter its serial number and then click Register. Access points are then validated and listed. Click Next.

• To register multiple access points, click Bulk Provisioning and upload a CSV file containing the serial numbers in the first column, one unique serial number per row. Access points are then validated and listed. Click Next.

The Access Points page of the wizard is displayed.

5. Enter the hostname for the access point and click Save & Continue.

6. Once the access point shows as registered and saved, click Next.

The SSIDs page of the wizard is displayed.

7. Fill in the required information and click Save & continue.

You can now add one or more sites.

8. Activate the Sites toggle if you want to add a site.

9. Enter the required information and click Save & Continue.

The summary page displays the settings you've made.


10. Verify the information and click Complete.
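Before uploading a bulk-provisioning CSV (step 4 above), it is worth checking the file offline for the two things the wizard requires: serial numbers in the first column and no duplicates. The following is an added example and not code from Sophos or from this guide. The guide does not define the serial-number format, so the length and character rules it applies are assumptions (the constants at the top) that you should adjust to the format printed on your own access points; the sample file is constructed.

```python
"""Validate a bulk-provisioning CSV of access point serial numbers before
uploading it to the Sophos Central onboarding wizard.

Added example, not Sophos code. The guide only states that the serial number
must be in the first column and that every row must carry a unique serial
number; the length and character checks below are assumptions.
"""
import csv
import io

# Assumed plausibility rules; the guide does not define the S/N format.
SERIAL_MIN_LEN = 6
SERIAL_MAX_LEN = 32
SERIAL_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def validate_bulk_csv(text):
    """Return (serials, errors).

    serials: normalized (stripped, upper-cased) serial numbers in row order,
             only for rows that passed every check.
    errors:  human-readable problems; an empty list means the file is safe
             to upload. Blank lines are ignored, extra columns are allowed
             (the wizard only reads the first column).
    """
    serials, errors, seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=1):
        if not row or all(cell.strip() == "" for cell in row):
            continue  # blank line
        serial = row[0].strip().upper()
        if serial == "":
            errors.append(f"row {row_no}: first column is empty")
            continue
        if not SERIAL_MIN_LEN <= len(serial) <= SERIAL_MAX_LEN:
            errors.append(f"row {row_no}: {serial!r} has an implausible length")
            continue
        bad = sorted(set(serial) - SERIAL_ALLOWED)
        if bad:
            errors.append(f"row {row_no}: {serial!r} contains unexpected characters {bad}")
            continue
        if serial in seen:
            errors.append(f"row {row_no}: duplicate of row {seen[serial]} ({serial})")
            continue
        seen[serial] = row_no
        serials.append(serial)
    return serials, errors


# Constructed sample: a leading space, a lower-case repeat of row 1, a stray
# character, a blank line and a second column the wizard will ignore.
SAMPLE_CSV = """A1B2C3D4E5F6,Lobby AP
 G7H8I9J0K1L2,Meeting room
a1b2c3d4e5f6,Lobby AP (again)
M3N4O5P6Q7R8!,Warehouse

S9T0U1V2W3X4
"""

if __name__ == "__main__":
    ok, problems = validate_bulk_csv(SAMPLE_CSV)
    print("serials to upload:", ok)
    for problem in problems:
        print("error:", problem)
```

Run it against the real export before uploading; fix the reported rows rather than letting the wizard reject the whole file.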


2 Dashboard

You manage and protect your access points using the Sophos Central Wireless Dashboard.

2.1 Features

Sophos Central Wireless provides features to manage and protect Sophos access points.

This guide provides information about the general Wireless settings you can make.

2.2 Wireless Dashboard

See the most important information about your wireless environment at a glance.

Network Security

Click on the circles in the legend to include or exclude information from a graph.

You can see information on your access points:

Good: Access point is up and working.
Issues: Access point is up but has some problems.
Critical: Access point is up but is in a critical state.
Offline: Access point is offline.
Unconfigured: Access point is up but isn't configured.

You can review threats:

Trusted: Network that belongs to your account.
Untrusted: Network that doesn't belong to your account.
Rogue: Untrusted network that is connected to your secured wired access point network.
SSID Impersonate: Network that spoofs the network name of your access point.
BSSID Impersonate: Network that spoofs the hardware address of your access point.
Evil Twin: Network that spoofs the network name and the hardware address of your access point.
Advanced Impersonate: Network that spoofs the network name and unique protection code of your access point.
Adhoc: A peer-to-peer network.

You can see the security status of your devices using Security Heartbeat:

Client at risk: Active malware detected.
Client might be at risk: Potentially unwanted application (PUA) or inactive malware detected.
Client is protected: No malware detected.
Missing Security Heartbeat™: Device is connected but the endpoint is not sending heartbeat.
No Security Heartbeat™: Sophos Endpoint or Sophos Mobile Control is not installed.

Device Profiles

You can view all, managed or unmanaged devices.

Tip: Device type filtering is currently a beta feature. You must turn it on by clicking Device Classification and Visibility in Settings. You can then see the device profiles on this page.

Most Recent Alerts

• All: Shows all alerts.

• Warnings: Shows access points that are offline or not broadcasting.

• Info: Shows updates or information.

Click Details for more information.

Devices

Number of devices connected.

Click Details for more information.

Usage Insight

Traffic generated by the wireless devices connected to access points.

Click Details for more information.


2.3 Firmware Settings

On Wireless > Settings you can look up your current firmware version.

Additionally, you can schedule when the system checks for new updates and installs them. We recommend setting a time when no-one is using the network, as a firmware update causes a network outage of approximately five minutes.


3 SSIDs

You manage SSIDs through Sophos Central.

3.1 About SSIDs

A Service Set Identifier (SSID) is a unique identifier which is attached to the header of packets that are sent over a Wireless LAN.

It differentiates one WLAN from another. Multiple access points within a network can use the same SSID to broadcast the same network. You can also have multiple SSIDs on an access point. This allows you to have SSIDs with different bands or other configurations like separate guest networks or a mesh network.

SOS SSID

When an access point is disconnected or not able to reach Sophos Central, the access point uses its wireless capability to create an SOS SSID. When you connect to the SOS SSID with any mobile device you receive information about the current state of the access point, which can help you debug the connection issues to Sophos Central.

The SOS SSID is an open wireless network named "sos" followed by the access point's MAC address. After you have connected to the SOS SSID, open your web browser and go to http://debug.sophos. The SOS SSID debug page provides the technical details needed to fix the connection issue, for example:

• Serial number and MAC address of the access point's Ethernet interface

• Link status

• IP address of the access point's Ethernet interface

• Gateway, DNS server, and their reachability

• Reachability of Sophos Central URLs

Note: The SOS SSID is available for a limited time frame of four minutes. After that, the access point reboots and the SOS SSID is available again after one or two minutes. When you are connected to an SOS SSID, you have no access to the internet. Because the SOS SSID is an open network, anyone within radio range can read the debug page while it is up, so treat the serial number and addressing details it shows as information you would not otherwise hand out.

Related: Create an SSID with basic settings; Security and quality-of-service settings; Creating and securing SSIDs


3.2 Security and quality-of-service settings

SSIDs can be secured and improved in terms of quality with some options in Sophos Central.

Security features

Hidden SSID: When hidden, the SSID is still available but users need to know the name to connect directly. Even if an SSID is hidden, you can assign the SSID to an access point.

Note: This is not a security feature. The name is still sent in the clear whenever a client connects, so you still need to protect hidden SSIDs with a passphrase or enterprise authentication.

Client isolation: Clients within the same radio are not allowed to communicate with one another. This could be useful, for example, in a guest or hotspot network.

MAC Filtering: Provides only minimal security by restricting which MAC addresses may connect, because a client's MAC address is transmitted in the clear and can be changed by the client.

• Blocked List: All MAC addresses are allowed except the ones you enter in the MAC addresses field.

• Allowed List: All MAC addresses are prohibited except the ones you enter in the MAC addresses field.

Quality-of-service features

Multicast to unicast conversion: The access point converts multicast packets to unicast packets individually for each client, based on the IGMP protocol. This approach is more effective when few clients are connected to one access point.

Unicast is preferred to multicast in most scenarios where media is streamed, as it can operate at higher rates.

Proxy ARP: If activated, the AP answers ARP queries for network addresses on behalf of its clients, so the queries do not have to be forwarded to the other clients.

Fast roaming: SSIDs with WPA2 encryption use the IEEE 802.11r standard to reduce roaming times (with enterprise authentication). It applies when the same SSID is assigned to different access points. Clients also need to support the IEEE 802.11r standard.

Keep broadcasting: Ensures that the access point keeps broadcasting when it is not able to reconnect to Sophos Central after a reboot. With this function, clients will still be able to connect to the access point and/or the internet. If the keep broadcasting function is on, the access point proceeds working with its old configuration.

Note: The SSID will be broadcast in all cases of connection loss to Sophos Central, regardless of whether this function is activated or not.

Band Steering: Band steering distributes clients between the 2.4 GHz and 5 GHz bands based on the load of the two bands and the clients' capability. Dual-band capable wireless clients will be routed to 5 GHz if possible to improve the client experience.


This is done by rejecting the initial association request sent by the client in the 2.4 GHz band. This will cause dual-band devices to then attempt to negotiate at 5 GHz. If a client does not associate in the 5 GHz band, it will be marked as "steering unfriendly" and will not be steered again. If a client is too far away from the AP, steering will not be attempted. This prevents steering clients to 5 GHz when the range is usually less than in the 2.4 GHz band. Band Steering is done on a per-AP level and affects all SSIDs on that AP.

Related: About SSIDs; Create an SSID with basic settings; Secure an SSID; Creating and securing SSIDs
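The band steering behaviour described above, turned into a small simulation so the sequence of decisions can be followed for a few clients. This is an added example and not Sophos code; it implements only what the guide states (reject a dual-band client's first 2.4 GHz association so it retries on 5 GHz, mark a client "steering unfriendly" and stop steering it if it does not associate on 5 GHz, never steer clients that are too far away). The signal threshold used for "too far away", the way a failed 5 GHz attempt is detected (the client comes back on 2.4 GHz), and the client events are assumptions for the simulation.

```python
"""Simulation of the band steering decisions described in the guide.

Added example, not Sophos code. The RSSI threshold, the detection of a failed
5 GHz attempt and the client events are assumptions.
"""

# Assumed threshold: clients heard weaker than this (dBm) are treated as too
# far away to be steered to 5 GHz. The guide gives no number.
FAR_AWAY_RSSI_DBM = -75


class BandSteeringAP:
    """One access point; steering state is per AP and affects all its SSIDs."""

    def __init__(self, far_rssi_dbm=FAR_AWAY_RSSI_DBM):
        self.far_rssi_dbm = far_rssi_dbm
        self.unfriendly = set()   # clients that failed on 5 GHz; never steer again
        self.pending = set()      # clients whose first 2.4 GHz request was rejected
        self.associated = {}      # client MAC -> band it is associated on

    def association_request(self, mac, band, dual_band, rssi_dbm):
        """Handle one association request and return 'accept' or 'reject'."""
        if band == "5GHz":
            # The steered client followed up on 5 GHz: steering worked.
            self.pending.discard(mac)
            self.associated[mac] = "5GHz"
            return "accept"

        # 2.4 GHz request from here on.
        if mac in self.pending:
            # Rejected once already and it came back on 2.4 GHz instead of
            # 5 GHz: mark it steering unfriendly and let it in.
            self.pending.discard(mac)
            self.unfriendly.add(mac)
            self.associated[mac] = "2.4GHz"
            return "accept"

        steer = (
            dual_band                          # single-band clients cannot move
            and mac not in self.unfriendly     # gave up on this client earlier
            and rssi_dbm > self.far_rssi_dbm   # too far away for 5 GHz range
        )
        if steer:
            self.pending.add(mac)
            return "reject"

        self.associated[mac] = "2.4GHz"
        return "accept"


def run_scenario(events, ap=None):
    """events: list of (mac, band, dual_band, rssi_dbm).
    Returns the AP and the list of decisions in event order."""
    if ap is None:
        ap = BandSteeringAP()
    return ap, [ap.association_request(*event) for event in events]


# Constructed client events (locally administered MACs, not real devices).
SCENARIO = [
    ("02:00:00:00:00:01", "2.4GHz", True, -50),   # dual-band, good signal: steered
    ("02:00:00:00:00:01", "5GHz",   True, -55),   # follows up on 5 GHz: accepted
    ("02:00:00:00:00:02", "2.4GHz", True, -50),   # dual-band, good signal: steered
    ("02:00:00:00:00:02", "2.4GHz", True, -50),   # retries on 2.4 GHz: unfriendly
    ("02:00:00:00:00:02", "2.4GHz", True, -50),   # later reconnect: not steered
    ("02:00:00:00:00:03", "2.4GHz", False, -40),  # 2.4 GHz-only client
    ("02:00:00:00:00:04", "2.4GHz", True, -80),   # dual-band but too far away
]

if __name__ == "__main__":
    ap, decisions = run_scenario(SCENARIO)
    for (mac, band, _, rssi), decision in zip(SCENARIO, decisions):
        print(f"{mac} {band:>6} {rssi:4d} dBm -> {decision}")
    print("steering unfriendly:", sorted(ap.unfriendly))
```

The point to take from the simulation is the cost side of the feature: every steered client pays one rejected association, and a client that cannot make 5 GHz work pays two before it is left alone, so band steering is worth enabling only where the 5 GHz coverage is actually good.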

3.3 Create an SSID with basic settings

1. Go to Wireless > SSIDs and click Create.

2. Enter the name for the SSID.

3. Enter a secure passphrase.

4. Click Next.

5. Assign at least one access point to the network.

6. Save your settings.

The SSID is activated.

You can now turn the SSID into a hotspot.

Related: About SSIDs; Security and quality-of-service settings; Creating and securing SSIDs


4 Guest networks

You can configure networks to allow access only to the Internet.

4.1 About guest networks

Guest networks are networks which use the same access points as other networks but are configured to allow access only to the Internet.

4.2 Creating a guest network

You can either use an existing SSID or create a new SSID to enable a guest network.

This guide describes how to set up a guest network with an existing SSID.

1. Go to SSIDs and click the SSID for which you want to enable a guest network.

2. Go to Advanced Settings > Client Connection.

3. Choose the required connection type.

LAN: Bridges the client traffic into the same network the access point is connected to.

VLAN: Bridges the client traffic into a particular VLAN.

4. Click Enable Guest Network.

5. Choose the client addressing.

Bridge Mode: Filters all client traffic and allows communication only to the gateway, the DNS server and the external network. This lets you add a guest network to an environment without VLANs and still have isolation. Roaming between APs works without interruption.

NAT Mode: Isolates every guest network on each access point.

6. Save your settings.

7. Give the passphrase to guest network clients.


5 Hotspots

You can turn access points into hotspots.

5.1 About captive portals and hotspots

The hotspot function turns the AP behind the SSID into a hotspot. This allows businesses (for example, cafes and hotels) to provide time- and traffic-restricted Internet access to guests.

Guests have to authenticate themselves in a captive portal after connecting to the hotspot. A captive portal forwards network clients to a special website for authentication purposes or to accept terms of use. After authentication, users are able to use the Internet.

Technically, the hotspot feature only restricts traffic which the firewall already allows. Therefore you have to ensure that a firewall rule exists which allows the traffic to be managed by the hotspot. We recommend that you test the traffic with the hotspot feature disabled and enable the hotspot only if the test is successful.

CAUTION: In many countries, operating a public hotspot is subject to specific national laws, restricting access to websites of legally questionable content (for example, file sharing sites, extremist websites). Legal regulations may require you to register your hotspot with the national regulatory body.

Deployment possibilities

Hotspots can be used to provide Internet access for several scenarios:

• Providing access to users via a RADIUS server with Password Authentication Protocol (PAP). With PAP the user's password travels in the RADIUS Access-Request protected only by the RADIUS shared secret, so the path between the access points and the RADIUS server must be trusted and the secret must be strong.

• Providing access to users by creating passwords on a fixed schedule and sending them automatically to individual email addresses.

• Providing access via (time- or data-limited) vouchers.

Good to know

There are some things you should know about hotspots:

• Users who connect to a hotspot have to authenticate themselves on the Captive Portal page which opens automatically when opening the browser.

• After authentication, users will be redirected either to the original URL they entered or to a URL you defined in the settings.

• You can schedule the availability of the hotspot.


5.2 Creating hotspots with backend authentication

Objectives

When you complete this lesson, you’ll know how to do the following:

• Create an SSID with basic settings

• Turn an SSID into a hotspot with backend authentication

Create an SSID with basic settings

Create the SSID as described in section 3.3, Create an SSID with basic settings. Once the SSID is activated, you can turn it into a hotspot.

Create a hotspot with backend authentication

1. Click on the newly created SSID (Wireless > SSID).

2. Go to Advanced Settings > Captive Portal and click Enable hotspot.

3. Enter the information you want to provide on the landing page.

4. Select the backend authentication.


5. Type the address of the RADIUS server.

6. If required, change the default RADIUS port.

7. Type the passphrase (the RADIUS shared secret configured on the RADIUS server for these access points).

8. Save your settings. The hotspot is available after a few seconds.
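What the access point actually sends to the RADIUS server once this hotspot is in use, and why the passphrase from step 7 matters, as an added example that is not Sophos code. It builds a minimal RADIUS Access-Request and applies the User-Password hiding from RFC 2865, section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator. Whoever holds (or recovers) the secret gets the password back, which is the reason the PAP backend needs a strong secret and a trusted path. The user name, password, secret and authenticator below are constructed.

```python
"""RADIUS PAP as used by a hotspot with RADIUS backend authentication
(RFC 2865). Added example, not Sophos code; all values are constructed.
"""
import hashlib
import os

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 User-Password hiding. Returns the attribute value (multiple of 16 bytes)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    # Pad with NULs to a multiple of 16 octets; an empty password still yields one block.
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_(i-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                                       # next block chains on the ciphertext
    return bytes(hidden)


def reveal_user_password(hidden, secret, request_authenticator):
    """Inverse of hide_user_password, as the RADIUS server (or anyone with the secret) does it."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """Minimal Access-Request: 20-byte header plus User-Name and User-Password attributes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # must be unpredictable per request
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    hidden = hide_user_password(password, secret, request_authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    length = 20 + len(attrs)
    return (bytes([RADIUS_ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big")
            + request_authenticator + attrs)


def parse_access_request(packet):
    """Return (identifier, authenticator, {attr_type: value}) for a captured request."""
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if code != RADIUS_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return identifier, authenticator, attrs


# Constructed values; a real shared secret should be long and random.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))

if __name__ == "__main__":
    pkt = build_access_request(7, b"guest42", b"cafe-2020!", SECRET, AUTHENTICATOR)
    ident, auth, attrs = parse_access_request(pkt)
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_user_password(attrs[ATTR_USER_PASSWORD], SECRET, auth))
```

Note that nothing in this exchange authenticates the server to the access point or hides the user name, and the MD5-based hiding is the only protection the password gets; if the RADIUS server is reached across an untrusted network, tunnel the traffic (for example over IPsec) rather than relying on the shared secret alone.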

5.3 Creating hotspots with password schedule

Objectives

When you complete this lesson, you’ll know how to do the following:

• Create an SSID with basic settings

• Turn an SSID into a hotspot with authentication via scheduled passwords.

Create an SSID with basic settings

Create the SSID as described in section 3.3, Create an SSID with basic settings. Once the SSID is activated, you can turn it into a hotspot.

Create a hotspot with scheduled passwords

1. Click on the newly created SSID (Wireless > SSID).

2. Go to Advanced Settings > Captive Portal and click Enable hotspot.

3. Enter the information you want to provide on the landing page.

4. Select Password schedule.


5. Set the cycle for creating new passwords.

6. If all administrators should be notified about new passwords, activate the checkbox.

7. Type the e-mail addresses of all users who should receive the passwords.

8. Save your settings. The hotspot is available after a few seconds. The passwords will be created and sent out at the scheduled times.

5.4 Creating hotspots with vouchers

Objectives

When you complete this lesson, you’ll know how to do the following:

• Create an SSID with basic settings

• Turn an SSID into a hotspot with authentication via vouchers

• Create vouchers

Create an SSID with basic settings

Create the SSID as described in section 3.3, Create an SSID with basic settings. Once the SSID is activated, you can turn it into a hotspot.

Create a hotspot with voucher authentication

1. Click on the newly created SSID (Wireless > SSID).

2. Go to Advanced Settings > Captive Portal and click Enable hotspot.

3. Enter the information you want to provide on the landing page.

4. Select Voucher as authentication type.

5. Save your settings. The hotspot is available after a few seconds.

Create a voucher

Create a voucher for the hotspot:

1. Click on the newly created hotspot (Wireless > SSID).

2. Go to Advanced Settings > Captive Portal and click Create Voucher. The voucher creation dialog opens.

3. Define the following:


Device Name: Enter a name.

Access time: Use the start and end date to set a time period for access. You can also make it always accessible.

Timezone: Set the timezone.

Amount of vouchers: Set the number of vouchers.

Valid for: Set the period the voucher is valid for.

4. Save your settings. The voucher appears in the list.

5. Click Show PDF and save the file or print it directly.

Hand the voucher out to users.
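To make the voucher options above concrete, here is an added example (not Sophos code; Sophos Central generates its own codes and the PDF for you) that creates a batch of vouchers with an access window, a time zone, an amount and a "valid for" period, and checks a presented code against them. The code format (three groups of four characters from an alphabet without look-alike letters, drawn with the secrets module so codes cannot be guessed), the case- and dash-insensitive lookup, and the semantics of "valid for" (counted from first use, and only inside the access window) are assumptions.

```python
"""Hotspot vouchers with an access window, time zone, amount and "valid for"
period. Added example, not Sophos code; format and semantics are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# No 0/O or 1/I, so a printed code is read back correctly. 32 symbols = 5 bits each.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_code(groups=3, group_len=4):
    """A random voucher code such as 'K7PD-3QXM-H2VR' (12 symbols, 60 bits of entropy)."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups)
    )


@dataclass
class Voucher:
    code: str
    valid_for: timedelta                      # usage time granted after first login
    access_start: Optional[datetime] = None   # None = always accessible
    access_end: Optional[datetime] = None
    first_used: Optional[datetime] = None

    def in_access_window(self, now):
        if self.access_start is not None and now < self.access_start:
            return False
        if self.access_end is not None and now > self.access_end:
            return False
        return True

    def redeem(self, now):
        """First use starts the 'valid for' clock. Returns True if access is granted now."""
        if not self.in_access_window(now):
            return False
        if self.first_used is None:
            self.first_used = now
        return now < self.first_used + self.valid_for


def create_vouchers(amount, valid_for, access_start=None, access_end=None, tz=timezone.utc):
    """Create `amount` vouchers; naive start/end datetimes are interpreted in `tz`."""
    def localize(dt):
        return None if dt is None else (dt if dt.tzinfo else dt.replace(tzinfo=tz))

    vouchers, codes = [], set()
    while len(vouchers) < amount:
        code = new_code()
        if code in codes:          # astronomically unlikely, but keep codes unique
            continue
        codes.add(code)
        vouchers.append(Voucher(code, valid_for, localize(access_start), localize(access_end)))
    return vouchers


def lookup(vouchers, entered_code):
    """Case-insensitive lookup that tolerates the user omitting the dashes."""
    wanted = entered_code.strip().upper().replace("-", "")
    for voucher in vouchers:
        if voucher.code.replace("-", "") == wanted:
            return voucher
    return None


if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))
    batch = create_vouchers(5, timedelta(hours=2),
                            access_start=datetime(2020, 6, 1, 8, 0),
                            access_end=datetime(2020, 6, 1, 18, 0), tz=cet)
    for voucher in batch:
        print(voucher.code)
```

Whatever generates the codes, the two properties worth checking on a voucher system are that codes are drawn from a cryptographic random source (a guessable sequence turns the hotspot into an open one) and that the "valid for" clock is anchored to first use rather than to printing, otherwise vouchers handed out in the morning expire before the guest arrives.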


6 Sites

Specify locations to easily manage your access points.

Create multiple floor plans for sites to see where the best places are to mount access points or to get an overview of where access points are installed.

Neighborhood Networks

The Neighborhood Networks tab shows every network within the range of the selected site's access points. This also includes networks which are not provided by Sophos Central. You can filter the scanned networks to show All, Rogue, Trusted, Untrusted, Advanced Impersonate, Evil Twin, BSSID Impersonate, SSID Impersonate, or Adhoc. Use the following options:

Scan: You can scan all online networks in the supported channels of an access point. Devices connected to the network will experience a network interruption of three to five minutes during a scan.

Select Classification: You can customize or mark a scanned network as Rogue, Trusted, Untrusted, Advanced Impersonate, Evil Twin, BSSID Impersonate, SSID Impersonate, or Adhoc.

Clear Custom Classification: You can clear or undo the custom classification.

Neighborhood SSIDs are classified as follows:

Trusted: Network that belongs to your account.
Untrusted: Network that doesn't belong to your account.
Rogue: Untrusted network that is connected to your secured wired access point network.
SSID Impersonate: Network that spoofs the network name of your access point.
BSSID Impersonate: Network that spoofs the hardware address of your access point.
Evil Twin: Network that spoofs the network name and the hardware address of your access point.
Advanced Impersonate: Network that spoofs the network name and unique protection code of your access point.
Adhoc: A peer-to-peer network.

Every access point scans for neighborhood SSIDs once during the startup process, for example when you restart an access point or install a new firmware update. If you activate dynamic background channel selection, access points scan for neighborhood SSIDs on a regular basis.

To show neighborhood SSIDs, you must enable Rogue Access Point detection in Settings.


Floor plans

Use floor plans to set detailed locations for access points. Upload a floor plan as an image file (PDF, PNG, JPEG, BMP, GIF or WBMP) and position the access points.

6.1 About sites

The Wireless Sites feature helps you associate your access points with specific locations and manage them easily.

Additionally, you can create multiple floor plans for sites to see where the best places are to mount access points or to have an overview where access points are installed.

Neighborhood SSIDs

The neighborhood SSIDs tab shows every network within the range of the access points of the selected site. This also includes networks which are not provided by Sophos Central. Each neighborhood SSID is classified as follows:

Sanctioned: AP that belongs to your network.

Unsanctioned: AP that does not belong to your network.

Rogue: Unsanctioned AP that is connected to your secured wired network.

SSID Impersonate: AP that spoofs the network name of an access point that belongs to you.

BSSID Impersonate: AP that spoofs the hardware address of an access point that belongs to you.

Evil Twin: AP that spoofs the network name and the hardware address of the access point that belongs to you.

Advanced AP Impersonate: AP that spoofs the network name and unique protection code of the access point that belongs to you.

Every access point scans for neighborhood SSIDs once during the booting process, for example when you reboot an access point or install a new firmware update. If you activate dynamic background channel selection, access points scan for neighborhood SSIDs on a regular basis.

To show neighborhood SSIDs, you must switch on Rogue AP Detection.
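The classification rules in the Neighborhood Networks table above and in this sites table are the same, so the following added example (not Sophos code) applies them to a scan result in Python. It assumes a list of your own registered radios (SSID, BSSID, channel), a set of MAC addresses learned on your secured wired segment for the Rogue check, and a constructed heuristic that treats one of your own SSID+BSSID pairs beaconing on a channel that radio does not use as an Evil Twin; Advanced Impersonate needs the access points' unique protection code and is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:             # one network seen in a neighborhood scan
    ssid: str
    bssid: str            # hardware (MAC) address of the sender
    channel: int
    adhoc: bool = False   # IBSS (peer-to-peer) beacon, no access point behind it

@dataclass(frozen=True)
class OwnAP:              # one radio of an access point registered to your account
    ssid: str
    bssid: str
    channel: int

def classify(b, own, wired_macs):
    """Classify one beacon. Assumed heuristics (not from the guide): an own
    SSID+BSSID pair seen on a channel that AP does not use is an Evil Twin;
    an untrusted BSSID also learned on the wired segment is Rogue."""
    bssid = b.bssid.lower()
    own_bssids = {a.bssid.lower() for a in own}
    own_ssids = {a.ssid for a in own}
    if any(b.ssid == a.ssid and bssid == a.bssid.lower() and b.channel == a.channel
           for a in own):
        return "Trusted"            # called Sanctioned in the sites table
    if b.adhoc:
        return "Adhoc"
    spoof_ssid, spoof_bssid = b.ssid in own_ssids, bssid in own_bssids
    if spoof_ssid and spoof_bssid:
        return "Evil Twin"          # both the name and the hardware address copied
    if spoof_bssid:
        return "BSSID Impersonate"  # hardware address copied, name differs
    if spoof_ssid:
        return "SSID Impersonate"   # name copied, hardware address differs
    if bssid in wired_macs:
        return "Rogue"              # untrusted AP plugged into your wired network
    return "Untrusted"              # called Unsanctioned in the sites table

def classify_scan(beacons, own, wired_macs):
    return [(b, classify(b, own, wired_macs)) for b in beacons]

# Constructed sample data: two radios of your own, a wired MAC table, one scan.
OWN = [OwnAP("Corp-WiFi", "00:1a:2b:3c:4d:01", 36),
       OwnAP("Corp-WiFi", "00:1a:2b:3c:4d:02", 6)]
WIRED = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "dc:a6:32:00:00:99"}
SCAN = [
    Beacon("Corp-WiFi", "00:1A:2B:3C:4D:01", 36),                  # Trusted
    Beacon("Corp-WiFi", "00:1a:2b:3c:4d:01", 11),                  # Evil Twin
    Beacon("Corp-WiFi", "aa:bb:cc:dd:ee:ff", 1),                   # SSID Impersonate
    Beacon("Guest", "00:1a:2b:3c:4d:02", 6),                       # BSSID Impersonate
    Beacon("HomeRouter", "dc:a6:32:00:00:99", 1),                  # Rogue
    Beacon("CoffeeShop", "11:22:33:44:55:66", 1),                  # Untrusted
    Beacon("printer-direct", "02:00:00:00:00:01", 6, adhoc=True),  # Adhoc
]

if __name__ == "__main__":
    for b, verdict in classify_scan(SCAN, OWN, WIRED):
        print(f"{b.ssid:15} {b.bssid.lower()} ch{b.channel:<3} {verdict}")
```

Feeding the same scan through the Select Classification option in the UI lets you override any verdict, which this example does not model.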

Floor plans

Use floor plans to set detailed locations for access points. Upload a floor plan as an image file (PDF, PNG, JPEG, BMP, GIF or WBMP) and position the APs.


6.2 Create sites

We recommend registering access points before creating sites.

Organize your sites on Google Maps and assign the access points to the sites.

1. Go to Sites and click Create.

2. Enter the name of your company or search for the street address.

3. Select the access points which are located at this site.

Note: An AP can be added to one site only.

4. Save your settings.

The site appears in the list next to the map.

You can now create floor plans for the site.

6.3 Create a floor plan

You can create floor plans that show the locations of your access points.

You need to create a site before you create a floor plan.

To create a floor plan:


1. Go to Sites and click on a site.

2. Click on Create a floor.

3. Add a floor plan.

Note: The floor plan must be an image file (PDF, PNG, JPEG, BMP, GIF or WBMP).

4. Upload the floor plan to Sophos Central.

5. Crop the image or proceed without changes.

6. Assign the dimensions.

Measured dimensions are required to correctly show the network range of access points.

7. Drag and drop an access point from the available tab and place it on the floor plan.

You can delete access points from the floor plan on the placed tab.

8. Save your settings.

The floor plan including the positions of the access points is added to the site.


7 Mesh networks

7.1 About mesh networks

You can use access points to create mesh networks.

Using an AP as a mesh client with 5 GHz effectively reduces the maximum throughput by 50% per hop, because all data sent to the AP needs to be forwarded to the other AP, taking up additional airtime. Therefore we recommend setting the root AP to 5 GHz and the clients to 2.4 GHz. When an AP that is configured to use the mesh network boots, it tries to connect to the service via cable. If this does not work, it becomes a repeater AP and scans for the mesh network. If the mesh network is visible, the AP joins it as a client. The access points determine by themselves whether they are root, repeater (mesh) or bridge access points in the network.

Deployment possibilities

Mesh mode enables you to have multiple access points where one is the root AP and the others are repeater APs, called mesh APs. There can be multiple root APs. Mesh APs can broadcast the SSID from the root AP to cover a larger area without cabling each AP.

A mesh network can also be used to bridge Ethernet networks without laying cables. To run a wireless bridge you have to plug your second Ethernet segment into the Ethernet interface of the mesh access point. The first Ethernet segment is the one on which the root access point connects to the service.

Good to know

There are some things you should know about mesh networks:


• At least one access point needs a LAN connection.

• Mesh access points need to be on the same channel to be able to communicate.

• Avoid using dynamic channel selection as after a reboot the channels of the APs may differ.

• The mesh network may need up to five minutes to be available after configuration.

• You can have only one mesh SSID.

• A mesh network can be realized only with Sophos access points.

• To set up a mesh network you need to create a new SSID.

• There is no automatic takeover of the root AP. The decision to connect to mesh happens during the boot.

7.2 Create a mesh network

Creating a mesh network will generate a WPA2-personal network with a randomly generated passphrase which will be automatically shared among all access points that are configured to broadcast the mesh SSID. The mesh ID is not visible to the administrator.

A mesh network can implement a wireless bridge or a wireless repeater.

1. Connect all access points you want to have in the mesh network to the required LAN network.

2. Register them under Wireless > Access Points > Register.

3. Ensure that the APs are connected to an SSID.

4. Set the same channel on all APs on the 5 GHz band or set Autochannel.

Note: Do not use Dynamic Background Channel Selection, because the channel could then change after a reboot.

5. Create a new SSID (Wireless > SSIDs > Create).

a) Enter the name for the SSID.

b) Select a frequency band.

Note: We recommend using the 5 GHz band because its throughput is higher.

c) Click Next and assign the access points by selecting them in the list.

d) Go to Advanced Settings > Mesh and select Enable mesh mode.

e) Save your settings.

6. Navigate to the access points list and wait until the status of the access points is up to date.

7. Disconnect the mesh AP from the LAN network and place it at the intended location.

8. Reboot the access points (power off and on).

The mesh network is available after a few minutes. It is not visible to end users.

To disable the mesh network, delete the SSID.

Troubleshooting

If Enable mesh mode is not displayed:


• Create a new SSID.

If a second mesh SSID does not work:

• You can only have one SSID with mesh mode enabled.

The mesh network is not coming up:

• Wait a few minutes for it to appear.

• Check if the Spanning Tree Protocol (STP) blocks your mesh configuration.

• Test the connection by broadcasting only mesh on the root AP and a visible SSID on the repeater AP. If it is visible, mesh works.

The mesh network is not visible to end users:

• This is normal behavior. Make it visible by creating a separate SSID and adding the same access points as to the mesh network.

7.3 Mesh network not visible

Clients cannot see the network SSID.

The mesh network is established but you cannot see the mesh SSID.

The mesh network may take up to five minutes to be available after configuration.

1. Restart your access points.

2. Wait five minutes for the network to appear.

The Spanning Tree Protocol (STP) is blocking your mesh configuration.

1. Go to Wireless > Access Points and click an access point that is in your mesh network.

2. Disable STP.

3. Disable STP for all other access points in your mesh network.

4. Restart your access points.

5. Wait five minutes for the network to appear.

7.4 Mesh network not usable

The mesh network is visible but clients cannot connect to the Internet.

Mesh network clients can connect to the network but not to the Internet.

• Check if you have at least one root access point and one mesh access point.

• Ensure that the root access point is connected to the network through a wired LAN connection.

• Check if your mesh access points are on the same channel.

• Ensure that access points that are not part of the mesh network use a different channel.

7.5 Mesh access points missing from network

Not all mesh access points are in the network.

The mesh network is set up but you face connection gaps. This could be caused by access points which are not connected to the mesh network.


• Ensure that all mesh access points have the configuration. In order to obtain a configuration, the access points must initially be connected by wired LAN connection. After the configuration is saved, you can disconnect the mesh access points (except for one) and restart them.

• Ensure that the LAN cable is only connected to one mesh access point.


8 Alerts and diagnostics

8.1 Alerts

There are the following types of wireless alerts:

High

Access point has bad health: The load on the AP is too high. This is caused by too many connected clients. Check your installation (Are the access points well placed? Are there too few?).

Medium

Access point is offline: The AP has either no connection to the Internet, no power or there is an error with the software. If it is the software, a reboot may help. Otherwise, you should connect to the SOS SSID.

Access point is not broadcasting any network: There is currently no configuration on the AP. Configure the AP under Wireless > Access Points.

Access point has high data packet retries: The 802.11 retries alert is triggered when the data frame retries on the AP go beyond 20%. It helps you to understand if retries are the reason for a bad network service. WLAN frames are retried by the AP when the acknowledgement frames are not received from the intended recipient. If the retries go beyond the threshold, the alert indicates that the overall performance of the network is affected.

Access point command done: The reboot is done.

Access point has a DNS timeout: DNS requests to the Internet are not answered. This is either caused by the Internet connection or by your network installation.

Access point has high DNS latency: This alert is triggered by high 802.11 retries and DNS delay. It is either caused by the Internet connection or by your network installation.

• DNS latency alert is triggered if the DNS roundtrip time is above 250 ms.

• 802.11 retries alert is triggered if the retry percentage is above 20% (conservative).

There are some alerts where rebooting the access point may solve the problem:

Access point configuration failed

Access point(s) failed to update to the new firmware

In those cases, as a first step, reboot the access point. If this does not help, call Sophos Support. They will need remote access to investigate the issue (Wireless > Settings > Remote Login to Access Points for Sophos Support).

Low

Access point will be updated with new firmware: Wireless is off for approximately 5 minutes.

All access points will be updated with new firmware: Wireless is off for approximately 5 minutes.


Access point has been successfully updated with new firmware

All access points have been successfully updated

8.2 Diagnostic and analysis settings

You can make some diagnostic and analysis settings under Wireless > Settings:

Forward access points logs

Your access point logs will be forwarded to Sophos technical support.

Remote login

In case of issues you can allow Sophos technical support to have remote access for a given time. The remaining time is displayed as soon as you activate the function. Deactivate to disable remote access immediately.

Traffic categorization

If the traffic categorization is enabled, the traffic generated by users will be categorized and listed on the Usage Insight page. This option is enabled by default.

8.3 Grant remote access

You can grant remote access to your access points for Sophos Support. This may be necessary when APs have failed to update to the new firmware.

Before you grant remote access, reboot your APs and check if your problem still exists.

To grant access:

1. Go to Wireless > Settings.

2. Enable Remote login to access points for Sophos Support.


3. Select the time frame for the remote login.

4. Save your settings.

5. Contact Sophos Support and provide additional information they may need.

Sophos Support has remote login within the selected time frame.

You can deactivate the remote login at any time once you no longer need it.


9 Contact Sophos Support

To get help from Sophos Support:

1. Click Help in the top right of the user interface and select Create Support Ticket.

2. Fill in the form. Be as precise as possible so that Support can help you effectively.

3. Optionally, select Enable Remote Assistance. This enables Support to directly access your Sophos Central session to be better able to help you.

4. Click Send.

Sophos will contact you within 24 hours.

Note: If you selected Remote Assistance, this function is enabled when you click Send. Remote Assistance will automatically be disabled after 72 hours. To disable it sooner, click on your account name (upper right of the user interface), select Licensing & Administration, and click the Sophos Support tab.

Submit feedback

To submit feedback or a suggestion to Sophos Support:

1. Click Help in the top right of the user interface and select Give Feedback.

2. Fill in the form.

3. Click Send.

Additional help

You can also find technical support as follows:

• Visit the Sophos Community at community.sophos.com/ and search for other users who are experiencing the same problem.

• Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.


10 Legal notices

Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
