Sophos UTM9 Reset Used IP count

Introduction

If you’ve got the Sophos UTM up and running in your home network then you may come across this issue at some point. I was using UTM9’s web protection for quite some time and suddenly starting receiving emails to say I’d reached the 50 IP address limit. I now realised I had caused this issue using nmap to scan my /24 DMZ network. I knew the limit was nonsense because only 4 devices existed but still needed to reset the firewall count as it’s behaviour is to indiscriminately block random addresses over the 50 count. There is a problem however in that the first set of commands just perform a temporary reset and it will keep coming back to annoy you for a week until it gets flushed out. Therefore the permanent option is jump into the postgres database and tidy up the offending IPs.

Temporary Workaround

Reset IP Count

1) Login to unit via SSH (you must have the “loginuser” and “root” user passwords/SSH keys set via the web interface).
2) Type “cc” and hit enter
3) Type “licensing” and hit enter
4) Type “active_ips@” and hit enter
5) Type “=[]” and hit enter
6) Type “..” and hit enter
7) Type “user_limit_exceeded$” and hit enter
8) Type “=0” and hit enter
9) Tyipe “exit”, to quit, and hit enter.

At this point the IP table will be flushed out and the unit should no longer be in violation of the license.

Long Term Solution

Delete Entries From Database

So there is a link below which is where I sourced my initial investigation from but the suggested command didn’t work for me so I had to figure it out.

First login to postgres from a root SSH prompt

psql -U postgres

List the databases using

\l

Connect to the reporting database

\c reporting

List the tables

\d

List the Columns in database

\d accounting

Confirm the ips that you see in the webgui. In my case they were in my DMZ using private range 10.149.239.x

SELECT dstip FROM accounting WHERE dstip = '10.149.239.2';

It will return an entry for this IP. Yours may be in a different column e.g. srcip instead if they ever existed. Mine never actually did exist as a live IP. Then perform Deletes for all the rogue entries:

DELETE FROM accounting WHERE dstip = '10.149.239.2';

I used notepad++ and excel to make a list of all IP’s in the /24 DMZ subnet then ran the command for all of the IP’s outside of the four addresses I actually use in production. When you run a delete you will get a return of 1 if it is successful. If you get 0 there is nothing to delete but of course you should be checking first that they exist!

Once you’ve completed this you will have cleared out the rogue addresses using up your 50 IP limit for good. Job done.

https://community.spiceworks.com/how_to/103441-reset-sophos-utm-active-ip-licence-count

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.