Overview 💥
When running Sophos Central Child Inspectors in Liongard, you may encounter the following error:
Inspection failed at https://api-us03.central.sophos.com/firewall/v1/firewalls?pageSize=50&pageTotal=true with status code 403: Request failed with status code 403. This is a problem with your permissions within the target system, not the Liongard inspector.
This typically happens when the child tenant is in an “unmanaged” state within the Sophos Central Partner Dashboard. Because the Sophos Central API only allows access to managed tenants, attempts to retrieve data from an unmanaged child tenant using the parent tenant’s API credentials will fail.
This is a Sophos platform/API limitation, not a Liongard bug.
Why This Happens? 🤔
Sophos Central separates tenants into two states:
Tenant State | Description | API Access Allowed? |
Managed | Child tenant is fully under control of the parent (MDR/partner). | ✅ Yes |
Unmanaged | Child tenant is independent and not attached to the parent’s hierarchy. | ❌ No (403 errors returned) |
When a tenant is unmanaged, the Sophos Central API blocks all cross-tenant access. Therefore, Liongard's parent-level credentials cannot retrieve data — resulting in a 403 error any time the Inspector attempts to query child endpoints.
Common Symptoms 🤒
Child Inspector immediately fails with 403 Forbidden
Parent Inspector works fine, but children fail
Only some tenants are impacted (those in unmanaged status)
Inspector status shows:
Pre-Checks Before Fixing 📝
Run these quick checks before making changes:
Check | How to Verify | Expected Result |
Is parent inspector working? | Run parent Inspector in Clear Cache + Debug Mode (CCDM) | Should succeed |
Is child tenant showing “Unmanaged”? | Look in Sophos Partner Dashboard | If “Unmanaged” → 403 will occur |
Any recent tenant hierarchy changes? | Partner Dashboard → Activity Logs | Propagation may take time |
Are API credentials valid? | Re-auth parent credentials | Credentials must be active & valid |
Steps to Resolve 👨‍💻
1️⃣ Verify the Tenant Management Status
Log in to the Sophos Central Partner Dashboard.
Navigate to Account → Tenants.
Check the Status column for the affected child tenant.
If the tenant shows:
Managed → API should work
Unmanaged → API calls will fail with 403
📌 This is the primary cause of the error.
2️⃣ Remediate the Unmanaged State
You have two valid resolution paths:
✅ Option A — Convert the Child Tenant to “Managed”
Use this if the child tenant should be managed under the parent.
Steps:
Open Partner Dashboard.
Locate the affected child tenant.
Select “Convert to Managed” (or equivalent option).
Confirm the conversion.
Wait 10–30 minutes for backend propagation.
Re-run the Liongard Inspector.
✅ Option B — Set Up a Standalone Inspector for the Child Tenant
Use this if the tenant should remain unmanaged.
Steps:
Go to Liongard → Inspectors.
Add a new Sophos Central Inspector.
Use API credentials for that child tenant, not the parent.
Save, run, and verify the inspection lands successfully.
3️⃣ Retry the Inspector
Always run in Clear Cache + Debug Mode (CCDM) for accurate testing.
Expected outcome:
Managed tenant → should land successfully
Standalone Inspector → should also land successfully
Additional Troubleshooting & Best Practices 🚀
If issues persist, review the following areas:
🔐 API Permissions
Ensure the parent account used for API access:
Has the correct partner admin permissions
Has access to the child tenant in the Sophos hierarchy
Was not recently changed, suspended, or modified
🌐 Propagation Delay
Changes in Sophos Central (especially management hierarchy changes) may take:
10–30 minutes normally
Up to 2 hours for global propagation
🧱 Network/Firewall Considerations
Rare, but if using a restrictive network:
Ensure outbound traffic to Sophos APIs is allowed
Validate TLS/SSL interception is not breaking API calls
📁 Review Inspector Logs (Highly Recommended)
Troubleshooting Table 🤩
Issue | Possible Cause | Resolution |
403 on child Inspector | Child tenant unmanaged | Convert tenant to managed OR create standalone Inspector |
403 after converting to managed | Propagation delay | Wait 10–30 mins → rerun |
403 only on one child | Per-tenant permissions | Ensure parent owns/manages that child |
All child Inspectors failing | Parent API credentials invalid | Re-auth parent credentials |
Standalone Inspector fails | Incorrect API creds | Validate API key for child tenant |
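Added example (not Liongard or Sophos code): the troubleshooting table above applied to a batch of child Inspector results, using the failure message format quoted in the Overview. The tenant names, the `recently_converted` input and the 500-status message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches the failure text quoted in the Overview: "... failed at <url> with status code <nnn>".
FAILURE_RE = re.compile(r"failed at (?P<url>https://\S+) with status code (?P<code>\d{3})")

def parse_failure(message):
    """Return (api_host, path, status) from an Inspector failure message, or None."""
    m = FAILURE_RE.search(message or "")
    if m is None:
        return None
    url = urlsplit(m.group("url"))
    return url.hostname, url.path, int(m.group("code"))

def triage(results, recently_converted=()):
    """Map each failed child Inspector to a row of the troubleshooting table.

    results: {child name: failure message, or None if the inspection landed}.
    recently_converted: children switched to Managed within the propagation window.
    """
    failed = {name: parse_failure(msg) for name, msg in results.items() if msg}
    if len(results) > 1 and len(failed) == len(results):
        # Every child failing points at the parent, not at one tenant's state.
        return {name: "re-auth parent credentials" for name in failed}
    advice = {}
    for name, parsed in failed.items():
        if parsed is None or parsed[2] != 403:
            advice[name] = "not a 403: export Inspector logs for review"
        elif name in recently_converted:
            advice[name] = "propagation delay: wait 10-30 minutes, then rerun"
        else:
            advice[name] = "check tenant Status: convert to Managed or use a standalone Inspector"
    return advice

# Constructed sample data; tenant names and the 500 message are made up for illustration.
URL = "https://api-us03.central.sophos.com/firewall/v1/firewalls?pageSize=50&pageTotal=true"
SAMPLE = {
    "Tenant A": None,
    "Tenant B": f"Inspection failed at {URL} with status code 403: Request failed with status code 403.",
    "Tenant C": f"Inspection failed at {URL} with status code 403: Request failed with status code 403.",
    "Tenant D": f"Inspection failed at {URL} with status code 500: Request failed with status code 500.",
}

if __name__ == "__main__":
    for child, action in triage(SAMPLE, recently_converted={"Tenant C"}).items():
        print(f"{child}: {action}")
```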
When to Contact Liongard Support 🦁
Contact Liongard Support after completing all the above steps if:
Tenant is correctly managed, but 403 persists
Inspector logs show non-standard API failures
Child Inspector fails but direct API calls succeed
You need help validating Inspector configuration
Provide these details for fastest resolution:
Parent & child tenant names
Inspector logs (exported)
Screenshots of Sophos tenant management state
API permission information
Confirmation if standalone Inspectors were tested
