Reject network connections

You can configure devices to reject connections from other devices on the network that may be unsafe.

This setting only applies to devices connected to an XG firewall.

When you turn on the setting, devices reject connections to or from any device that has red health or a missing Security Heartbeat.

  1. Go to Global Settings > Reject Network Connections.
  2. Turn on Allow devices to reject connections from other devices with red health.
  3. Set up Exclusions if you need to.
  4. Click Save.

When a device triggers a red health or missing Security Heartbeat alert, all other devices on the same subnet are informed that the device is unsafe and stop accepting connections to or from it.

If the unsafe device tries to access another device, you will see an event logged in Sophos Endpoint on the destination device (the computer named in the message is the rejected source):

Access request from computer <computer name> denied because it may be unsafe

If a device tries to access an unsafe device, you will see an event logged in Sophos Endpoint on the source device (the computer named in the message is the rejected destination):

Access to computer <computer name> denied because it may be unsafe

You cannot override the rejected state locally on a rejected device. Access to or from the device is allowed again only when it returns to a healthy state, that is, when its health is no longer red and its Security Heartbeat is restored.
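Because the two event messages above name the peer from opposite sides, a batch of endpoint events can be reduced to a list of which computers are being treated as unsafe and who reported them. The following script is an added example, not code from Sophos or from this documentation. Only the two message texts are taken from the page; the "timestamp host:" prefix on each sample line is an assumed log export format (adjust the regexes to match your own export), and the computer names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Sophos Endpoint event lines. Only the message text after the
# "host:" prefix follows the wording documented above; the timestamp and host framing
# is an assumption made for this example.
SAMPLE_EVENTS = """\
2024-05-01T09:12:03Z FILESRV01: Access request from computer WS-042 denied because it may be unsafe
2024-05-01T09:12:09Z FILESRV01: Access request from computer WS-042 denied because it may be unsafe
2024-05-01T09:12:15Z WS-017: Access to computer WS-042 denied because it may be unsafe
2024-05-01T09:13:40Z WS-017: Access to computer Alice's MacBook denied because it may be unsafe
2024-05-01T09:14:02Z WS-017: Scan completed
"""

_PREFIX = r"^(?P<ts>\S+) (?P<host>[^:]+): "
# Non-greedy peer capture so computer names containing spaces are handled.
_SUFFIX = r" denied because it may be unsafe$"

# Logged on the DESTINATION: the peer named in the message is the unsafe source.
INBOUND_DENIAL = re.compile(_PREFIX + r"Access request from computer (?P<peer>.+?)" + _SUFFIX)
# Logged on the SOURCE: the peer named in the message is the unsafe destination.
OUTBOUND_DENIAL = re.compile(_PREFIX + r"Access to computer (?P<peer>.+?)" + _SUFFIX)


def parse_denials(text):
    """Return one dict per rejected-connection event; unrelated events are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for direction, pattern in (("inbound", INBOUND_DENIAL), ("outbound", OUTBOUND_DENIAL)):
            m = pattern.match(line)
            if m:
                events.append({"ts": m["ts"], "host": m["host"],
                               "peer": m["peer"], "direction": direction})
                break
    return events


def summarize(text):
    """Group denials by the peer reported as unsafe, listing reporting hosts per direction.

    'inbound'  = hosts that refused a request coming FROM the peer
    'outbound' = hosts that were stopped from connecting TO the peer
    """
    summary = defaultdict(lambda: {"inbound": set(), "outbound": set(), "count": 0})
    for ev in parse_denials(text):
        entry = summary[ev["peer"]]
        entry[ev["direction"]].add(ev["host"])
        entry["count"] += 1
    return {peer: {"inbound": sorted(v["inbound"]),
                   "outbound": sorted(v["outbound"]),
                   "count": v["count"]}
            for peer, v in summary.items()}


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["count"])
    for peer, info in ranked:
        print(f"{peer}: {info['count']} denials; refused requests from it: {info['inbound'] or '-'}; "
              f"blocked from reaching it: {info['outbound'] or '-'}")
```

A peer that appears under both directions from several hosts is the device whose health you should check in Sophos Central; since the rejection cannot be cleared on the rejected device itself, the fix is to restore that device's health rather than to touch the reporting hosts.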

Exclusions for servers

You might have servers that are critical for your organization. In this case, set up exclusions so that devices always accept connections from these servers, even if the servers' health is red. Servers that are used as an update cache or message relay are excluded by default, so they can keep providing updates and a communication route for your devices.

  1. On the Reject Network Connections page, go to Exclusions.
  2. Select the server or servers and move them to the Excluded list.
  3. Click Save.