Security Heartbeat

Security Heartbeat is a feature that allows endpoints and firewalls to communicate their health status with each other. Find the details on how it works, what different health statuses there are, and what they mean.

Communication channel

Endpoints and XG Firewall communicate through an encrypted TLS connection over the IP address 52.5.76.173 on port 8347.

Identification of endpoints

Each endpoint receives a certificate from Sophos Central. Sophos Central shares those certificates with XG Firewall, so XG Firewall is able to attribute an endpoint to a particular organization. XG Firewall only establishes connections with endpoints for which it possesses their certificate.

Information exchange

  • When an endpoint connects to XG Firewallfor the first time, it sends the details of its current health status, network interfaces, and signed-in users.
  • Endpoints send a heartbeat (their health status) to XG Firewall every 15 seconds. These messages are called heartbeat.
  • XG Firewall sends a list of endpoints whose health status is red (at risk) or yellow (warning) every second heartbeat, that is every 30 seconds.

Missing heartbeat

XG Firewall logs a heartbeat as missing when it doesn’t receive three consecutive heartbeats from an endpoint that continues to send network traffic. When the endpoint sends the heartbeat again, XG Firewall considers it active. A missing heartbeat is determined by the MAC address of an endpoint and all interfaces are taken into account.

Yellow heartbeat status

Typical reasons for a yellow status are:
  • A newly installed PUA (potentially unwanted application)
  • 24 hours since the last signature update

Usually, it is temporary and no action is required.

Red heartbeat status

A red status requires action. A typical reason is that active malware has been detected and couldn’t be automatically removed.

Source heartbeat and destination heartbeat

Source and destination heartbeats define the minimum required heartbeat from the source and destination, respectively.

Protection based on health status (lateral movement protection)

Endpoints communicate with another endpoint based on its health status and the policy specified in Sophos Central. For example, if an endpoint has a read health status and there’s a corresponding policy defined, other endpoints would stop communicating with that endpoint.

Tap mode and Security Heartbeat

For Security Heartbeat to work in tap mode you must have at least one interface configured within the LAN Zone that is regularly connected to the network and whose address can be reached from the endpoints. The IP addresses of all interfaces within the LAN zone are transmitted to Sophos Central and further to the endpoints. Endpoints in turn try to connect to one of the LAN zone IP addresses to send their Security Heartbeat messages to.