Security Heartbeat

Security Heartbeat is a feature that allows endpoints and firewalls to communicate their health status with each other. Find the details on how it works, what different health statuses there are, and what they mean.

Communication channel

Endpoints and XG Firewall communicate through an encrypted TLS connection over the IP address on port 8347.

Identification of endpoints

Each endpoint receives a certificate from Sophos Central. Sophos Central shares those certificates with XG Firewall, so XG Firewall is able to attribute an endpoint to a specific organization. XG Firewall only establishes connections with endpoints for which it possesses their certificate.

Information exchange

  • When an endpoint connects to XG Firewall for the first time, it sends the details of its current health status, network interfaces, and signed-in users.
  • Endpoints send a heartbeat (their health status) to XG Firewall every 15 seconds. These messages are called heartbeat.
  • XG Firewall sends a list of endpoints whose health status is red (at risk) or yellow (warning) every second heartbeat, that is every 30 seconds.

Missing heartbeat

XG Firewall logs a heartbeat as missing when it doesn’t receive three consecutive heartbeats from an endpoint that continues to send network traffic. When the endpoint sends the heartbeat again, XG Firewall considers it active. A missing heartbeat is determined by the MAC address of an endpoint and all interfaces are taken into account.

Green heartbeat status

A green heartbeat status requires no action and means that:

  • Sophos security software is working correctly.
  • No active malware is detected.
  • No inactive malware is detected.
  • No potentially unwanted application is detected.

Yellow heartbeat status

Typical reasons for a yellow status are:

  • A newly installed PUA (potentially unwanted application)
  • 24 hours since the last signature update
  • Inactive malware is detected.
  • A potentially unwanted application is detected.

Usually, it is temporary and no action is required. However, you can choose to take action when a PUA or malware is detected.

Red heartbeat status

A red status requires action. A typical reason is that active malware has been detected and couldn’t be automatically removed.

You should take action if one or more of the following issues occur:

  • Active malware is detected.
  • Running malware is detected.
  • Malicious network traffic is detected. This traffic might lead to a command-and-control server involved in a botnet or other malware attack.
  • Communication sent to a known bad host is detected. This is based on the IP address or DNS resolution.
  • Malware was not removed.
  • Sophos security software is not working correctly.

Source heartbeat and destination heartbeat

Source and destination heartbeats define the minimum required heartbeat from the source and destination, respectively. These can be found under the respective firewall policy.

Protection based on health status (lateral movement protection)

Endpoints communicate with another endpoint based on its health status and the policy specified in Sophos Central. For example, if an endpoint has a read health status and there’s a corresponding policy defined, other endpoints would stop communicating with that endpoint.

The XG Firewall will handle this communication between endpoints. It acts as a MAC layer 2 proxy to tell each endpoint within the same broadcast domain the MAC and health status of all other endpoints.

Tap mode and Security Heartbeat

For Security Heartbeat to work in tap mode you must have at least one interface configured within the LAN Zone that is regularly connected to the network and whose address can be reached from the endpoints. The IP addresses of all interfaces within the LAN zone are transmitted to Sophos Central and further to the endpoints. Endpoints in turn try to connect to one of the LAN zone IP addresses to send their Security Heartbeat messages to.