
Security Heartbeat overview

Security Heartbeat allows Sophos Firewall and endpoints managed by Sophos Endpoint Protection to communicate through Sophos Central and exchange information about the endpoints' security status (health status).

Sophos Firewall and Sophos Central administrators can define policies for network access based on the endpoints' health status. Endpoints with security incidents can be immediately isolated, thus preventing threats from spreading across the network.

Endpoints authenticate through Sophos Central. Endpoints need to run the Endpoint Protection agent, which the Sophos Central administrator provides. The Endpoint Protection agent ensures that the endpoints belong to the organization and have permission to access the network. These endpoints send updates at regular intervals about their health status to Sophos Firewall, which applies the defined policies based on that information.


Sophos Firewall communicates with the Sophos Central IP address,, on port 8437.

To use this feature, register this firewall with Sophos Central.

The Security Heartbeat widget on the Control center page provides information about the health status of endpoints.

Configure the missing heartbeat zones when you turn on Security Heartbeat. Regulate traffic based on heartbeat information in the Advanced section of user/network firewall rules.

For Security Heartbeat to work correctly, the following conditions must be met:

  • No traffic is routed through a VPN tunnel before the heartbeat connection has been established. Otherwise, the heartbeat traffic is also routed through the VPN tunnel, so the firewall can't see the heartbeat traffic and marks the endpoint as missing. While the endpoint is in the Missing status, all traffic from this endpoint through the firewall is blocked.


    Sophos Connect can send the heartbeat messages generated by a Sophos endpoint if the connection policy allows the heartbeat messages to be sent through a VPN tunnel.

  • The endpoint must not be located behind an intermediate router. If it is, a missing heartbeat can't be detected, which leads to false results. The endpoint still shares its health status.

  • The router must not be a NAT gateway. Otherwise, endpoints can't share their health status with Sophos Firewall.

Synchronized user ID authentication

When a user signs in to an endpoint, Security Heartbeat sends a synchronized user ID containing the domain name and username to Sophos Firewall. Sophos Firewall checks the user account with the configured Active Directory server and activates the user.


You don’t need to install an agent on the server or user devices. Sophos Firewall doesn’t share or use the password.


Currently, the following conditions apply:

  • Works only with AD authentication
  • Works with Windows 7 and Windows 10 systems
  • Won’t recognize local users