Security Heartbeat
Security Heartbeat is a feature that allows endpoints and firewalls to communicate their health status with each other.
This topic covers details about how it works, its different health statuses, and what they mean.
Communication channel
Endpoints and Sophos Firewall communicate through an encrypted TLS connection over the IP address 52.5.76.173
on port 8347.
Identification of endpoints
Each endpoint receives a certificate from Sophos Central. Sophos Central shares those certificates with Sophos Firewall so that Sophos Firewall can associate an endpoint with a specific organization. Sophos Firewall only establishes connections with those endpoints it has certificates for.
Information exchange
- When an endpoint connects to Sophos Firewall for the first time, it sends the details of its current health status, network interfaces, and signed-in users.
- Endpoints send a heartbeat (their health status) to Sophos Firewall every 15 seconds.
- Sophos Firewall sends a list of endpoints whose health status is red (at risk) or yellow (warning) every second heartbeat, every 30 seconds.
Missing heartbeat
Sophos Firewall logs a heartbeat as missing when it doesn’t receive three consecutive heartbeats from an endpoint that continues to send network traffic. When the endpoint sends the heartbeat again, Sophos Firewall considers it active. The MAC address of an endpoint determines a missing heartbeat, and all interfaces are taken into account.
To avoid frequent and misleading notifications about endpoints going into a missing heartbeat status after intentional actions, such as include power off, suspend, hibernate, or moving to a different network adapter, you can customize the heartbeat detection behavior. The customization options are as follows:
- Increase the default timeout for missing heartbeat detection: The default timeout between the last received security heartbeat messages and moving the endpoint into a missing heartbeat status when still detecting network activity of the endpoint is set to 60 seconds. In some cases, when switching between network adapters, specifically when switching from a wired to a wireless connection, this timeout can be too short.
- Delay sending Missing Heartbeat status to Sophos Central: By default, Sophos Firewall directly sends information to Sophos Central about an endpoint going into the missing heartbeat status. missing heartbeat status.
Note
Using these options may delay missing heartbeat notifications that you want to receive.
Note
When you add a firewall rule, if you select Block clients with no heartbeat and add a web exception for policy checks under Web > Exceptions, web requests aren't blocked.
Green heartbeat status
A green heartbeat status requires no action and means that:
- Sophos security software is working correctly.
- No active malware is detected.
- No inactive malware is detected.
- No potentially unwanted application is detected.
Yellow heartbeat status
Typical reasons for a yellow status are:
- A newly installed PUA (potentially unwanted application).
- Twenty-four hours since the last signature update.
- Inactive malware is detected.
- A potentially unwanted application is detected.
Usually, it's temporary, and no action is required. However, you can choose to take action when a PUA or malware is detected.
Red heartbeat status
A red status requires action. A typical reason is that active malware has been detected and couldn’t be automatically removed.
You should take action if one or more of the following issues occur:
- Active malware is detected.
- Running malware is detected.
- Malicious network traffic is detected. This traffic might lead to a command-and-control server involved in a botnet or other malware attack.
- Communication sent to a known bad host is detected. This is based on the IP address or DNS resolution.
- Malware wasn't removed.
- Sophos security software isn't working correctly.
Source heartbeat and destination heartbeat
Source and destination heartbeats define the minimum required heartbeat from the source and destination, respectively. These can be found under the respective firewall rule.
Protection based on health status (lateral movement protection)
Endpoints communicate with another endpoint based on its health status and the policy specified in Sophos Central. For example, if an endpoint has a red health status and there’s a corresponding policy defined, other endpoints would stop communicating with that endpoint.
Sophos Firewall will handle this communication between endpoints. It acts as a MAC layer two proxy to tell each endpoint within the same broadcast domain the MAC and health status of all other endpoints.
Tap mode and Security Heartbeat
For Security Heartbeat to work in tap mode, you must have at least one interface configured within the LAN Zone regularly connected to the network and whose address can be reached from the endpoints. The IP addresses of all interfaces within the LAN zone are transmitted to Sophos Central and further to the endpoints. Endpoints, in turn, try to connect to one of the LAN zone IP addresses to send their Security Heartbeat messages to.