Skip to content

Security Heartbeat overview

Security Heartbeat allows Sophos Firewall and endpoints managed by Sophos Endpoint Protection to communicate through Sophos Central and exchange information about the endpoints' security status (health status).

Sophos Firewall administrators and Sophos Central administrators can define policies for network access based on the endpoints' health status. Endpoints with security incidents can be immediately isolated, thus preventing threats from spreading across the network.

Endpoints authenticate through Sophos Central. Endpoints must run the Endpoint Protection agent, which the Sophos Central administrator provides. The Endpoint Protection agent ensures that the endpoints belong to the organization and have permission to access the network. These endpoints send updates at regular intervals about their health status to Sophos Firewall, which applies the defined policies based on that information.


Sophos Firewall communicates with the Sophos Central IP address,, on port 8347.

To use this feature, register this firewall with Sophos Central.


This feature requires the Network Protection subscription. You can configure the feature but can't use it without a valid subscription.

The Security Heartbeat widget on the Control center page provides information about the health status of endpoints.

Configure the missing heartbeat zones when you turn on Security Heartbeat. Regulate traffic based on heartbeat information in the Advanced section of user/network firewall rules.

For Security Heartbeat to work correctly, the following conditions must be met:

  • There's no traffic routed through a VPN tunnel before the heartbeat connection has been established. Otherwise, the heartbeat traffic will also be routed through the VPN tunnel, the firewall can't see the heartbeat traffic and it marks the endpoint as missing. When the endpoint is in the Missing status, all traffic through the firewall from this endpoint is blocked.


    Sophos Connect can send the heartbeat messages generated by a Sophos endpoint if the connection policy allows the heartbeat messages to be sent through VPN. To configure this, go to Remote access VPN > IPsec on your firewall. Under Advanced settings, select Send Security Heartbeat through tunnel.

  • The endpoint must not be located behind an intermediate router. Otherwise, a missing heartbeat can't be detected. This leads to false results. The endpoint still shares its health status.

  • The router must not be a NAT gateway. Otherwise, endpoints can't share their health status with Sophos Firewall.

Synchronized user ID authentication

When a user signs in to an endpoint, Security Heartbeat sends a synchronized user ID containing the domain name and username to Sophos Firewall. Sophos Firewall checks the user account with the configured Active Directory server and activates the user.


You don’t need to install an agent on the server or user devices. Sophos Firewall doesn’t share or use the password.


Currently, the following conditions apply:

  • Works only with Active Directory authentication.
  • Works with Windows 10 and later.
  • Won’t recognize local users.