Sophos Firewall
FW2535: Getting Started with Security Heartbeat on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
10 minutes
In this chapter you will learn what Security Heartbeat is, and how to enable it to help protect your
network.
Sophos Security Heartbeat provides intelligent communication between endpoints that are
managed in Sophos Central and the Sophos Firewall so that they can coordinate their response to
threats.
The computer sends a small regular heartbeat to the Sophos Firewall to identify itself and show
that it is still active and protected.
When an event occurs, such as a malware detection, information about the event is shared with
the Sophos Firewall.
The computer announces its health status to the Sophos Firewall, which can be either GREEN,
YELLOW or RED.
If the Sophos Firewall detects an advanced attack, it can request additional details from the
endpoint such as the process name.
The Sophos Firewall can use the heartbeat and health information from endpoints to control
access to hosts and networks.
If a computer has a GREEN status, this means that the Endpoint Agent is running (so the computer
is protected) and no active or inactive malware or PUAs (potentially unwanted applications) have
been detected.
If the computer has a YELLOW status, the Endpoint Agent is running so the computer is still
protected, but inactive malware or a PUA has been detected. It can also indicate that the Endpoint
Agent is out of date.
When a computer has a RED status, it can indicate that the Endpoint Agent may not be running, so
the computer may not be protected. Alternatively, it could mean that active malware has been
detected, that malware has been detected but not cleaned up, that malicious network traffic has
been detected, or that the computer has communicated with a known bad host.
Computers must be connected to the local network or to the Sophos Firewall via a VPN.
Sophos Central brokers the trust between computers that it manages and Sophos Firewalls that are
registered with it. Sophos Central will provide the certificates required to the computers and
Sophos Firewall to be able to communicate.
The computer will initiate a connection to the Sophos Firewall, and if it is a computer that is
managed by the same Sophos Central account a two-way communication channel is established.
Please note that Security Heartbeat is only supported when computers are connected to the local
network, or to the Sophos Firewall via a VPN. Security Heartbeat is not supported in the WAN
zone.
[Diagram: two protected computers connected through the Sophos Firewall to the Internet]
Let’s look at what would happen if malware is detected on a computer with Security Heartbeat.
When malware is detected on the computer, Security Heartbeat will send event information and its
new health status to the Sophos Firewall.
Sophos Firewall can then prevent the compromised computer from connecting to other computers
or servers, protecting them from possible infection.
Once the Sophos Endpoint Agent has cleaned up the malware, Security Heartbeat will send its
updated health status to the Sophos Firewall, and the firewall can allow it to access hosts and
networks as normal.
In this example Sophos Firewall can protect computers where the traffic must pass through the
firewall, but what about where computers are connected via a switch?
[Diagram: two protected computers connected to each other via a switch, with the switch connected to the Sophos Firewall]
Let’s consider the same scenario, but this time look at the computers that are connected to the
same section of network as the laptop that has detected malware. The computers on this section
of the network can communicate with each other without the traffic passing through the Sophos
Firewall.
In this scenario when the Sophos Firewall receives a red health status for laptop B it shares the
MAC address of laptop B with all of the endpoints it has a heartbeat with.
The computers can use the MAC address to drop traffic from the computer with the RED health
status. This is done by the Sophos Central software and has to be enabled in Sophos Central.
Currently, only Windows endpoints will drop traffic from computers with a RED health status.
It is important to note that because this relies on the other computers being able to see the MAC
address of the computer with a RED health status, it would not work if the switch were replaced
with a router.
[Additional Information]
Lateral movement protection is enabled and configured in Sophos Central in Global Settings >
Reject Network Connections.
[Diagram: 2. Sophos Firewall sends a message to the endpoint (laptop) to change its health status to red. 3. The endpoint reports additional information (process) back to the Sophos Firewall.]
So far, we have only looked at the red health status being triggered by something being detected
on the endpoint, but the Sophos Firewall can also inform the endpoint when it has detected
something that requires the laptop to have a red health status. This can be either a call home to a
command-and-control server or because the endpoint has triggered an IPS rule.
To start using Security Heartbeat the Sophos Firewall needs to be registered with the same Sophos
Central account that is used to manage the protection on the computers.
Registration is completed in SYSTEM > Sophos Central. You can either register the firewall using a
one-time password or the username and password of a Central admin.
To create a one-time password in Sophos Central, navigate to the Firewall management section,
then MANAGE > Firewalls.
Click Add Firewall, then select join a firewall that is already configured. Enter the serial number of
your firewall and click Next. Click Copy OTP code and finish.
In Sophos Firewall, choose to register using a one-time password, then paste in the code and click
Register.
Once enabled, you can optionally configure which zones you want to detect missing heartbeats for.
A missing heartbeat is a computer that has established a heartbeat in the past but is no longer
sending a heartbeat. This could indicate that the protection software has been disabled.
In the Control center you can see how many devices have established a heartbeat with the firewall
and their current status.
With the Sophos Firewall registered with Sophos Central, endpoints will start to establish a
heartbeat. There will be a short delay before this happens while they download the required
certificates.
For the Sophos Firewall to start controlling network access based on a computer’s heartbeat status
you need to enable the restrictions in your firewall rules.
Restrictions can be configured for the source, the destination or both, and set the minimum
required health status: green, yellow or no restriction.
You can optionally require computers to have a heartbeat. This means that any device not managed
by Sophos Central will not be able to meet the requirement. This can be used to block unknown
devices on the network.
Please note that destination restrictions cannot be applied to computers in the WAN zone.
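The rule restrictions above, together with the missing-heartbeat check described earlier, as a worked model. This is an added example, not Sophos code or the firewall's actual implementation: it assumes a separate "require heartbeat" flag per side, constructed zone names (LAN, VPN, WAN) and a constructed endpoint inventory.

```python
"""Added example, not Sophos code: a model of how Security Heartbeat restrictions
in a firewall rule decide a flow. Endpoint records, zone names and the per-side
'require heartbeat' flags are constructed assumptions, not the product's data model."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordering behind "minimum required health status": GREEN satisfies a YELLOW minimum.
RANK = {"RED": 0, "YELLOW": 1, "GREEN": 2}

@dataclass
class Endpoint:
    health: str        # GREEN / YELLOW / RED as last announced by the endpoint
    heartbeat: bool    # True while the firewall is still receiving a heartbeat
    seen_before: bool  # True if a heartbeat was ever established with this device
    zone: str          # constructed zone names: LAN, VPN, WAN

@dataclass
class HeartbeatRestriction:
    min_src: Optional[str] = None   # "GREEN", "YELLOW" or None (no restriction)
    min_dst: Optional[str] = None
    require_src_hb: bool = False    # block sources that have no heartbeat
    require_dst_hb: bool = False    # block destinations that have no heartbeat

def side_ok(ep: Optional[Endpoint], minimum: Optional[str], require_hb: bool) -> bool:
    """One side of the rule: a device with no heartbeat (e.g. an unknown device) fails
    only when a heartbeat is required; a reporting device must meet the minimum."""
    if ep is None or not ep.heartbeat:
        return not require_hb
    return minimum is None or RANK[ep.health] >= RANK[minimum]

def allowed(src: Optional[Endpoint], dst: Optional[Endpoint], rule: HeartbeatRestriction) -> bool:
    src_ok = side_ok(src, rule.min_src, rule.require_src_hb)
    if dst is not None and dst.zone == "WAN":
        dst_ok = True  # destination restrictions cannot be applied to hosts in the WAN zone
    else:
        dst_ok = side_ok(dst, rule.min_dst, rule.require_dst_hb)
    return src_ok and dst_ok

def missing_heartbeats(fleet: Dict[str, Endpoint], zones: List[str]) -> List[str]:
    """Devices in the monitored zones that established a heartbeat but stopped sending one."""
    return sorted(n for n, e in fleet.items() if e.zone in zones and e.seen_before and not e.heartbeat)

# Constructed sample inventory (health is irrelevant for devices without a heartbeat).
FLEET = {
    "laptop-a": Endpoint("GREEN", True, True, "LAN"),
    "laptop-b": Endpoint("RED", True, True, "LAN"),      # active malware detected
    "laptop-c": Endpoint("GREEN", False, True, "LAN"),   # agent stopped: missing heartbeat
    "printer": Endpoint("GREEN", False, False, "LAN"),   # never had a heartbeat
    "web-server": Endpoint("GREEN", False, False, "WAN"),
}
```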
https://training.sophos.com/fw/simulation/Heartbeat/1/start.html
In this simulation you will register Sophos Firewall with Sophos Central and enable Security
Heartbeat in a firewall rule. You will trigger a RED health status and confirm the device is blocked.
Here are the three main things you learned in this chapter.
The Security Heartbeat is established between the Sophos Central managed endpoints and the
firewall. Sophos Central brokers trust between the endpoints and firewall so they must be
registered to the same Sophos Central account.
Sophos Firewall can block traffic from endpoints with a RED health status if it is passing through
the firewall. To prevent lateral movement the firewall will share the MAC addresses of devices with
a RED health status with all other endpoints that it has a heartbeat with so they can drop the
traffic.
Security Heartbeat must be configured in firewall rules to set a minimum health status for source
and destination. Optionally, you can select to require a heartbeat.