
Getting Started with Intrusion Prevention on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
SF2505: Getting Started with Intrusion Prevention on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Intrusion Prevention on Sophos Firewall - 1


Getting Started with Intrusion Prevention on Sophos Firewall

In this chapter you will learn how to enable and configure basic intrusion prevention settings on
Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Using the Sophos Firewall WebAdmin to configure policies

DURATION

10 minutes

In this chapter you will learn how to enable and configure basic intrusion prevention settings on
Sophos Firewall.



Intrusion Prevention Overview

Intrusion prevention system (IPS) policies

Spoof protection

Denial-of-Service (DoS) protection

Intrusion prevention on Sophos Firewall has three parts:


• Intrusion prevention system (IPS) policies, which are applied to firewall rules to protect against
exploits and malformed traffic
• Spoof protection, which drops traffic that pretends to come from a different MAC or IP address
in order to bypass protection
• Denial-of-service (DoS) protection, which drops traffic that is maliciously trying to prevent
legitimate traffic from reaching services



IPS Policies

[Diagram: an ATTACKER on the Internet and a COMPROMISED COMPUTER on the internal network, both
sending traffic through the SOPHOS FIREWALL towards SERVERS]

Detect and block malicious and malformed traffic coming into the network

Detect and block malicious and malformed traffic coming from computers on the network

Let’s start with IPS policies.

IPS policies are a collection of rules to detect malicious and malformed data that can exploit
computers and servers. IPS policies are selected in firewall rules, so they can be used to protect
against attacks on traffic coming into the network, and traffic coming from compromised
computers on the network.



Enabling IPS

Before you can configure and use intrusion prevention you need to enable IPS protection. This will
download the IPS signatures to the Sophos Firewall. Once the signatures have been downloaded,
they will be kept up-to-date.

If IPS is disabled using the switch, the IPS signatures are removed after 30 days unless IPS is
enabled again.



Out-of-the-Box IPS Policies

IPS policies are configured in: PROTECT > Intrusion prevention > IPS policies

Sophos Firewall comes with several predefined IPS policies, which can be found in PROTECT >
Intrusion prevention > IPS policies.

These policies cover most of the everyday scenarios that you would encounter on an average
network. You can edit the included policies or create new ones to meet your security needs.



Creating IPS Policies

Maximum 15 characters

Optionally clone rules from an existing IPS policy

When you create a new IPS policy you give it a name, limited to fifteen characters, and a
description. You can then optionally select to clone the rules from an existing policy. This can save
a lot of time when building new policies. You have to save the policy at this point so that if you
have selected to clone rules they can be added. You can then edit the policy.



Configuring IPS Policies

Drag and drop to order rules

The policy is made up of an ordered list of rules. Each rule contains one or more signatures and has
an action. You can change the order of the rules within the policy by dragging and dropping them.



Creating IPS Policy Rules

Free-text filter

All filtered signatures or selected signatures only

When you add or edit a rule you can quickly and easily select the desired IPS patterns by category,
severity, platform, and target type, with support for persistent smart filter lists that will
automatically update as new patterns are added that match the selected criteria.

For example, you can use the smart filter to select all signatures that relate to a specific
application.

You can choose to include all the signatures returned by the filters or only selected signatures.
Please note that if you choose only selected signatures the rule cannot update the included
signatures automatically.

Sophos Firewall includes the Talos commercial IPS signature library from Cisco. We augment the
Talos library with additional signatures as required to ensure optimal intrusion protection.

Talos is a highly respected network security analysis group working around the clock to respond to
the latest trends in hacking, intrusions, and malware… just like our own SophosLabs. So, this is a
great partnership that bolsters our IPS protection and provides more granular IPS policy controls.



Creating IPS Policy Rules

Recommended action for the signature

At the bottom of the rule, you can select the action you want to take. One of these actions is
‘Recommended’. You will notice that each signature has a recommended action associated with it
that can be used, or you can override this with the action applied to the rule.
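The ordered-rule, smart-filter and action semantics described above, modelled as an added example in Python. This is not part of the Sophos course or of the Sophos Firewall code: the signatures, their IDs, categories and severity scale are constructed, and the class and field names are this example's own assumptions rather than the product's data model. It shows the first matching rule deciding the action, the ‘Recommended’ action deferring to each signature's own recommendation, and a smart-filter rule picking up a newly added matching signature while a rule built from selected signatures does not.

```python
# Added example, not Sophos code: a minimal model of an IPS policy made up of
# ordered rules with smart filters or selected signatures, each with an action.
# Signatures, categories, the severity scale and all IDs are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str      # constructed category label, e.g. "web-server"
    severity: int      # constructed scale: 1 (low) .. 5 (critical)
    recommended: str   # action recommended for this signature: "allow" or "drop"


@dataclass
class Rule:
    """One rule in a policy. A smart filter is re-evaluated against the current
    signature library, so it picks up new signatures that match; a fixed set of
    selected signature IDs never updates automatically."""
    name: str
    action: str                                      # "allow", "drop" or "recommended"
    smart_filter: Optional[Callable[[Signature], bool]] = None
    selected_sids: frozenset = frozenset()

    def matches(self, sig: Signature) -> bool:
        if self.smart_filter is not None:
            return self.smart_filter(sig)
        return sig.sid in self.selected_sids

    def effective_action(self, sig: Signature) -> str:
        # "recommended" defers to the signature's own recommendation; any other
        # action overrides it for every signature the rule covers.
        return sig.recommended if self.action == "recommended" else self.action


@dataclass
class IpsPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.name) > 15:   # WebAdmin limits policy names to 15 characters
            raise ValueError("IPS policy name is limited to 15 characters")

    def decide(self, sig: Signature) -> str:
        """Rules are evaluated in order and the first match decides. A signature
        that no rule covers is not inspected by this policy ('not-covered')."""
        for rule in self.rules:
            if rule.matches(sig):
                return rule.effective_action(sig)
        return "not-covered"


# Constructed signature library as downloaded today.
LIBRARY = [
    Signature(1001, "web shell upload", "web-server", 5, "drop"),
    Signature(1002, "deprecated TLS cipher offered", "web-server", 2, "allow"),
    Signature(2001, "known C2 beacon", "malware", 5, "drop"),
]

# Constructed signatures that arrive with a later signature update.
UPDATE = [
    Signature(1003, "new web-server exploit", "web-server", 3, "drop"),
    Signature(3001, "DNS tunnelling pattern", "dns", 3, "drop"),
]


def build_policy() -> IpsPolicy:
    return IpsPolicy("LAB-WEB-DMZ", [
        # smart filter: every critical signature, regardless of category, dropped
        Rule("critical-drop", "drop", smart_filter=lambda s: s.severity >= 5),
        # smart filter: all web-server signatures, each with its recommended action
        Rule("web-recommended", "recommended", smart_filter=lambda s: s.category == "web-server"),
        # selected signatures only: this set never grows on its own
        Rule("hand-picked", "allow", selected_sids=frozenset({1002, 2001})),
    ])


def evaluate(policy: IpsPolicy, library: List[Signature]) -> Dict[int, str]:
    """Map every signature ID in the library to the action the policy takes."""
    return {sig.sid: policy.decide(sig) for sig in library}


if __name__ == "__main__":
    policy = build_policy()
    print(evaluate(policy, LIBRARY))            # {1001: 'drop', 1002: 'allow', 2001: 'drop'}
    print(evaluate(policy, LIBRARY + UPDATE))   # 1003 is covered by the smart filter, 3001 is not
```

Note that signature 1002 reaches the smart-filter rule before the hand-picked rule that also lists it, so rule order, not the rule a signature was first added to, decides the action.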



Applying IPS Policies

Select an IPS policy for the firewall rule

Once you have created an IPS policy it needs to be selected in a firewall rule to be active. The
firewall rule you select will determine what traffic is checked, and the IPS policy will determine the
checks that are carried out.



Simulation: Create an IPS Policy


In this simulation you will create an IPS policy and apply it to a firewall rule.

[Additional Information]

https://training.sophos.com/fw/simulation/IpsPolicy/1/start.html



Spoof Protection

IP spoofing: drop packets if the source IP does not match an entry in the firewall's routing table

MAC filter: drop packets that are not from a trusted MAC address

IP-MAC pair filter: drop packets if the source IP and MAC do not match a trusted IP-MAC pair

If spoof protection is misconfigured, you can lock yourself out of the Sophos Firewall

In addition to the protection that can be configured in IPS policies, there are denial of service (DoS)
and spoof protection services that can be enabled.

We will start with spoof protection, which has three modes of protection that can be enabled
per zone.
• IP spoofing – packets are dropped if the source IP address does not match an entry in the
firewall's routing table
• MAC filter – packets are dropped if the source MAC address is not configured as a trusted
MAC
• IP-MAC pair filter – packets are dropped if the IP and MAC do not match any entry in the
IP-MAC trusted list

The MAC filter cannot be enabled until at least one entry has been added to the trusted MAC list.

In addition to these three modes, there is the option to restrict unknown IP on trusted MAC. With
this option enabled, any traffic from an unknown IP address on a trusted MAC address is dropped.

Please note, if spoof protection is misconfigured you can lock yourself out of the Sophos Firewall!
In particular, before enabling the MAC filter on the zone you administer the firewall from, make
sure the MAC address of your own management computer is on the trusted MAC list.



Spoof Protection

If spoof protection is misconfigured, you can lock yourself out of the Sophos Firewall

In the spoof protection trusted MAC section, you can add MAC addresses that can be used with
the MAC filter. MAC addresses can be associated to IP addresses; this can either be set to none,
DHCP, or static. For static IP addresses you can enter multiple values.
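The spoof-protection modes described above (IP spoofing, MAC filter, IP-MAC pair filter and restrict unknown IP on trusted MAC), together with trusted MAC entries bound to no IP, to DHCP, or to several static IPs, run over constructed packets as an added example in Python. This is not Sophos code: the routing table, trusted MAC list, DHCP leases, zones and packets are all constructed, the function and field names are this example's own, and how a trusted MAC with no IP association is treated by the IP-MAC pair filter is an assumption noted in the code. The `admin-laptop-untrusted` packet is the lockout case from the warning: the MAC filter is enabled on LAN and the management computer's MAC is not in the trusted list.

```python
# Added example, not Sophos code: the spoof-protection checks described above
# applied to constructed packets. The routing table, trusted MAC list, DHCP
# leases and packets are all constructed; names are this example's own.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple, Union
import ipaddress


@dataclass(frozen=True)
class Packet:
    zone: str      # zone the packet arrived on
    src_ip: str
    src_mac: str


Binding = Union[str, frozenset]   # "none", "dhcp", or a frozenset of static IPs


@dataclass
class SpoofConfig:
    ip_spoofing: Set[str]    # zones with IP spoofing protection enabled
    mac_filter: Set[str]     # zones with the MAC filter enabled
    ip_mac_pair: Set[str]    # zones with the IP-MAC pair filter enabled
    restrict_unknown_ip_on_trusted_mac: bool
    trusted_macs: Dict[str, Binding]
    leases: Dict[str, str]   # constructed DHCP leases: mac -> current IP


ROUTES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.50.0/24")]


def on_routing_table(src_ip: str) -> bool:
    """IP spoofing check: the source must fall within a network the firewall
    has a route for (simplified here to a list of connected networks)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ROUTES)


def known_ips(binding: Binding, mac: str, leases: Dict[str, str]) -> Optional[Set[str]]:
    """IPs associated with a trusted MAC, or None when no IP association is set."""
    if binding == "dhcp":
        return {leases[mac]} if mac in leases else set()
    if isinstance(binding, frozenset):
        return set(binding)
    return None   # "none": the MAC is trusted but not tied to any IP


def check(pkt: Packet, cfg: SpoofConfig) -> Tuple[str, str]:
    """Return ("accept", "") or ("drop", reason), applying the modes enabled
    for the packet's zone in the order the text lists them."""
    mac = pkt.src_mac.lower()
    if pkt.zone in cfg.ip_spoofing and not on_routing_table(pkt.src_ip):
        return ("drop", "ip-spoofing: source not on routing table")
    trusted = mac in cfg.trusted_macs
    if pkt.zone in cfg.mac_filter and not trusted:
        return ("drop", "mac-filter: untrusted MAC")
    ips = known_ips(cfg.trusted_macs[mac], mac, cfg.leases) if trusted else None
    # Assumption: a trusted MAC with no IP association has no IP-MAC pair entry.
    if pkt.zone in cfg.ip_mac_pair and not (trusted and ips and pkt.src_ip in ips):
        return ("drop", "ip-mac-pair: no matching trusted pair")
    if cfg.restrict_unknown_ip_on_trusted_mac and trusted and ips is not None and pkt.src_ip not in ips:
        return ("drop", "unknown IP on trusted MAC")
    return ("accept", "")


CONFIG = SpoofConfig(
    ip_spoofing={"LAN", "DMZ"},
    mac_filter={"LAN"},
    ip_mac_pair={"DMZ"},
    restrict_unknown_ip_on_trusted_mac=True,
    trusted_macs={
        "00:11:22:33:44:55": frozenset({"10.0.0.10", "10.0.0.11"}),  # static, two IPs
        "00:11:22:33:44:66": "dhcp",
        "00:11:22:33:44:77": "none",
        "00:11:22:33:44:88": frozenset({"192.168.50.20"}),           # DMZ web server
    },
    leases={"00:11:22:33:44:66": "10.0.0.120"},
)

PACKETS = {
    "static-server-ok":       Packet("LAN", "10.0.0.10", "00:11:22:33:44:55"),
    "static-server-new-ip":   Packet("LAN", "10.0.0.99", "00:11:22:33:44:55"),
    "dhcp-host-ok":           Packet("LAN", "10.0.0.120", "00:11:22:33:44:66"),
    "admin-laptop-untrusted": Packet("LAN", "10.0.0.50", "aa:bb:cc:dd:ee:ff"),
    "trusted-no-binding":     Packet("LAN", "10.0.0.200", "00:11:22:33:44:77"),
    "dmz-forged-source":      Packet("DMZ", "172.16.9.9", "00:11:22:33:44:88"),
    "dmz-pair-ok":            Packet("DMZ", "192.168.50.20", "00:11:22:33:44:88"),
    "dmz-pair-mismatch":      Packet("DMZ", "192.168.50.21", "00:11:22:33:44:88"),
}


def simulate() -> Dict[str, str]:
    """Verdict ("accept"/"drop") for every constructed packet."""
    return {name: check(pkt, CONFIG)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:24} {check(pkt, CONFIG)}")
```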



Denial of Service (DoS) Protection

View dropped packet counters for each attack type

A denial of service (DoS) attack is a method that hackers use to prevent or deny legitimate users’
access to a service. DoS attacks are typically executed by sending many request packets to a
targeted server, which floods the server’s resources making the system unusable. Their goal is not
to steal the information, but to disable or deprive a device or network so that users no longer have
access to the network services/resources.

Every server can handle traffic only up to some maximum volume; beyond that it stops responding.
Attackers send a very high volume of redundant traffic so that the system cannot keep up with the
bad traffic and still serve legitimate requests. The best way to protect against a DoS attack is to
identify and drop that redundant traffic before it reaches the server.

Here we can see the configuration for a SYN flood attack. You can set the allowed packet rate per
minute for each source and destination, as well as a burst rate for each source and destination in
packets per second.

When the burst rate is crossed, Sophos Firewall considers it as an attack and provides DoS attack
protection by dropping all the excess packets from the source or destination. The firewall will
continue to drop the packets until the attack subsides. Because the device applies threshold values
per IP address, only traffic from the source or destination will be dropped. The rest of the network
traffic will continue to be processed as normal.

You can view the counters for dropped packets on the DoS attacks tab.

Please note that DoS protection is applied globally to all traffic passing through the Sophos
Firewall.
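The per-source and per-destination SYN-flood thresholds described above, as an added example in Python that is not part of the course or of Sophos Firewall. The limiter keeps a sliding window of timestamps per IP and enforces both a packets-per-minute limit and a burst limit per second, separately keyed by source and by destination, and records dropped packets per reason the way the DoS attacks tab counts them. Thresholds, addresses and the traffic are constructed. It also makes the caveat in ‘only traffic from the source or destination will be dropped’ concrete: the flooding host is throttled from its burst limit onward, but once the destination threshold for the attacked server is crossed, a legitimate client's SYN to that server is dropped as well, while its later SYNs after the flood subsides go through.

```python
# Added example, not Sophos code: a per-IP SYN-flood limiter with a
# packets-per-minute threshold and a burst-per-second threshold, applied per
# source and per destination, run over constructed traffic.
from collections import Counter, defaultdict, deque
from typing import Dict


class RateWindow:
    """Sliding-window counter. Every packet seen for a key is recorded, dropped
    ones included, so a flooding host stays throttled until it actually stops."""

    def __init__(self, per_minute: int, burst_per_second: int) -> None:
        self.per_minute = per_minute
        self.burst = burst_per_second
        self.seen = defaultdict(deque)   # key -> timestamps within the last minute

    def record_and_check(self, key: str, now: float) -> bool:
        """Record a packet at time `now`; return True if either threshold is exceeded."""
        dq = self.seen[key]
        while dq and dq[0] <= now - 60.0:
            dq.popleft()
        dq.append(now)
        in_last_second = 0
        for t in reversed(dq):
            if t <= now - 1.0:
                break
            in_last_second += 1
        return in_last_second > self.burst or len(dq) > self.per_minute


class SynFloodProtection:
    def __init__(self, src_per_minute: int, src_burst: int,
                 dst_per_minute: int, dst_burst: int) -> None:
        self.by_src = RateWindow(src_per_minute, src_burst)
        self.by_dst = RateWindow(dst_per_minute, dst_burst)
        self.admitted = Counter()   # source ip -> packets passed
        self.dropped = Counter()    # (reason, ip) -> packets dropped, like the DoS attacks tab

    def admit(self, src: str, dst: str, now: float) -> bool:
        src_over = self.by_src.record_and_check(src, now)
        dst_over = self.by_dst.record_and_check(dst, now)
        if src_over:
            self.dropped[("source", src)] += 1
            return False
        if dst_over:
            self.dropped[("destination", dst)] += 1
            return False
        self.admitted[src] += 1
        return True


def run_simulation() -> Dict[str, dict]:
    """Constructed traffic: one host floods a server with 300 SYNs in under a
    second while a legitimate client sends one SYN per second to the same server."""
    guard = SynFloodProtection(src_per_minute=600, src_burst=100,
                               dst_per_minute=3000, dst_burst=250)
    server, attacker, client = "10.0.0.5", "10.0.0.66", "10.0.0.10"
    events = [(i * 0.003, attacker) for i in range(300)]   # t = 0.000 .. 0.897 s
    events += [(0.95 + k, client) for k in range(10)]      # t = 0.95, 1.95, ... 9.95 s
    for now, src in sorted(events):
        guard.admit(src, server, now)
    return {"admitted": dict(guard.admitted), "dropped": dict(guard.dropped)}


if __name__ == "__main__":
    print(run_simulation())
```

With these thresholds the attacker gets its first 100 SYNs through and the remaining 200 are dropped under the per-source burst limit; the client's SYN at 0.95 s is the 301st packet to the server within one second, so it is dropped under the per-destination limit, and its nine later SYNs are admitted.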



Chapter Review

Intrusion prevention on Sophos Firewall comprises IPS policies, spoof protection, and
denial-of-service (DoS) protection

IPS policies are an ordered list of rules. Each rule contains one or more signatures, and
signatures can be automatically selected for the rule using filters. Each rule also has an
action

To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to
a firewall rule

Here are the three main things you learned in this chapter.

Intrusion prevention on Sophos Firewall comprises IPS policies, spoof protection, and denial-of-
service protection.

IPS policies are an ordered list of rules. Each rule contains one or more signatures, and signatures
can be automatically selected for the rule using filters. Each rule also has an action.

To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to a firewall
rule.



Enabling Advanced Threat Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Central
FW2525: Enabling Advanced Threat Protection on Sophos Firewall

April 2021
Version: 19.0v1


Enabling Advanced Threat Protection on Sophos Firewall - 1


Enabling Advanced Threat Protection on Sophos Firewall

In this chapter you will learn how to enable advanced threat protection and review details of
detections.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The role of Advanced Threat Protection (ATP) in the attack kill chain, blocking outgoing traffic to
command and control servers

DURATION

5 minutes

In this chapter you will learn how to enable advanced threat protection and review details of
detections.



Advanced Threat Protection (ATP) Overview

Detect compromised devices on your network

Block access to command-and-control servers

Uses data from all enabled services on Sophos Firewall

If you have a compromised device on your network the Advanced Threat Protection, or ATP, on the
Sophos Firewall can help to detect it when it tries to contact the Internet.

ATP is a global configuration that monitors traffic and data from all enabled services on the Sophos
Firewall, including DNS and web requests, to detect and block access to command-and-control
servers.



Configuring Advanced Threat Protection

Log and drop

Log only

Exclusions

ATP is configured through a simple policy in PROTECT > Advanced protection.

ATP is enabled using the toggle slider at the top of the page.

The policy itself is a choice between either only logging detections, or logging and dropping the
traffic.

ATP is applied globally, so if you need to exclude specific devices or networks this can be done
here. You can also choose to exclude specific threats; however, we recommend only doing this
under the guidance of Sophos support.



Configuring Advanced Threat Protection

At the bottom of the page is the ‘Advanced security settings’ section. Here you choose whether
ATP inspects only untrusted content, which is the default, or all content.

Inspect untrusted content inspects traffic from untrusted sources or traffic going to untrusted
destinations only. This option gives the best performance.
Inspect all content inspects all content to and from both trusted and untrusted sources and
destinations.

The performance difference between the two options is usually minimal, but in high-traffic
environments it can become significant.



Advanced Threat Protection Alerts

There is a widget for ATP alerts on the Sophos Firewall Control center, which you can click to get
additional information.



Advanced Threat Protection Alerts

After clicking the widget, you will see this page that shows the detections, including the IP address,
hostname, and threat. You can further click through from this screen to the ATP report.



Advanced Threat Protection Report

Control Center

You can access the ATP report in Reports > Network & threats. Here you can see where requests
came from and where they were going to, which users made the requests, and what action was
taken, log or log-and-drop.



Simulation: Enabling Advanced Threat Protection


In this simulation you will enable advanced threat protection, trigger a detection, and review
the resulting information.

[Additional Information]

https://training.sophos.com/fw/simulation/Atp/1/start.html



Chapter Review

Advanced threat protection, or ATP, uses data from all enabled services on Sophos
Firewall to detect compromised computers on the network connecting to command-
and-control servers

ATP can be configured to either log, or log and drop traffic to command-and-control
servers

ATP can be configured to either inspect only content coming from untrusted sources or
going to untrusted destinations, or to inspect all content

Here are the three main things you learned in this chapter.

Advanced threat protection, or ATP, uses data from all enabled services on Sophos Firewall to
detect compromised computers on the network connecting to command-and-control servers.

ATP can be configured to either log, or log and drop traffic to command-and-control servers.

ATP can be configured to either inspect only content coming from untrusted sources or going to
untrusted destinations, or to inspect all content.



Getting Started with Security Heartbeat on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW2535: Getting Started with Security Heartbeat on Sophos Firewall

April 2022
Version: 19.0v1


Getting Started with Security Heartbeat on Sophos Firewall - 1


Getting Started with Security Heartbeat on Sophos Firewall

In this chapter you will learn what Security Heartbeat is, and how to enable it to help protect your
network.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The role of Security Heartbeat in the attack kill chain, automatically isolating devices that have
been compromised

DURATION

10 minutes

In this chapter you will learn what Security Heartbeat is, and how to enable it to help protect your
network.



Security Heartbeat

Intelligent communication between Sophos Central managed endpoints and Sophos Firewall

Regular heartbeat sent to Sophos Firewall with current status

Notification sent to Sophos Firewall when events occur

Sophos Firewall can request additional information from endpoints about processes accessing the
network

Sophos Security Heartbeat provides intelligent communication between endpoints that are
managed in Sophos Central and the Sophos Firewall so that they can coordinate their response to
threats.

The computer sends a small regular heartbeat to the Sophos Firewall to identify itself and show
that it is still active and protected.

When an event occurs, such as a malware detection, information about the event is shared with
the Sophos Firewall.

The computer announces its health status to the Sophos Firewall, which can be either GREEN,
YELLOW or RED.

If the Sophos Firewall detects an advanced attack, it can request additional details from the
endpoint such as the process name.

The Sophos Firewall can use the heartbeat and health information from endpoints to control
access to hosts and networks.



Security Heartbeat Status

GREEN: No risk – no action is required
• Endpoint Agent is running
• No active or inactive malware
• No PUAs detected

YELLOW: Medium risk – action may be required
• Endpoint Agent is running
• Inactive malware detected or PUA detected
• Endpoint Agent is out of date

RED: High risk – action is required
• Endpoint Agent may not be running/devices may not be protected
• Active malware or malware not cleaned up, malicious network traffic (e.g., to a known
command and control network), or communication to a known bad host

Here you can see what each heartbeat status means.

If a computer has a GREEN status, this means that the Endpoint Agent is running (so the computer
is protected) and no active or inactive malware or PUAs, or potentially unwanted applications,
have been detected.

If the computer has a YELLOW status, the Endpoint Agent is running so the computer is still
protected, but inactive malware or a PUA has been detected. It can also indicate that the endpoint
agent is out of date

When a computer has a RED status, it can indicate that the Endpoint Agent may not be running, so
the computer may not be protected. Alternatively, it could mean that active malware has been
detected or malware that has not been cleaned up, malicious network traffic has been detected, or
communication to a known bad host.



How Security Heartbeat Works

[Diagram: Computer, Sophos Firewall and Sophos Central]

The computer must be managed by Sophos Central

The computer establishes a two-way communication channel with the Sophos Firewall

The Sophos Firewall registers with Sophos Central and gets a list of managed computers

Computers must be connected to the local network or to the Sophos Firewall via a VPN

Sophos Central brokers the trust between computers that it manages and Sophos Firewalls that are
registered with it. Sophos Central will provide the certificates required to the computers and
Sophos Firewall to be able to communicate.

The computer will initiate a connection to the Sophos Firewall, and if it is a computer that is
managed by the same Sophos Central account a two-way communication channel is established.

Please note that Security Heartbeat is only supported when computers are connected to the local
network, or to the Sophos Firewall via a VPN. Security Heartbeat is not supported in the WAN
zone.



How Security Heartbeat Works

[Diagram: Computers, a Laptop and Servers connected through the Sophos Firewall to the
Internet; the Computers and Servers are marked PROTECTED]

Let’s look at what would happen if malware is detected on a computer with Security Heartbeat.

When malware is detected on the computer, Security Heartbeat will send event information and its
new health status to the Sophos Firewall.

Sophos Firewall can then prevent the compromised computer from connecting to other computers
or servers, protecting them from possible infection.

Once the Sophos Endpoint Agent has cleaned up the malware; Security Heartbeat will send its
updated health status to the Sophos Firewall, and the firewall can allow it to access hosts and
networks as normal.

In this example Sophos Firewall can protect computers where the traffic must pass through the
firewall, but what about where computers are connected via a switch?



Lateral Movement Protection

Sophos Firewall shares the MAC address of computers with a red health status

[Diagram: Laptop A, Laptop B and Laptop C connected to the same Switch behind the Sophos
Firewall; Laptop A and Laptop C are marked PROTECTED]

Additional information in the notes

This is where lateral movement protection comes in.

Let’s consider the same scenario, but this time look at the computers that are connected to the
same section of network as the laptop that has detected malware. The computers on this section
of the network can communicate with each other without the traffic passing through the Sophos
Firewall.

In this scenario when the Sophos Firewall receives a red health status for laptop B it shares the
MAC address of laptop B with all of the endpoints it has a heartbeat with.

The computers can use the MAC address to drop traffic from the computer with the RED health
status. This is done by the Sophos Central software and has to be enabled in Sophos Central.

Currently, only Windows endpoints drop traffic from computers with a RED health status.

It is important to note that because this relies on the other computers being able to see the MAC
address of the computer with a RED health status, it would not work if we replaced the switch with
a router: a router forwards at layer 3 and rewrites the source MAC address with its own, so the
other computers never see the compromised computer's MAC address.

[Additional Information]
Lateral movement protection is enabled and configured in Sophos Central in Global Settings >
Reject Network Connections.



Red Health Status from Sophos Firewall detection

1. Sophos Firewall detects a call home or an IPS rule is triggered
2. Sophos Firewall sends a message to the endpoint to change its health status to red
3. The endpoint reports process information back to the Sophos Firewall

So far, we have only looked at the red health status being triggered by something being detected
on the endpoint, but the Sophos Firewall can also inform the endpoint when it has detected
something that requires the laptop to have a red health status. This can be either a call home to a
command-and-control server or because the endpoint has triggered an IPS rule.



Registering with Sophos Central
SYSTEM > Sophos Central

To start using Security Heartbeat the Sophos Firewall needs to be registered with the same Sophos
Central account that is used to manage the protection on the computers.

Registration is completed in SYSTEM > Sophos Central. You can either register the firewall using a
one-time password or the username and password of a Central admin.



Registering with Sophos Central

To create a one-time password in Sophos Central, navigate to the Firewall management section,
then MANAGE > Firewalls.

Click Add Firewall, then select join a firewall that is already configured. Enter the serial number of
your firewall and click Next. Click Copy OTP code and finish.

In Sophos Firewall, choose to register using a one-time password, then paste in the code and click
Register.



Configuring Security Heartbeat
Register Sophos Firewall with Sophos Central
PROTECT > Central synchronization

Once enabled you can optionally configure which zones you want to detect missing heartbeats for.
A missing heartbeat is a computer that has established a heartbeat in the past but is no longer
sending a heartbeat. This could indicate that the protection software has been disabled.



Security Heartbeat Status

In the Control center you can see how many devices have established a heartbeat with the firewall
and their current status.



Configuring Security Heartbeat

Select Security Heartbeat restrictions in firewall rules

• Source and destination-based rules
• Set the minimum health status
• Optionally require a heartbeat

With the Sophos Firewall registered with Sophos Central, endpoints will start to establish a
heartbeat. There will be a short delay before this happens while they download the required
certificates.

For the Sophos Firewall to start controlling network access based on a computer’s heartbeat status
you need to enable the restrictions in your firewall rules.

Restrictions can be configured for either the source, destination or both, and are configured to set
the minimum required health status; green, yellow or no restriction.

You can optionally require computers to have a heartbeat. Any device that is not running a Sophos
Central managed endpoint agent cannot meet this requirement, so it can be used to block unknown
devices on the network.

Please note that destination restrictions cannot be applied to computers in the WAN zone.
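The source and destination restrictions described above, evaluated against a table of endpoint health states, as an added example in Python that is not part of the course or of Sophos Firewall. The heartbeat table, addresses, zones and rule settings are constructed and the names are this example's own. One modelling assumption is stated in the code: a minimum health status only constrains hosts that actually report a heartbeat, and a host with no heartbeat is blocked only when a heartbeat is required. The ordering GREEN < YELLOW < RED is what makes ‘minimum YELLOW’ admit GREEN and YELLOW but never RED, and the WAN case shows the destination restriction being skipped for a WAN destination.

```python
# Added example, not Sophos code: how Security Heartbeat restrictions on a
# firewall rule decide a connection. The heartbeat table, addresses and rule
# settings are constructed; the names are this example's own.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Health(IntEnum):
    """Lower is healthier, so 'at least YELLOW' admits GREEN and YELLOW only."""
    GREEN = 0
    YELLOW = 1
    RED = 2


# Constructed heartbeat table: hosts the firewall currently has a heartbeat
# from. Anything missing here has no heartbeat (no agent, or agent stopped).
HEARTBEATS: Dict[str, Health] = {
    "10.0.0.10": Health.GREEN,    # healthy workstation
    "10.0.0.11": Health.YELLOW,   # PUA detected
    "10.0.0.12": Health.RED,      # active malware
    "10.0.0.20": Health.GREEN,    # file server
}


@dataclass
class HeartbeatRestrictions:
    src_min: Optional[Health] = None   # minimum source health, None = no restriction
    dst_min: Optional[Health] = None   # minimum destination health
    require_src: bool = False          # block sources that have no heartbeat
    require_dst: bool = False          # block destinations that have no heartbeat


def side_ok(ip: str, minimum: Optional[Health], require: bool) -> Tuple[bool, str]:
    """Assumption in this model: a minimum health applies only to hosts that
    report a heartbeat; a host with no heartbeat is blocked only when one is
    required."""
    health = HEARTBEATS.get(ip)
    if health is None:
        return (not require, "no heartbeat")
    if minimum is not None and health > minimum:
        return (False, f"{health.name} is below minimum {minimum.name}")
    return (True, "ok")


def evaluate(rule: HeartbeatRestrictions, src_ip: str, dst_ip: str,
             dst_zone: str = "LAN") -> Tuple[str, str]:
    """Return ("allow"/"drop", reason) for one connection under the rule."""
    ok, why = side_ok(src_ip, rule.src_min, rule.require_src)
    if not ok:
        return ("drop", "source: " + why)
    # Destination restrictions cannot be applied to hosts in the WAN zone.
    if dst_zone != "WAN":
        ok, why = side_ok(dst_ip, rule.dst_min, rule.require_dst)
        if not ok:
            return ("drop", "destination: " + why)
    return ("allow", "ok")


def scenarios() -> Dict[str, str]:
    strict = HeartbeatRestrictions(src_min=Health.YELLOW, dst_min=Health.GREEN, require_src=True)
    no_restrictions = HeartbeatRestrictions()
    return {
        "green-to-server":          evaluate(strict, "10.0.0.10", "10.0.0.20")[0],
        "yellow-to-server":         evaluate(strict, "10.0.0.11", "10.0.0.20")[0],
        "red-to-server":            evaluate(strict, "10.0.0.12", "10.0.0.20")[0],
        "green-to-yellow-host":     evaluate(strict, "10.0.0.10", "10.0.0.11")[0],
        "no-heartbeat-source":      evaluate(strict, "10.0.0.99", "10.0.0.20")[0],
        "green-to-no-heartbeat":    evaluate(strict, "10.0.0.10", "10.0.0.98")[0],
        "green-to-wan":             evaluate(strict, "10.0.0.10", "203.0.113.7", "WAN")[0],
        "red-with-no-restrictions": evaluate(no_restrictions, "10.0.0.12", "10.0.0.20")[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} {verdict}")
```

Setting `require_dst=True` on the strict rule would turn the `green-to-no-heartbeat` case into a drop, which is the ‘block unknown devices’ use described above applied to the destination side.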



Simulation: Getting Started with Security Heartbeat


In this simulation you will register Sophos Firewall with Sophos Central and enable Security
Heartbeat in a firewall rule. You will trigger a RED health status and confirm the device is blocked.

[Additional Information]

https://training.sophos.com/fw/simulation/Heartbeat/1/start.html



Chapter Review

The Security Heartbeat is established between the Sophos Central managed endpoints
and the firewall. Sophos Central brokers trust between the endpoints and firewall so
they must be registered to the same Sophos Central account

Traffic from endpoints with a RED health status can be blocked if it is passing through
the firewall. To prevent lateral movement, the firewall will share the MAC addresses of
devices with a RED health status with all other devices it has a heartbeat with

Security Heartbeat must be configured in firewall rules to set a minimum health status
for source and destination. Optionally, you can select to require a heartbeat

Here are the three main things you learned in this chapter.

The Security Heartbeat is established between the Sophos Central managed endpoints and the
firewall. Sophos Central brokers trust between the endpoints and firewall so they must be
registered to the same Sophos Central account.

Sophos Firewall can block traffic from endpoints with a RED health status if it is passing through
the firewall. To prevent lateral movement the firewall will share the MAC addresses of devices with
a RED health status with all other endpoints that it has a heartbeat with so they can drop the
traffic.

Security Heartbeat must be configured in firewall rules to set a minimum health status for source
and destination. Optionally, you can select to require a heartbeat.


