I had a question about Sophos Heartbeat issue. I am attaching the network diagram. In short, there is a central firewall (XG) and all the branch firewalls (XG) are connected via MPLS as a WAN ( they get their internet from the central firewall ) . All branches and the central firewall all have endpoints which are installed with the CIXA ( only one central account for all the firewalls and branches ). We have synchronized each of the branch firewalls with the single central account. My question is, is it possible to see ALL the branch endpoints to send their heartbeat status to the central firewall ONLY. We dont mind de-registering the branch office firewalls for synchronized security. Is this possible ?
Having run a setup similar to this i can say yes it does work, be aware you will need to turn off the heartbeat on the branch XG's so it gets passed through, this IMHO defeats the point of the heartbeat and so a revised setup with the heartbeat going to the branch XG's and then having a VLAN for WAN traffic and VLAN for site to site routed traffic between the XG's . This allows for the branch sites to be able to keep heartbeat and also allow for local isolation using the heartbeat, allows for isolation on the any machines on the actual site. bit more config to do but it works and spreads the load for Heartbeat, authentication, web proxy etc
Heartbeat will be establish between the Client and the first XG, which answers the HB IP.
Endpoints and XG Firewall communicate through an encrypted TLS connection over the IP address 126.96.36.199 on port 8347.
So if you route this traffic properly, the correct XG will answer.
XG will intercept this traffic.
Same for VPN Technologies like SSLVPN/ IPsec.
There are couple of feature request to have multiple XGs connected to one Endpoint at the same time, but it is not easy to implement.
Couldnt get this info out of support when we first tried using the heartbeat so had to switch it off on the branch XG's initially, but if you passing through the heartbeat to another XG it kind of defeats the point of it IMHO as you want to stop the traffic at the earliest point which would be the branch XG's
Hello Jim and Lucar,
I seemed to have got the scenario wrong.
The actual scenario is that there are NO Sophos XG firewalls in the branch office. Instead there are Fortigate Firewalls and there is a MPLS connection ( Used as a WAN) between Fortigate and one Centrally located Sophos Firewall ( Which has the central registration )
So now in this scenario will heartbeat connectivity be seen in the Centrally located Firewall ?
This should work fine.
But the fortigate should not NAT anything. (SNAT / Masq for example).
That is important.
And WAN will not work as a destination for Heartbeat. The MPLS should be another zone.
You used WAN because you want to use the Fortigate as a default gateway?
Or just because you consider a MPLS as a WAN Zone? Because from my point of view, a MPLS is more likely a DMZ / own zone, not WAN.
Do not forget, sometimes / most likely, the MPLS is not encrypted at all. So it would be necessary to actually put a IPsec or something like that over the MPLS.
Some off topic reading: https://networkengineering.stackexchange.com/questions/3766/mpls-vs-encrypted-vpns-traffic-security
Hi Lucas, the MPLS port on Sophos Central Firewall is configured as a MPLS ( LAN ) and on the other end fortigate firewall it is a WAN port. So for the branch, internet is the MPLS link.
On Sophos firewall there will be a rule ( MPLS - WAN )