Is it possible to trigger Endpoint Heartbeat Signal?

Hi together,

to use Intercept X with heartbeat firewall policies successfully, we have to be able to ensure that once a network device with endpoint protection connects to the network, the first thing that happens is that the endpoint protection client sends a heartbeat signal, so that the firewall is aware of the device's green status and the firewall policies that allow traffic start matching.

In the following thread I am already discussing such a dependency with regard to SSL-VPN connections, where it clearly leads to issues that the heartbeat signal sometimes takes minutes to be sent.

https://community.sophos.com/intercept-x-endpoint/f/discussions/123115/sophos-ssl-vpn-and-heartbeat---it-takes-some-time-to-connect

So the simple question is: How can I trigger such a heartbeat signal manually? We need to find something like a scripted solution that fires upon any network change on the devices. Maybe ideas from this post will help us: https://serverfault.com/questions/26056/how-can-i-run-a-script-when-my-network-connection-changes

I would indeed expect that Endpoint Protection does this on its very own with Intercept X in mind, but as you can see in the other thread, it does not, or at least too late.

If triggering reliable heartbeats on any network change is not possible, it pretty much renders the whole heartbeat/Intercept X concept unusable imho, because it will result in very unpredictable networking issues when our 3000 devices randomly need to wait a few minutes to get access to the company network. Starting with missing network drives, continuing with messed-up database connections of applications that are executed before a heartbeat was sent (unlucky user), and leading to an incident hell that no one wants to introduce in their network.

How is this system considered to be used in general? Anyone with a successful implementation out there? Would love to have a fruitful conversation around this topic.

Kind regards,

David



add link for scripts on network change
[edited by: DuS at 11:36 AM (GMT -7) on 29 Sep 2020]
  • Actually the client should consider a network change as a new network and send data to the XG with the changes. As it is essential to work with roaming devices (wireless / docking station), there should be a heartbeat after roaming.

    You should be able to see this on a client by looking at the heartbeat logs.

    Your SSL VPN issue could actually be generated by a problem within the network topology of Windows. The network interface of OpenVPN could actually be causing trouble.

    As the network changes, Windows could send the heartbeat not to the XG but into the tunnel, leading to a missing heartbeat and causing issues.

    Did you check Sophos Connect 2.0 and how it interacts with this?


  • Hi Lucar Toni,

    thanks for the hint with Sophos Connect 2.0, I was not aware of it. When I have some spare time, I will do some testing. 2FA is a nice thing for SSL-VPN.

    BTT: 

    As the network changes, windows could send the heartbeat not to XG, instead into the tunnel, leading to a missing heartbeat and causing issues. 

    As far as I know it is essential, to get Heartbeat to work with split tunnel, to send the heartbeat explicitly through the tunnel as mentioned in this guide:

    https://support.sophos.com/support/s/article/KB-000038254?language=en_US#Split-tunnel-configuration

    In the meantime, I found a way to trigger the endpoint update process with a script starting SophosUpdate.exe with -ManualUpdate.

    @ECHO OFF
    TITLE Sophos SSL-VPN Connect Script
    REM Run the AutoUpdate client once in the foreground (no GUI) and wait for it to finish.
    REM /D sets the working directory; -RootPath points it at its own installation folder.
    START "" /D "C:\Program Files (x86)\Sophos\AutoUpdate\" /WAIT /B SophosUpdate.exe -ManualUpdate -NoGUI -RootPath "C:\Program Files (x86)\Sophos\AutoUpdate"
    REM Refresh Group Policy now that the tunnel is up.
    gpupdate /force

    The script is executed from Task Scheduler when NetworkProfile Event ID 10000 is fired, which is exactly the moment when SSL-VPN connects (and also when any other network interface connects). I am not 100% sure if this fixes all my issues, but it is worth some additional testing.

    A short test with openvpn _up.bat script failed pretty hard.

    Also, the heartbeat log of my client is pretty messy for some reason.

    a 2020-09-29T14:32:22.056Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:22.058Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:23.142Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:23.142Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:23.144Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:24.240Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:24.240Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:24.242Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:26.075Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:26.075Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:26.077Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:27.150Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:27.151Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:27.154Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:28.245Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:28.245Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:28.250Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:30.818Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:30.818Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:30.821Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:31.884Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:31.885Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:31.887Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:32.961Z [4712:12592] - Connection succeeded.
    a 2020-09-29T14:32:32.961Z [4712:12592] - Connected to '64b4d29d-c000-4894-81f6-c4eddb4a92d1' at IP address 52.5.76.173 on port 8347
    a 2020-09-29T14:32:32.963Z [4712:12592] - Connection closed (network error).
    a 2020-09-29T14:32:35.203Z [4712:12592] - Connection succeeded.

    Maybe I still have to open another regular ticket.

    Can you confirm, that such a call of SophosUpdate.exe will reliably trigger Heartbeats?
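As an added example (not from the thread or from Sophos), this is how the Task Scheduler part of the workaround above can be set up from PowerShell: a task that runs the posted batch file whenever Windows logs NetworkProfile Event ID 10000 ("Network Connected"), plus a check that the event actually occurs on the machine. The task name and the path to the batch file are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: register an event-triggered task for the heartbeat/update kick.
$TaskName   = 'Sophos-HeartbeatKick'                   # assumed task name
$ScriptPath = 'C:\Scripts\sophos-heartbeat-kick.bat'   # assumed path to the batch file from the post

# The ScheduledTasks module has no cmdlet for event triggers, so build the
# MSFT_TaskEventTrigger CIM instance by hand with an event-log XPath subscription.
$subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]
    </Select>
  </Query>
</QueryList>
"@
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' -ClassName 'MSFT_TaskEventTrigger'
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled      = $true
$trigger.Delay        = 'PT10S'   # give the new interface a moment to get routes and DNS first

# Run the batch file as SYSTEM: no logged-on user required, and elevated for gpupdate.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Event 10000 is logged once per connecting interface (VPN adapter, Wi-Fi, docking
# station), so a burst of events must not stack several SophosUpdate.exe runs.
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
               -ExecutionTimeLimit (New-TimeSpan -Minutes 5) `
               -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Check: list the most recent "Network Connected" events so you can confirm the
# trigger condition fires when the VPN (or any other adapter) comes up.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NetworkProfile/Operational'; Id = 10000 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

After a VPN connect, Task Scheduler's history for the task (and the AutoUpdate log) shows whether the kick ran within the expected delay.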