Good morning all, I am beginning to have a serious issue with our PCs since moving over to Sophos Intercept X Advanced. PCs are stopping sending their heartbeat: Sophos Central shows the PC as no longer sending a heartbeat, and I believe what happens is the system goes into a protected mode, preventing the PC from having any network access, actually preventing it from having an IP, so my network icon immediately changes from connected to no connection. Most of the time the PCs bounce back and resume sending the heartbeat without any intervention on my part.
However, some are not bouncing back and are left in this disconnected state until I manually assign an IP address to get the heartbeat back; then I can simply reset the network card back to DHCP. This is beginning to be a serious issue, as yesterday this happened to 3 PCs, and today I just got back from our other plant because of the same issue on another PC.
Have any users experienced something similar? Intercept X is managed through Sophos Central, and we also have a Sophos XG firewall that ties everything together. I have reached out to Sophos support, but in the meantime, if anyone has some suggestions on things to possibly look at, please let me know. I'm at a loss as to why this is happening; if it's a bug, I'm not sure.
Think of it this way:
SFOS will protect from infections spreading between network segments that have to traverse it to talk to each other.
Isolation protects from infections spreading inside a network…
Oh, I should also add before someone asks: when Sophos Central reports the device as no longer sending a heartbeat, I do acknowledge the event to allow the PC status to go back to green, because my firewall rule does have Security Heartbeat enabled, so the PC must have at least an amber status or greater to maintain its network connection.
Heartbeat can periodically not be sent when services are starting up/recycling or during any other network interruption. Also, at reboot, the services don't start in a set order, so the network elements could start up before Health does, and therefore there is no Heartbeat to send. In general, the endpoint itself isn't stopping the traffic; it is the firewall that is dropping the traffic. Is this traffic bound for an external resource or an internal one?
Program Manager, Support Readiness | CISSP | Sophos Technical Support
Thank you for the reply. All traffic is blocked; the PC no longer has a network connection, period: it can't be pinged, restarting the device does nothing, it stays in a completely blocked state. Only when I manually assign another IP address does the PC become pingable again. Once it notices the heartbeat, all traffic is resumed. These PCs have been on this firewall for 4 years with another anti-virus product, with zero issues. Only since moving the PCs to Intercept X, allowing the PC to basically self-quarantine itself in the policies, and changing the heartbeat requirements on the main firewall rule has this become an issue, so it is definitely since making these changes. Had another PC today whose heartbeat stopped sending on Friday at 5:30pm; I had to go over to the plant with the PC today, manually assign its IP, allow the heartbeat to resume, and put it back on DHCP to get it communicating on the network again. It does not bounce back on its own.
Okay, that isn't Heartbeat. Do you have Device Isolation turned on in your Endpoint policy?
Unless your DHCP server is beyond the firewall from the machine. What is the network topography?
Thank you RichardP, I do have Device Isolation turned on under the Threat Protection Policy on the Endpoint.
Our topography would be considered the standard star topography. The firewall, DHCP server and PCs all communicate amongst themselves.
I have turned off Device Isolation to monitor over the next few days. I assumed it was necessary to have this enabled in case a PC was compromised, to prevent any lateral movement through the network.
Try turning that off and see if the issue goes away; if it does, then you might want to consider a re-evaluation of that policy. In essence, it is meant for high-priority machines/network segments, and when you turn it on you are saying you accept the risk of interruption to service because you are more concerned about lateral movement of a compromise to high-priority systems.
Thank you RichardP, I really appreciate your input. I will see how it goes until midweek, because I normally would see the condition on at least a couple of PCs between then and now.
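The thread's triage was done by hand (look at the network icon, ping, assign a static IP, put the NIC back on DHCP). The script below is an added example, not something posted in the thread and not a Sophos tool; it gathers the endpoint-side facts the replies turn on (is there a DHCP lease or only an APIPA address, is the gateway reachable, are the endpoint agent services still starting) so a machine reported as "no heartbeat" can be classified before someone drives to the plant. Assumptions: the Sophos services are matched only by the display-name wildcard `Sophos*` (exact service names are not taken from the page), the DHCP client event provider name is the standard Windows one, and the verdict strings are heuristics written here, not Sophos diagnostics. The `-Renew` switch does a plain DHCP release/renew, which is a lighter-weight version of the static-then-DHCP workaround described above.

```powershell
<#
Heartbeat/isolation triage for a Windows endpoint (added example, not from the thread).
Run as Administrator. Read-only unless -Renew is given.
#>
[CmdletBinding()]
param(
    [switch]$Renew   # release/renew DHCP if no lease is held (stand-in for the manual static-IP trick)
)

$report = [ordered]@{}

# 1. IPv4 addresses and their origin. PrefixOrigin 'Dhcp' means a lease is held;
#    a lone 169.254.x.x with PrefixOrigin 'WellKnown' is the APIPA fallback, i.e. the
#    DHCP exchange itself never completed (consistent with the firewall dropping it).
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
$report.Addresses = $addrs | Select-Object InterfaceAlias, IPAddress, PrefixOrigin, AddressState
$report.NoLease   = -not ($addrs | Where-Object { $_.PrefixOrigin -in 'Dhcp', 'Manual' })

# 2. Default gateway reachability. In the star topology described in the thread the
#    gateway is the firewall, so a silent gateway means traffic is being dropped upstream.
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
       Sort-Object RouteMetric | Select-Object -First 1).NextHop
$report.Gateway          = $gw
$report.GatewayReachable = if ($gw) { Test-Connection -ComputerName $gw -Count 2 -Quiet } else { $false }

# 3. Endpoint agent services. A service still in StartPending explains a transient missing
#    heartbeat after reboot; a Stopped one needs attention. Wildcard match is an assumption.
$report.SophosServices = Get-Service -DisplayName 'Sophos*' -ErrorAction SilentlyContinue |
                         Select-Object DisplayName, Status, StartType

# 4. Recent DHCP client events from the System log (lease failures, APIPA assignment).
$report.DhcpEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Dhcp-Client'
        StartTime    = (Get-Date).AddHours(-24)
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Heuristic verdict (written for this example, not a Sophos status).
if ($report.NoLease) {
    $report.Verdict = 'No DHCP lease (APIPA or no address): the DHCP exchange is failing. ' +
                      'If the firewall enforces a heartbeat on this rule, this is the expected shape of a dropped host.'
} elseif (-not $report.GatewayReachable) {
    $report.Verdict = 'Lease held but gateway unreachable: check the firewall heartbeat rule and its drop logs, not the NIC.'
} else {
    $report.Verdict = 'Endpoint networking looks normal: compare against the heartbeat status shown in Sophos Central.'
}

$report

if ($Renew -and $report.NoLease) {
    # Only attempted when no lease is held; a renew will still fail while the firewall drops DHCP.
    ipconfig /release | Out-Null
    ipconfig /renew
}
```

Run it first on a machine that is in the stuck state and again on a healthy one; the useful comparison is `NoLease` together with `GatewayReachable`. A host that has a lease but cannot reach the gateway points at the firewall rule RichardP describes, whereas a host with only an APIPA address and a healthy gateway path points at DHCP itself, which the `-Renew` switch exercises without touching the static-IP settings.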