
Devices on Red Health

Hi,

I'm looking to turn on the policy "isolate devices on red health", but I just want a better understanding of troubleshooting options before I do so.

For instance, I have one device currently on red health as a service is missing.

I've found the below steps to follow; however, I am geographically separated from the device.

So, if the device is isolated, I cannot remote to it, and I can't exactly call a user and give them admin passwords to do this stuff.

What are my options for this kind of incident, and what best practices do fellow technicians follow in cases like this?

Appreciate any answers, thanks



This thread was automatically locked due to age.
  • FormerMember
    +1 FormerMember

    Hi,

    There are exclusions that you can put into the isolation to allow specific ports and IPs in or out. 

    In your case, you would create an exclusion that allows your admin IP in on whatever port you are connecting to on the client (RDP or SSH). This means that the isolation would not cut off your remote access to the target.

  • Are they ever going to have it so that a secure channel is still maintained through Sophos Central? I have had similar issues since our company moved to Intercept X back in May and have an ongoing ticket with Sophos trying to figure out why our PCs randomly lose their ability to be assigned an IP through DHCP. Unlike Mitchel, who is offsite, my solution has been to manually go onto the PC and statically assign an IP to allow communication to flow; once it flows I can then move the PC back to DHCP. I am pretty sure the software does state that machines with red health still maintain their connection to SC, but this is not the case if the device does not have an IP address, so manual intervention has been necessary.

  • FormerMember
    0 FormerMember in reply to SophosNewby

    In Isolation, all network traffic in and out is blocked. So, to confirm, this issue should only happen if the DHCP lease expires during the isolation. If you want to allow the isolated endpoint to negotiate a new lease, you would need to add an isolation exclusion for the DHCP server on the applicable ports (67 / 68).

  • Yes, and that makes sense; however, Sophos explicitly states, and I quote, "You can still manage the computer from Sophos Central when it is isolated." This, however, is not the case. If it were, then remediation could occur through Sophos Central, so remote devices and local devices would all be hands-off to bring back to a healthy state. Am I misunderstanding the documentation?

  • In my case the only resolution we have come up with to avoid the issue is that I have had to set "Security Heartbeat" to No Restriction to overcome the problem. Our PCs were randomly going into Red Health for no apparent reason; there were no detectable problems, but the PC would freeze its DHCP negotiation, sending a red health status back to SC. Setting the firewall rule's Security Heartbeat to No Restriction has solved this issue, and when a real anomaly is detected on the PC it still self-isolates.

  • FormerMember
    0 FormerMember in reply to SophosNewby

    This sounds like you are using an SFOS as well.

    Do you have one of our firewalls?

  • FormerMember
    0 FormerMember in reply to SophosNewby

    Okay, there is a difference between the Endpoint Isolation feature and the Health Requirement in the firewall rules.

    On the endpoint, Isolation will block all traffic except to defined exclusions and to Sophos Central at the endpoint when in RED health.

    On the firewall, if you set a rule to block traffic when an endpoint is in RED health or has NO heartbeat, all traffic from that endpoint is dropped. So if the DHCP server is in a different network segment and the endpoint has to transit the SFOS to get there, and the endpoint then goes RED, all traffic will be blocked. This is because the SFOS is a perimeter device and you don't want compromised endpoints exfiltrating data or contacting remote CnC servers.

    You should have a separate higher rule in the SFOS that allows all traffic to the DHCP servers regardless of endpoint health.

  • Thank you, I've not heard of that separate higher rule for DHCP, interesting.
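The two mechanisms discussed in this thread (the host-side isolation exclusion list for the admin IP and DHCP ports, and the SFOS rule order that puts a DHCP rule above a heartbeat-restricted rule) can be checked with a small first-match policy model before the "isolate devices on red health" policy is switched on. The following is an added example, not Sophos Central or SFOS code and not written by any of the posters; addresses, rule names, the Sophos Central range, and the assumption that a heartbeat-restricted rule drops a non-compliant endpoint's packet rather than falling through to the next rule are all assumptions labelled in the comments.

```python
"""Constructed model of first-match firewall rules with an endpoint-health
requirement (SFOS side) and of an endpoint isolation exclusion list (host side).
Example code only; the addresses and rule names below are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List, Tuple

# Security Heartbeat health. NONE models an endpoint sending no heartbeat at all.
HEALTH_RANK = {"GREEN": 2, "YELLOW": 1, "RED": 0, "NONE": -1}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None          # None = any protocol
    dports: frozenset = frozenset()      # empty = any destination port
    min_health: Optional[str] = None     # e.g. "YELLOW": GREEN or YELLOW endpoints pass


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Address/protocol/port match only; health is handled in evaluate()."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, health: str) -> Tuple[str, str]:
    """First matching rule wins; no match means the implicit default drop.

    Modelling assumption, consistent with the thread: a rule carrying a
    minimum-health requirement still consumes a matching packet from an
    endpoint below that health and drops it, rather than falling through.
    Returns (action, reason)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.min_health is not None and HEALTH_RANK[health] < HEALTH_RANK[rule.min_health]:
            return "drop", f"{rule.name} (health {health} below {rule.min_health})"
        return rule.action, rule.name
    return "drop", "default"


# --- SFOS side: assumed addresses; the DHCP server sits across the firewall.
DHCP_SERVER = "10.0.0.5"
FILE_SERVER = "10.0.0.20"
ENDPOINT = "10.1.0.23"
ADMIN_HOST = "10.0.0.10"

lan_rule = Rule("lan-to-servers", "allow", src="10.1.0.0/24", dst="10.0.0.0/24",
                min_health="YELLOW")                       # heartbeat-restricted rule
dhcp_rule = Rule("dhcp-any-health", "allow", dst=DHCP_SERVER, proto="udp",
                 dports=frozenset({67, 68}))               # no health requirement

# DHCP lease renewal is unicast to the server, so it transits the SFOS.
renewal = Packet(ENDPOINT, DHCP_SERVER, "udp", 67)
smb = Packet(ENDPOINT, FILE_SERVER, "tcp", 445)

shadowed_order = [lan_rule, dhcp_rule]   # DHCP rule below the restricted rule: never reached when RED
fixed_order = [dhcp_rule, lan_rule]      # the "separate higher rule" from the thread


# --- Host side: endpoint isolation with exclusions. Sophos Central reachability is
# modelled here as an exclusion to a placeholder range (assumption, TEST-NET-3).
SOPHOS_CENTRAL = "203.0.113.0/24"
isolation_exclusions = [
    Rule("central-mgmt", "allow", src=ENDPOINT, dst=SOPHOS_CENTRAL, proto="tcp", dports=frozenset({443})),
    Rule("admin-rdp-ssh", "allow", src=ADMIN_HOST, dst=ENDPOINT, proto="tcp", dports=frozenset({3389, 22})),
    Rule("dhcp-renew", "allow", src=ENDPOINT, dst=DHCP_SERVER, proto="udp", dports=frozenset({67, 68})),
]


def isolation_decision(exclusions: List[Rule], pkt: Packet, host_health: str) -> Tuple[str, str]:
    """Isolation only engages in RED health; then only exclusions pass, all else drops."""
    if host_health != "RED":
        return "allow", "not isolated"
    return evaluate(exclusions, pkt, host_health)


if __name__ == "__main__":
    for label, order in (("shadowed", shadowed_order), ("fixed", fixed_order)):
        print(label, "RED renewal:", evaluate(order, renewal, "RED"))
        print(label, "RED smb:    ", evaluate(order, smb, "RED"))
    print("isolated RDP from admin:", isolation_decision(isolation_exclusions,
                                                        Packet(ADMIN_HOST, ENDPOINT, "tcp", 3389), "RED"))
```

Run it before enabling the policy: if the renewal packet drops under your intended rule order, the DHCP rule is shadowed by the heartbeat-restricted rule and needs to move above it; if the admin RDP/SSH packet drops in the isolation model, the exclusion for your admin IP and port is missing.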