
Endpoints not showing "Security Heartbeat Firewall" under summary

Have been working with support on this issue, and they cannot seem to find the issue.

We have seemingly random endpoints that do not have heartbeats with our firewall. This is causing odd traffic blocks on the affected endpoints due to the Network Threat Protection service. 

For example, all endpoints that do not show a "Security Heartbeat Firewall" under summary in Sophos Central cannot download any files from Adobe. 

The affected endpoints do not show up as "missing" in the firewall. The affected endpoints are not consuming licenses, either. For example, the firewall lists 265 endpoints with heartbeats, our license shows 270 endpoint licenses used, while our Sophos Central has over 400 devices.

I have been unable to find any differences in an endpoint with a heartbeat and one without. They have the same policies, etc. The only thing I know for sure is to check an individual device and look for "Security Heartbeat Firewall", if that's missing then I know it's affected.

Thank you for any recommendations. 

Edit: I should add that these are Windows endpoints experiencing problems, and we are using Intercept X Advanced with XDR.

Edit 2: I tried removing endpoint from a PC, leaving the domain, and deleting it from AD/Sophos Central. It still did not resolve my issue. I then reloaded the entire PC from scratch, and now I am getting a heartbeat. What can cause this? I don't want to reload every PC (around 100) with issues!



  • Things I have tried:

    - Reinstalling endpoint

    - Completely changing networks

    - Disabling "Sophos Network Threat Protection" service in Windows (this allows the blocked traffic)

    - Updating firewall

  • Hi Jo,

    Thanks for reaching out to the Sophos Community Forum.

    Do you know if the endpoint devices can ping the IP address 52.5.76.173? This is the IP address that both the Endpoint and Firewall will reach out to, to communicate heartbeat information to Sophos Central.

    I'd suggest checking the Heartbeat.log at "C:\ProgramData\Sophos\Heartbeat\Logs" as well to see if there are any errors generated on the endpoint. Feel free to send me a PM with the logfile if you'd like some assistance in looking into it.

    Heartbeat logs can be obtained from the firewall by using the commands in the following article. 
    - Sophos Firewall: Extract files from the firewall

    Checking what is shown in the Sophos Firewall heartbeat logs at the time the endpoints try checking in may help. The files in question are listed under "Heartbeat" in the following article.
    - Log file details

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Below is the solution from Sophos Support that works:

    1. Download the files: https://download.sophos.com/tools/WINEP-36891.zip
    2. Turn off Tamper Protection
    3. Extract the files from the .zip
    4. Open an Administrative mode command prompt
    5. Run: sc stop sntpservice
    6. Run: sc stop sntp
    7. rename c:\windows\system32\drivers\sntp.sys_old
    8. Copy sntp.sys (extracted) to c:\windows\system32\drivers
    9. Run: move "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNetFilter.exe" "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNetFilter.exe.original"
    10. Copy SophosNetFilter.exe (extracted) to C:\program files\sophos\sophos network threat protection\
    11. Run: move "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe.original"
    12. Copy SophosNtpService.exe (extracted) to C:\program files\sophos\sophos network threat protection
    13. Run: sc start sntpservice
    14. Open Regedit (Registry Editor)
    15. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentSet001\Services\Sophos Endpoint Defense\EndpointFlags
    16. Add a new DWORD called “modernweb.offloading.enabled” and set the value to 1.

  • This update will also be included in the 2022.3 release of Sophos Core Agent. The release is expected to begin rollout in the next couple of weeks, though this is subject to change without notice.

    If you find that a significant number of devices are affected in your environment, I'd suggest inquiring if your site can be moved to one of the earlier release groups.

    Kushal Lakhan
    Team Lead, Global Community Support
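
The per-endpoint checks suggested in the replies above (reachability of 52.5.76.173, errors in Heartbeat.log, state of the Network Threat Protection components) can be gathered in one read-only pass. This is an added example, not part of the thread or a Sophos tool; the `Heartbeat.log` file name inside the quoted folder and the keyword pattern are assumptions, and the service names `sntpservice` and `sntp` are taken from the `sc stop` steps in the thread.

```powershell
# Added example: read-only triage of one Windows endpoint. It changes nothing on the host.
$HeartbeatIp = '52.5.76.173'                            # IP quoted in the thread
$LogDir      = 'C:\ProgramData\Sophos\Heartbeat\Logs'   # log folder quoted in the thread
$LogFile     = Join-Path $LogDir 'Heartbeat.log'        # assumption: file name inside that folder
$Pattern     = 'error|fail|refused|timed out'           # assumption: keywords, not a documented log format

# ICMP reachability, as asked in the support reply.
$pingOk = Test-Connection -ComputerName $HeartbeatIp -Count 2 -Quiet

# Win32_BaseService returns both services and kernel drivers,
# so it covers sntpservice and the sntp driver in one query.
$components = Get-CimInstance -ClassName Win32_BaseService `
        -Filter "Name='sntpservice' OR Name='sntp'" |
    ForEach-Object { '{0}={1}' -f $_.Name, $_.State }

# Last write time shows whether the heartbeat client is logging at all;
# the matching lines are candidates for review, not a verdict.
$lastWrite = $null
$hits      = @()
if (Test-Path -LiteralPath $LogFile) {
    $lastWrite = (Get-Item -LiteralPath $LogFile).LastWriteTime
    $hits = @(Select-String -LiteralPath $LogFile -Pattern $Pattern |
        Select-Object -Last 10 |
        ForEach-Object { $_.Line.Trim() })
}

# One object per endpoint so results from many machines can be compared side by side.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    HeartbeatIpPing  = $pingOk
    NtpComponents    = $components -join '; '
    LogPresent       = [bool]$lastWrite
    LogLastWrite     = $lastWrite
    SuspectLineCount = $hits.Count
    SuspectLines     = $hits -join ' | '
}
```

Running it on one endpoint that shows "Security Heartbeat Firewall" and one that does not gives a direct comparison of the three signals; the output object can be piped to `Export-Csv` when collecting from many machines.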