Have been working with support on this issue, and they cannot seem to find the issue.
We have seemingly random endpoints that do not have heartbeats with our firewall. This is causing odd traffic blocks on the affected endpoints due to the Network Threat Protection service.
For example, all endpoints that do not show a "Security Heartbeat Firewall" under summary in Sophos Central cannot download any files from Adobe.
The affected endpoints do not show up as "missing" in the firewall. The affected endpoints are not consuming licenses, either. For example, the firewall lists 265 endpoints with heartbeats, our license shows 270 endpoint licenses used, while our Sophos Central has over 400 devices.
I have been unable to find any differences in an endpoint with a heartbeat and one without. They have the same policies, etc. The only thing I know for sure is to check an individual device and look for "Security Heartbeat Firewall"; if that's missing, then I know it's affected.
Thank you for any recommendations.
Edit: I should add that these are Windows endpoints experiencing problems, and we are using Intercept X Advanced with XDR.
Edit 2: I tried removing endpoint from a PC, leaving the domain, and deleting it from AD/Sophos Central. It still did not resolve my issue. I then reloaded the entire PC from scratch, and now I am getting a heartbeat. What can cause this? I don't want to reload every PC (around 100) with issues!
Things I have tried:
- Reinstalling endpoint
- Completely changing networks
- Disabling "Sophos Network Threat Protection" service in Windows (this allows the blocked traffic)
- Updating firewall
Hi Jo,
Thanks for reaching out to the Sophos Community Forum.
Do you know if the endpoint devices can ping the IP address 52.5.76.173? This is the IP address that both the Endpoint and Firewall will reach out to, to communicate heartbeat information to Sophos Central.
I'd suggest checking the Heartbeat.log at "C:\ProgramData\Sophos\Heartbeat\Logs" as well to see if there are any errors generated on the endpoint. Feel free to send me a PM with the logfile if you'd like some assistance in looking into it.
Heartbeat logs can be obtained from the firewall by using the commands in the following article: Sophos Firewall: Extract files from the firewall
Checking what is shown in the Sophos Firewall heartbeat logs at the time the endpoints try checking in may help. The files in question are listed under "Heartbeat" in the following article: Log file details
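The endpoint-side checks from the reply above (reachability of 52.5.76.173 and errors in Heartbeat.log), together with the state of the service named in the original post, as an added PowerShell example that is not part of the thread or of Sophos tooling. The function name `Get-HeartbeatTriage` is hypothetical, and the keyword pattern is an assumption because the thread does not show the log format.

```powershell
# Added example: local heartbeat triage for one Windows endpoint.
# IP address, log path and service display name are taken from the thread.
$HeartbeatIp = '52.5.76.173'
$LogFile     = 'C:\ProgramData\Sophos\Heartbeat\Logs\Heartbeat.log'
$ServiceName = 'Sophos Network Threat Protection'   # service display name
$Pattern     = 'error|fail|denied|timeout'          # assumed keywords, log format unknown

function Get-HeartbeatTriage {
    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        PingOk       = $false
        NtpService   = 'NotFound'
        LogFound     = $false
        LogLastWrite = $null
        MatchCount   = 0
        LastMatches  = @()
    }

    # 1. Can this endpoint ping the heartbeat address asked about in the reply?
    $result.PingOk = [bool](Test-Connection -ComputerName $HeartbeatIp -Count 2 -Quiet)

    # 2. State of the service whose blocking behaviour the original post describes.
    $svc = Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue
    if ($svc) { $result.NtpService = [string]$svc.Status }

    # 3. Heartbeat log: when it was last written and which lines match the pattern.
    #    A stale LastWriteTime suggests the heartbeat component is not running at all.
    if (Test-Path -LiteralPath $LogFile) {
        $result.LogFound     = $true
        $result.LogLastWrite = (Get-Item -LiteralPath $LogFile).LastWriteTime
        # Select-String is case-insensitive by default.
        $hits = @(Select-String -LiteralPath $LogFile -Pattern $Pattern)
        $result.MatchCount   = $hits.Count
        $result.LastMatches  = @($hits | Select-Object -Last 5 | ForEach-Object { $_.Line })
    }

    [pscustomobject]$result
}

Get-HeartbeatTriage | Format-List
```

Running it on one endpoint that shows "Security Heartbeat Firewall" in Sophos Central and on one that does not gives two objects that can be compared field by field.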
Below is the solution from Sophos Support that works:
This update will also be included in the 2022.3 release of Sophos Core Agent. The release is expected to begin rollout in the next couple of weeks, though this is subject to change without notice.
If you find that a significant number of devices are affected on your environment, I'd suggest inquiring if your site can be moved to one of the earlier release groups.