New Sophos Support Phone Numbers in Effect July 1st, 2023

Sophos Firewall reported computer not sending heartbeat signals

Since November an increasing number of endpoints is reported from Central with "Sophos Firewall SN reported computer not sending heartbeat signals"

We upgraded our HQ XG from 18.5.4 to 19.0.1 on  Nov 12th but the issue started already before as you can see from the screenshots.

Before that, we only received this alerts occasionally.  Sometimes the message comes multiple times per day for a machine, then a few days no message is created even if the computer is still in use.

What is the issue here?

Central Region is Central Europe

One Computer:



Added TAGs
[edited by: Qoosh at 11:24 PM (GMT -8) on 12 Dec 2022]
Parents Reply Children
  • Support tech found this which is what I already posted above: (modern) standby causes those issues.
    Asking me to disable standby, which is not a desired workaround.

    We've already had a case open in 2021 with SFOS 18.0.5: 04121743  Endpoints reporting "at risk"to XG firewall but Sophos Central showing no issues.

    Support tech wrote there: "I believe from the logs you have provided, I do see that it went from a green connected state to a red missing heartbeat state multiple times back to back. This occurs when heartbeat traffic from the device is no longer sent to the firewall, typically after the machine enters sleep/wakes from sleep or gets disconnected.

    I believe that the endpoints were having issues connecting or enters sleep/wakes from sleep very quickly that the updates were not relayed to central in time therefore it didn't show up there."

    2023-03-28T13:58:53.665Z [ 5156: 5160] I Received Screen Off notification: Endpoint entering Modern Standby


    2023-03-28T13:58:58.229Z [ 4800: 6088] D Failed to connect: system:10065.
    2023-03-28T13:58:58.229Z [ 4800: 6088] D + Connection::OnConnectError()
    2023-03-28T13:58:58.229Z [ 4800: 6088] A Connection failed.

  • After several test we can confirm the statement from Tech Support, that Sophos Heartbeat is not compatible with Modern Standby feature of Windows and / or modern Computers.

    So as customer you have 2 choices to get this worked around:

    1. Disable modern Standby on the OS of all your client computers:

        cmd
        powercfg /a
        should report s0 is enabled. s0 is modern standby
    
        regedit
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power]
        New > DWORD (32-bit) Value.
        PlatformAoAcOverride with the value 0
        reboot
        
        cmd
        powercfg /a
        should report s3 is enabled. s3 is classic standby

    2. disable the mail notification about missing heartbeat in sophos central, and ignore all the alerts that appear on the dashboard through out the day and continue to use the modern standby on the client computers.

    Both workarounds are bad ones.

    Sophos should get Heartbeat be compatible with current computers and operating systems.

  • final statement, I received from support.

    feedback from our Product management team and they have stated- "we do have a roadmap item to improve modern standby behavior, but at this time there is no commitment as to when it would be delivered."

    so it may, hopefully, get better sometimes.