Hello Sophos gang,
I'm currently running three test W10 machines behind a Sophos XG firewall that have the Endpoint client installed.
As part of testing, I enabled heartbeat on the firewall policy to allow only green machines to connect to the internet.
Everything works fine and I commenced all kinds of testing on the W10 machines, from compromising sensitive data through malware, etc.
The detection mechanism works very well: the firewall picks up the HB status change immediately and restricts access to the network.
Problems start with remediation.
So when the client gets infected, it immediately sends out a PUSH message to the Sophos cloud and informs Sophos Endpoint Central. This apparently gets intercepted by the firewall, and the client status changes to YELLOW. Since the minimum status I set is GREEN, the client is restricted based on the restrictions applied by the relevant policies. The Endpoint client cleans the infection by itself to fix the problem.
While on the firewall the status of the client cannot be changed or tampered with, on Sophos Central the alert does not appear for the next 15-20 minutes after the PUSH is sent. After this delay, the alert appears in the logs and can be acknowledged; again it takes another 5-10 minutes until the endpoint client syncs and gets GREEN status, and thus the firewall releases the applied restrictions.
HB settings are very granular over the webGUI and, looking into this over the advanced shell, I cannot find any file-based config, since the HB daemon is running from a binary. Traffic between Sophos Central and endpoint clients should be automatically allowed, but this traffic does not show in the traffic logs; when I ran a pcap on the firewall (source: W10 machine on port 8347), the connection status was shown as "consumed".
Does anyone know why these delays are so long? Is it a cloud load problem? Is there any way to speed this up?