This article provides the FAQ for Synchronized Security features in SFOS version 17.5. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall, Central Endpoint Intercept X
The easiest way to describe it is that Security Heartbeat has always been able to isolate infections at the firewall, and now, with Lateral Movement Protection, it can isolate them at the endpoint level as well.
Security Heartbeat conditions in firewall rules have been a Synchronized Security feature of the XG Firewall since it was introduced, enabling the firewall to isolate compromised devices with a red or yellow Heartbeat from other parts of the network at the firewall. For example, by adding Heartbeat conditions to firewall rules, administrators can automatically isolate an endpoint from the WAN (Internet), DMZ (Servers), or other zones and segments of the network connected through the firewall.
Lateral Movement Protection extends this feature by also informing all healthy endpoints to further isolate a compromised device at the endpoint. This has the added benefit of working within the same network segment (also known as a broadcast domain or subnet), where endpoint computers are typically connected together through a switch and their traffic never passes through the firewall. Lateral Movement Protection can dramatically reduce the exposure to threats spreading within the network.
Both features isolate endpoints automatically and restore connectivity when the health of the affected device returns to normal.
By integrating our firewall and endpoint products, we enable them to share health, status, and other important security information through a continuous Security Heartbeat™ connection. Both products use this shared telemetry to respond to an active adversary or threat on the network. When any kind of attack is detected, the endpoint Heartbeat status changes and triggers an automated response in which the firewall coordinates and synchronizes the defense.
Not only will the firewall cut off network access for the compromised device at the firewall, it will also advise all the healthy endpoints on the network to isolate the compromised host and ignore all traffic originating from it. When a device has a red Security Heartbeat condition, the firewall shares the MAC addresses of all the device’s network interfaces with the other endpoints, which use the Windows Firewall to block all traffic from those MAC addresses. The combined solution provides adaptive micro-segmentation at the individual endpoint level. It doesn’t require any additional infrastructure or management, and has zero performance impact. It’s the ultimate emergency response strategy, for any network.
With the device self-isolation feature, the compromised device can also use the local Windows Firewall on the client to isolate itself.
Lateral Movement Protection enlists your trusted devices to isolate any untrustworthy devices, ignoring all traffic from the untrusted device to protect themselves from any attacks or hacks it might try to instigate. Lateral Movement Protection is an essential tool to prevent the spread of threats or attacks since you can absolutely trust the healthy endpoints to do their part.
Lateral Movement Protection works on flat networks connected through a layer 2 switch or the firewall, which covers the vast majority of customer networks. It does not support isolation across different subnets or VLANs routed through a managed layer 3 switch. Support for this may be added in the future.
Synchronized User ID shares the domain user account information from the machine the user is logged into over Security Heartbeat with the firewall. The firewall then checks this against the configured AD server and activates the user. It only requires that the Active Directory server is configured as an authentication server in the XG Firewall. No agents are required on the server or clients. It does not share or utilize any password information. It does not work with other directory services, and it will not recognize “local” users.
Initially, these features work only on Sophos Central managed Windows devices. Mac support will come in a future update to the Mac Sophos Endpoint client.
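The following is an added model (not Sophos code) of the Heartbeat-driven isolation described in the Lateral Movement Protection answers above: a red Heartbeat pushes the compromised device's interface MACs to healthy, Central-managed Windows endpoints on the same broadcast domain, firewall-rule Heartbeat conditions match red or yellow, and the block lists clear when health returns to green. The `Endpoint` fields, the condition names `red`/`yellow`, and the sample hosts are assumptions for illustration.

```python
# Added simulation of Lateral Movement Protection behaviour; assumptions: "red" triggers
# endpoint MAC blocking, a rule condition of "yellow" matches red or yellow Heartbeats,
# and only healthy Central-managed Windows peers on the same subnet enforce the list.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    ip: str                      # address with prefix, e.g. "10.0.1.5/24"
    macs: tuple                  # MAC address of each network interface on the device
    heartbeat: str = "green"     # green | yellow | red
    os: str = "windows"
    central_managed: bool = True
    blocked_macs: set = field(default_factory=set)  # local Windows Firewall block list


def same_broadcast_domain(a: Endpoint, b: Endpoint) -> bool:
    # Endpoint-level isolation only reaches peers on the same flat layer 2 segment.
    return ipaddress.ip_interface(a.ip).network == ipaddress.ip_interface(b.ip).network


def rule_blocks(heartbeat: str, condition: str) -> bool:
    # Firewall-rule Heartbeat condition: "red" matches red only, "yellow" matches red or yellow.
    if condition == "red":
        return heartbeat == "red"
    if condition == "yellow":
        return heartbeat in ("red", "yellow")
    return False


def sync_isolation(endpoints: list) -> dict:
    """One firewall pass: push the MACs of every red device to healthy peers on its
    segment, and drop entries for devices whose Heartbeat is green again.
    Returns a mapping of endpoint name -> MACs it currently blocks."""
    red = [e for e in endpoints if e.heartbeat == "red"]
    for peer in endpoints:
        if peer.heartbeat != "green" or peer.os != "windows" or not peer.central_managed:
            continue  # only healthy, managed Windows endpoints enforce the block list
        peer.blocked_macs = {
            mac for bad in red
            if bad is not peer and same_broadcast_domain(peer, bad)
            for mac in bad.macs
        }  # rebuilt each pass, so recovered devices are unblocked automatically
    return {e.name: set(e.blocked_macs) for e in endpoints}


# Constructed sample network: ws2 is compromised, srv sits in another subnet, mac is unmanaged.
ws1 = Endpoint("ws1", "10.0.1.10/24", ("aa:aa:aa:aa:aa:01",))
ws2 = Endpoint("ws2", "10.0.1.11/24", ("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"), heartbeat="red")
srv = Endpoint("srv", "10.0.2.20/24", ("aa:aa:aa:aa:aa:04",))
mac = Endpoint("mac", "10.0.1.12/24", ("aa:aa:aa:aa:aa:05",), os="macos")
```

Run `sync_isolation([ws1, ws2, srv, mac])` twice, flipping `ws2.heartbeat` to `"green"` between passes, to see ws1 block both of ws2's MACs and then release them, while srv (other subnet) and mac (not yet supported) never participate.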
All of our Central Endpoint Licenses and Central Server Licenses support Synchronized Security.