In a nutshell:
Is it possible for firewalls across an estate to share information about endpoints' HeartBeat status (and user ID)?
Consider the following scenario:
A Head Office XG has firewall rules that require a minimum HB status for devices (e.g. to protect a File Server).
A Branch XG sends traffic over a RED tunnel to the HO; but also has local security HB rules (e.g. to protect a NAS device used for storing branch users' files).
There are PCs with Sophos endpoints (HB) at a Branch site that need access to both the Branch NAS and HO File Server.
The HO and Branch XGs are registered with Sophos Central for management.
Basically, I'm looking to replace a classic "HO to Branch RED" scenario, to take advantage of SD-WAN and local network protection, e.g. for cloud applications (rather than using a RED standard tunnel - or split-tunnel + a separate firewall).
When testing this, at the Branch site, if I turn on Central Synchronisation (HB, Synchronised Application Control & Management), then the Branch XG collects HB and shares it with Central; but the HO XG no longer recognises the endpoint (both HB and user-based rules fail).
If I turn HB & SAC off (leaving Management on), then the HB traffic flows through the RED tunnel to the HO XG, which recognises the endpoint and user... But then I wouldn't be able to use HB rules to protect local Branch assets.
Or am I missing something?
Further specific details:
At the moment, for this client we're using an HA A-P pair of XG210s at the HO & multiple REDs (in standard mode) for the branch offices; so all assets can be protected by HB rules (as the rules are all on the HO XG). We're considering replacing the REDs with XGs (86s or slightly bigger).
As well as not needing to backhaul all the traffic through the HO XGs, they would be able to repurpose the REDs for WFH users that need a hardware VPN solution.