I have been working on increasing network security and implemented firewall rules that block access to the internet by workstations if they don't have a Heartbeat.
Of course we have the "chicken and egg" situation, how is the Heartbeat registered if there is no internet connection, which there won't be, if there is no Heartbeat? I had expected to have to add a firewall rule to 220.127.116.11 on port 8347 but experimentation showed this wasn't necessary. The observed behaviour is after switching a workstation on, I get internet access after about a minute. I assume therefore that this traffic is allowed through XG whatever the firewall configuration. This seems to be further confirmed by the fact that even when I have a firewall rule, no traffic is logged against it.
Can somebody please confirm that this understanding is correct? Heartbeat traffic is never blocked by an XG, whatever the firewall rules?
This all seemed fine until I hit an unrelated problem with my XG. Licence sync managed to break and from posts in the community it seemed the easiest way to fix this was to reinstall the OS and restore a backup (thanks LuCar Toni for the solution). Sophos Central didn't recognise the XG as the same firewall (presumably because it had been re-registered) so I removed it and added it back in. This was when the fun started.
The workstations then wouldn't connect to the internet, however long I left them. I wanted to check their Heartbeat status but I can't actually find anywhere that shows which workstations have a live heartbeat. If you click on the console widget it tell you there are 'X' connected but doesn't actually list what those connected workstations are. Where can you get this info?
I removed the requirement for Heartbeat to be able to access the internet but that made no difference. I then tried switching a laptop to our guest wifi which has no firewall rules and this then seemed to fix the issue because when I switched back to the internal network, everything worked as expected. For non-laptops I had to workout what was different with out guest wifi as I couldn't connect the PCs to that network to fix the issue. In then end I found that I had to allow DNS access to get the Heartbeat to work (access to DNS also normally requires a Heartbeat so I had to disable this).
So, to re-establish Heartbeat in this scenario, the workstations needed DNS as well as internet access, so it doesn't appear that it just requires access to 18.104.22.168 on port 8347. Some sort of DNS lookup is required.
Can anybody please explain what is going on and how Heartbeat makes its connection? And how do I actually see which workstations have a Heartbeat?
It is simple: Heartbeat is not a Client to Central Connection.
Instead the Client talks to the IP of Central (Internet IP) but the Firewall will intercept and talk to the Client instead.
You can observe…
You can observe this via tcpdump / packet capture on the firewall. The client actually does not communicate to the internet with this IP. Therefore you do not need any sort of firewall rule what so ever to allow this traffic.
This is the reason, HB will still work, even if there is no internet connection active (outage etc.).
But: You need to make sure, the Internet Traffic (or at least this IP) is actually going to the Firewall and not taking another route (for example a Layer3 switch is routing the traffic to another gateway).
You can see the connected clients in the logviewer under heartbeat section.
Thanks for the explanation LuCar, yes it is quite simple BUT why could I not get Heartbeat back when I reinstalled my XG and re-registered it with Central Connection? It would only work after I allowed each workstation access to a DNS server but according to the way it works, that shouldn't be required (assuming it is making an IP connection to 22.214.171.124. This wasn't just an anomaly with one workstation, it affected them all.
Also, you can't really see connected clients in logviewer. That only shows when Heartbeat is connected or lost. It doesn't show the workstations currently with a heartbeat. If the console tells me I have 8 active Heartbeats I can't see what those 8 are. The logical think would be to just click on the widget but this shows you nothing.
If you deploy the firewall into Central, it will generate new certificates for all players (Firewall and Endpoints). So the endpoint will fetch there new certificate from Central and the firewall will fetch the CA.
If this process did not work, it will fail to communicate (The client will simply refuse to talk to the firewall). The DNS server makes sense to me, because the fetching of the certificates need actually internet access "once". If this was not possible in that time, it will not work to get new certificates.
That explains what I was seeing. Thanks for the explanation LuCar Toni