I have been working on increasing network security and implemented firewall rules that block access to the internet by workstations if they don't have a Heartbeat.
Of course we have the "chicken and egg" situation: how is the Heartbeat registered if there is no internet connection, which there won't be if there is no Heartbeat? I had expected to have to add a firewall rule to 188.8.131.52 on port 8347, but experimentation showed this wasn't necessary. The observed behaviour is that after switching a workstation on, I get internet access after about a minute. I assume therefore that this traffic is allowed through XG whatever the firewall configuration. This seems to be further confirmed by the fact that even when I have a firewall rule, no traffic is logged against it.
Can somebody please confirm that this understanding is correct? Heartbeat traffic is never blocked by an XG, whatever the firewall rules?
This all seemed fine until I hit an unrelated problem with my XG. Licence sync managed to break and from posts in the community it seemed the easiest way to fix this was to reinstall the OS and restore a backup (thanks LuCar Toni for the solution). Sophos Central didn't recognise the XG as the same firewall (presumably because it had been re-registered) so I removed it and added it back in. This was when the fun started.
The workstations then wouldn't connect to the internet, however long I left them. I wanted to check their Heartbeat status, but I can't actually find anywhere that shows which workstations have a live heartbeat. If you click on the console widget it tells you there are 'X' connected but doesn't actually list what those connected workstations are. Where can you get this info?
I removed the requirement for Heartbeat to be able to access the internet, but that made no difference. I then tried switching a laptop to our guest wifi, which has no firewall rules, and this then seemed to fix the issue, because when I switched back to the internal network, everything worked as expected. For non-laptops I had to work out what was different with our guest wifi, as I couldn't connect the PCs to that network to fix the issue. In the end I found that I had to allow DNS access to get the Heartbeat to work (access to DNS also normally requires a Heartbeat, so I had to disable this).
So, to re-establish Heartbeat in this scenario, the workstations needed DNS as well as internet access, so it doesn't appear that it just requires access to 184.108.40.206 on port 8347. Some sort of DNS lookup is required.
Can anybody please explain what is going on and how Heartbeat makes its connection? And how do I actually see which workstations have a Heartbeat?
It is simple: Heartbeat is not a Client to Central Connection.
Instead, the Client talks to the IP of Central (Internet IP), but the Firewall will intercept and talk to the Client instead.
You can observe…