This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unwanted Heartbeat users showing up as "Live Users" next to VPN users

I have an XGS 3100 firewall.  In the Control Center, I see Connected Remote Users and Liove Users.  Everyone in the former group appears in the Live group, but the Live Users group contains one or more "Heartbeat" users.  I don't know why they are there and how can I prevent myself from seeing them?



This thread was automatically locked due to age.
Parents
  • Hello there,

    Good day and thanks for reaching out to Sophos Community and hope you are well.

    Have you tried purging the Security Heartbeat reporting? Under Reports>Custom Report Settings>Manual Purge - Select the duration From - Up To of you want to clear. Kindly try and let us know and if possible after the purge schedule a reboot and see if helps with this concern. 

    Thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thanks, Raphael.  I ran the purge but I would still like to understand exactly what a Security Heartbeat is.

  • Hello, 

    Does purging removed the heartbeat clients on the live users list? Do you have previously installed Sophos Central Endpoint on the detected machines? As per current design, if any endpoint has first got into missing heartbeat status (lost heartbeat connection but traffic from endpoint flows through the FW) and has been removed (non-existing), the status for that endpoint will continue to show in missing heartbeat state until that endpoint again connects back and thus purging might help in cleanup.

    Hope this info helps. Thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Security heartbeat is only generated by Sophos Endpoints that communicate with the Heartbeat IP

    52.5.76.173

    through the Firewall to Sophos Central. When the firewall is registered in Central, it can recognize the heartbeat of the client, it does some kind of man in the middle there, and then forwards it to Sophos Central.

    Heartbeat has nothing to do with user authentication.

  • I can report that purging does not solve my problem.  Here is a screenshot of what I typically see under Live Users:

    Why do I see some Heartbeat uses but not others?  and how can I stop seeing the Heartbeat users?

  • Hello there,

    Good day and thanks for the updates. Did you try to reboot the FW after the purge? and is you FW connected to your Central account? and If yes are there currently machines registered into you Central account? 

    Many thanks for your time and patience and thank you for choosing Sophos

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Thanks, Raphael, but purging did not accomplish anything.

  • Hello  

    Thanks for sharing an update. Could you verify if the user 'administrator@tse.local' is still on Sophos Central? and if yes could you try removing from the Central account? It would be under Sophos Central > People/Devices then delete the possibly unwanted user on Central and all other that still appear on Sophos Firewall then perform the purge and reboot again.

    If the issue would still persist after the above steps. I may recommend you to open a support ticket for this to be further investigated, you could refer this community thread on your ticket that would be created. Also, please share with us the CaseId via DM or by replying to this thread.

    Many thanks for your time and patience and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Hello  

    Thanks for sharing an update. Could you verify if the user 'administrator@tse.local' is still on Sophos Central? and if yes could you try removing from the Central account? It would be under Sophos Central > People/Devices then delete the possibly unwanted user on Central and all other that still appear on Sophos Firewall then perform the purge and reboot again.

    If the issue would still persist after the above steps. I may recommend you to open a support ticket for this to be further investigated, you could refer this community thread on your ticket that would be created. Also, please share with us the CaseId via DM or by replying to this thread.

    Many thanks for your time and patience and thank you for choosing Sophos.

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Children
No Data