
Firewall blocks client due to heartbeat - while the HB status is green <1> - why?

Our firewall rules, with "block clients with no HB" and "green HB only" enabled, blocked this client today while the HB status on the firewall was reported as green.

I cannot see a reason - any idea? I don't like to create special rules for this client. The users report such issues from time to time, and every time I checked it, the problem was as described below.

What can we do to get this solved?

Here we can see the firewall rules blocked due to HB status:

  • hb_status="No Heartbeat"

The HB log shows:

[2024-09-23 15:53:58.730Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <1> -> <3>
[2024-09-24 06:41:26.221Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <3> -> <1>
[2024-09-24 06:42:00.991Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <1> -> <5>
[2024-09-24 06:42:01.336Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <5> -> <1>
[2024-09-24 07:32:16.638Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <1> -> <5>
[2024-09-24 07:32:16.994Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <5> -> <1>
[2024-09-24 07:33:25.766Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <1> -> <5>
[2024-09-24 07:33:26.044Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <27fde231-3860-4e3a-9d5b-d23d201bc43c>: <5> -> <1>

So between 06:42:01.336Z and 07:32:16.638Z the HB status was 1, which is the "good" state. But during the whole time, the user was blocked by the firewall rules.

At 07:33:26Z / 09:33:26 CEST the issue was magically resolved, without doing anything.

The HB status flapped a few times between 5 and 1 and then all was good again.

The user/endpoint was allowed by the firewall.

That is frustrating.

Central events (note: today is Sept 24th)

        Sep 24, 2024 8:55 AM     Update succeeded    
        Sep 23, 2024 8:58 AM     Update succeeded    
        Sep 23, 2024 8:40 AM     Sophos Firewall X450xxx7E reported computer resumed sending heartbeat signals    
        Sep 23, 2024 8:09 AM     Sophos Firewall X450xxx7E reported computer not sending heartbeat signals    
        Sep 22, 2024 10:17 AM     Update succeeded

Client:

macOS Sonoma 14.7

Open Sophos Endpoint. Click About > Run Diagnostic Tool. Click Prerequisites. Check your permissions.

All permissions enabled.



Added TAGs
[edited by: Erick Jan at 10:40 AM (GMT -7) on 24 Sep 2024]
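
The manual comparison in the post (heartbeat log says state 1, firewall log says "No Heartbeat") can be scripted for repeated incidents. This is an added example, not part of the original post and not Sophos code: it turns the `endpoint_connectivity_cb` lines into per-endpoint state windows and flags firewall drop times that fall inside a window the heartbeat log reports as state 1. The function names and the drop timestamps in `BLOCK_TIMES` are constructed for illustration; the log lines are copied from the post, and drop times are assumed to be already converted to UTC.

```python
import re
from datetime import datetime, timezone

ENDPOINT = "27fde231-3860-4e3a-9d5b-d23d201bc43c"
# Four consecutive lines copied from the heartbeat log quoted in the post.
SAMPLE_LOG = f"""\
[2024-09-24 06:41:26.221Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <{ENDPOINT}>: <3> -> <1>
[2024-09-24 06:42:00.991Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <{ENDPOINT}>: <1> -> <5>
[2024-09-24 06:42:01.336Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <{ENDPOINT}>: <5> -> <1>
[2024-09-24 07:32:16.638Z] INFO EndpointStorage.cpp[26394]:119 endpoint_connectivity_cb - Connectivity changed for <{ENDPOINT}>: <1> -> <5>
"""
LINE_RE = re.compile(
    r"\[(?P<ts>[\d-]+ [\d:.]+)Z\].*endpoint_connectivity_cb - Connectivity changed "
    r"for <(?P<ep>[0-9a-f-]+)>: <(?P<old>\d+)> -> <(?P<new>\d+)>")

def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS.mmm' (the log's Z suffix stripped) as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)

def state_windows(log_text):
    """Return {endpoint: [(start, end_or_None, state), ...]} in log order."""
    windows = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore unrelated log lines
        ts, spans = parse_ts(m["ts"]), windows.setdefault(m["ep"], [])
        if spans:  # close the previous window at this transition
            start, _, state = spans[-1]
            spans[-1] = (start, ts, state)
        spans.append((ts, None, int(m["new"])))
    return windows

def state_at(windows, endpoint, when):
    """State the heartbeat log reports at `when`; None if before the first line."""
    for start, end, state in windows.get(endpoint, []):
        if start <= when and (end is None or when < end):
            return state
    return None

def mismatches(windows, endpoint, block_times, good_state=1):
    """Drop times that fall inside a window the HB log reports as good_state."""
    return [t for t in block_times if state_at(windows, endpoint, t) == good_state]

# Constructed firewall-log drop times (hb_status="No Heartbeat"), in UTC.
BLOCK_TIMES = [parse_ts("2024-09-24 06:42:01.100"), parse_ts("2024-09-24 07:00:00.000")]

if __name__ == "__main__":
    for t in mismatches(state_windows(SAMPLE_LOG), ENDPOINT, BLOCK_TIMES):
        print("blocked while heartbeat log reports state 1:", t.isoformat())
```

Only state 1 is treated as known here, because it is the only value the post assigns a meaning to; the other state numbers are carried through uninterpreted.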