Security Heartbeat 52.5.76.173

Question

Hi community, I've just seen " Endpoints and Sophos Firewall communicate through an encrypted TLS connection over the IP address 52.5.76.173 on port 8347. " security heartbeat documentation. ( https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/SophosCentral/SecurityHeartbeatOverview/SecurityHearbeat/index.html ) Do we need to create a firewall-rule to allow LAN to WAN traffic for 52.5.76.173 and port 8347? Or does ip 52.5.76.173 get some special treatment like magic-packet ip 1.2.3.4 and those packets are terminated at firewall and not really being forwarded to wan? So is this ip used for communication between firewall<->endpoint or between firewall<->central and endpoint<->central? Please share some information, how traffic is handled. Thanks in advance!

Vivek Jagad · Accepted Answer

Hi FFin ,

Thank you for reaching out to the community, yes you understood it correctly.

> The Endpoint uses the Network Threat Protection service (which comes with the anti-virus product) to send its heartbeat to a magic IP 52.5.76.173 and port number 8347.
> This traffic will hit the XG and the XG will take note of the endpoint’s heartbeat status then respond back to the endpoint
> Now the XG will know if the endpoint is red, yellow, or green status and enforce restrictions based on the firewall policy’s heartbeat settings.