
Lack of identifiable user activity with Heartbeat or STAS

The network consists of Cisco enterprise switches, and inter-VLAN routing happens in a core switch stack.


Links to secondary stacks and to servers are PortChannel groups on 10G media. The uplink to the firewall is 1G on the default VLAN, as internet traffic is secondary to the primary business traffic between their servers, manufacturing equipment and end users.

In current activities, 3 users are identified (off of VLAN 501).  Another 12 or so are IPsec remote access VPN users.  The other remaining 170 users are unidentified.

On Domain Controllers, STAS shows a number of Live Users in Advanced > Show Live Users.

Running a packet capture, I see traffic from the firewall to the DCs.

Found a mis-configured Windows Defender firewall rule and now STAS is working. Set Windows DCs to allow inbound port UDP 6677.  Users are now showing up in the firewall live users.

I see the Heartbeat is sent every 15 seconds.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SophosCentral/SecurityHeartbeatOverview/SecurityHearbeat/index.html#identification-of-endpoints

Packet capture shows a large amount of traffic from the LAN IP addresses to 52.5.76.173 on TCP port 8347.

Why would Sophos Firewall not be able to identify users based on heartbeat?
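As an added example (not part of the original post and not Sophos' own tooling), the following PowerShell script checks what the post describes fixing by hand: that a domain controller's Windows Defender Firewall actually admits the STAS traffic on inbound UDP 6677, and that no Block rule overrides the Allow (in Windows Firewall a matching Block rule wins over an Allow). It then lists which process is bound to UDP 6677, and finally tests from the local machine whether a TCP connection to the heartbeat destination seen in the capture (52.5.76.173:8347) completes. The firewall's LAN IP and the rule name are assumptions; run it elevated on the DC.

```powershell
# Added example, not from the original post. Verifies the Windows Defender
# Firewall state for Sophos STAS (inbound UDP 6677) on a domain controller and
# checks the Security Heartbeat path on TCP 8347. Values below are assumptions.
param(
    [string]$FirewallIp = '10.0.0.1',                    # assumption: LAN IP of the Sophos Firewall
    [string]$RuleName   = 'Sophos STAS inbound UDP 6677', # assumption: name for the rule we create
    [string]$HeartbeatIp = '52.5.76.173',                 # destination observed in the packet capture
    [int]$HeartbeatPort  = 8347                           # port observed in the packet capture
)

function Get-Udp6677Rules {
    # Return every enabled inbound rule whose port filter can match UDP 6677,
    # including rules that cover 'Any' port, since those match as well.
    Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'UDP' -or $pf.Protocol -eq 'Any') -and
            ($pf.LocalPort -contains '6677' -or $pf.LocalPort -eq 'Any')
        }
}

$rules = Get-Udp6677Rules
$block = $rules | Where-Object Action -eq 'Block'
$allow = $rules | Where-Object Action -eq 'Allow'

# A Block rule matching the port overrides any Allow rule; report it first.
foreach ($r in $block) {
    Write-Warning "Block rule '$($r.DisplayName)' (Profile=$($r.Profile)) matches inbound UDP 6677 and will override any Allow rule"
}

if ($allow) {
    foreach ($r in $allow) {
        $af = $r | Get-NetFirewallAddressFilter
        "Allow rule '$($r.DisplayName)' (Profile=$($r.Profile), RemoteAddress=$($af.RemoteAddress)) covers inbound UDP 6677"
    }
} else {
    # No Allow rule at all: create one, scoped to the firewall's address only
    # and to the Domain profile, which is where a DC's NICs should sit.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort 6677 -RemoteAddress $FirewallIp -Action Allow -Profile Domain | Out-Null
    "Created rule '$RuleName' allowing inbound UDP 6677 from $FirewallIp"
}

# Confirm something is actually bound to UDP 6677; if nothing is, the rule is
# irrelevant and the STAS agent service itself needs attention.
$ep = Get-NetUDPEndpoint -LocalPort 6677 -ErrorAction SilentlyContinue
if ($ep) {
    foreach ($e in $ep) {
        $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
        "UDP 6677 bound on $($e.LocalAddress) by PID $($e.OwningProcess) ($($proc.ProcessName))"
    }
} else {
    Write-Warning "Nothing is listening on UDP 6677 on this host"
}

# Heartbeat path check: does a TCP connection to the observed destination
# complete from this machine? This only shows reachability of the destination
# and port, not whether the firewall accepts or identifies the heartbeat.
$hb = Test-NetConnection -ComputerName $HeartbeatIp -Port $HeartbeatPort -WarningAction SilentlyContinue
"TCP $HeartbeatIp`:$HeartbeatPort from $($hb.SourceAddress.IPAddress): TcpTestSucceeded=$($hb.TcpTestSucceeded)"
```

Run the script on each DC after the STAS agent is installed; a Block rule or an empty listener list points at the host, while a failed TCP test to the heartbeat destination from a LAN client points at the path between that client and the firewall rather than at the DCs.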