I sent an email to my account manager and sales engineer and am awaiting a reply. But it might be a few days. I hope the community might help me out.
Have a fairly new XG 230 implementation at a school. We are trying to use Security Heartbeat, but it seems pretty unusable. Other implementations with smaller XGs and a dozen or fewer business users seem fine.
Here is why:
#1
Alerts are generated for offline computers. My support gets a bunch of emails and they are not happy.
Is there a threshold that can be adjusted (say…match condition for x minutes before setting alert?) via CLI?
Is there something that can be done to suppress messages for offline computers.
#2
Had a machine that could not download updates. Condition was red because it’s not up to date. Can’t update because it is red. However the machine could reach internal network resources.
I modified the LAN to WAN rule so it could access the internet if yellow (no restriction!). Then it could update. What’s the point though?
I observed the LAN to LAN rule is set to block if greater than yellow. There must be something more to do here…LAN to LAN doesn’t route through XG for same subnet.
Then I found…
What do we think of the solutions here?
I created a rule with below FQDNs, put it on top, with no heartbeat restriction. I see some traffic through the rule I created to allow traffic, but not much...Hasn't incremented for hours.
sophos.com
mojave.net
sophosupd.com
sophosupd.net
sophosxl.net
Then I called Support as I am anxious to hear something.
I’m told that it’s normal that when a machine is shutdown, it will report and we will get an email message. For a school, and with student laptops (awake, asleep, awake, asleep every class and sometimes several times in a class), this means each offline will be an alert (for 50 computers, say 400 messages a day might be typical). This makes the product unmanageable from an alerting point of view. Unable to see the fire through the weeds.
Here’s how I would like to see it work:
- When a machine is turned off, the heartbeat will stop.
- Some machines take a while to shut down.
- Make a failed heartbeat equal to no heartbeat plus a successful ping to the endpoint.
- Have a CLI threshold where I can say I want 4 failed heartbeats prior to sending an alert.
On to the topic of isolating a machine that’s alerting…we spoke about this and I was told that a machine cannot be isolated from the local network. It can only be isolated if traffic is flowing through the UTM (I think she meant XG). I was under the understanding (and so were Brian and Garth) that a machine that has caused an alert would be blocked from all communication. Is there someone that can explain this mechanism?
Here’s how I would like to see it work:
- The XG communicates its rules to Central. Why? Because I have a rule that allows communication to WAN when Red to my Kaseya management server and to a random list of Sophos servers (see earlier email below) so they can update and so I can remote in and work on them (we are 2 or more hours away from some client sites).
- The Endpoint alerts Central. Rules in the XG block traffic based on the rules. As this isn’t really effective though:
- A network driver is installed on the endpoint and this filters network access based on the XG rules that allow communication, so an out of date machine might still be able to get updates and it can be blocked from local LAN communication.
Any input is appreciated so I can understand how this works, is supposed to work, or won't work. I've turned it off for the moment for one customer. Leaving it on for the little ones.
Regards,
David
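The alert-threshold scheme proposed in the post (a missed heartbeat only counts as failed when the endpoint still answers a ping, and an alert goes out after 4 consecutive failures) can be prototyped on the monitoring side independently of what the XG itself supports. The Python below is an added example, not Sophos code and not an XG feature; the host names, the event stream and the `threshold` value are constructed assumptions:

```python
"""Heartbeat alert filter: suppress offline hosts, alert after N real failures."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class HeartbeatFilter:
    threshold: int = 4                                   # assumed: failed beats before alerting
    failed: Dict[str, int] = field(default_factory=dict)
    alerted: Dict[str, bool] = field(default_factory=dict)

    def observe(self, host: str, heartbeat_ok: bool, ping_ok: bool) -> Tuple[str, str]:
        """Process one polling interval for `host` and return (host, decision).

        'ok'      heartbeat received, counters reset
        'offline' no heartbeat and no ping: machine is off/asleep, suppressed
        'failed'  no heartbeat but ping answers: counts toward the threshold
        'alert'   threshold reached; emitted once until the host recovers
        """
        if heartbeat_ok:
            self.failed[host] = 0
            self.alerted[host] = False
            return host, "ok"
        if not ping_ok:
            # Shut down or sleeping laptop: neither counted nor alerted on.
            return host, "offline"
        self.failed[host] = self.failed.get(host, 0) + 1
        if self.failed[host] >= self.threshold and not self.alerted.get(host):
            self.alerted[host] = True
            return host, "alert"
        return host, "failed"


def run(events: List[Tuple[str, bool, bool]], threshold: int = 4) -> List[Tuple[str, str]]:
    """Replay a list of (host, heartbeat_ok, ping_ok) events; return alerts only."""
    flt = HeartbeatFilter(threshold)
    return [r for r in (flt.observe(*e) for e in events) if r[1] == "alert"]


# Constructed sample: a student laptop that keeps sleeping vs. an endpoint
# that is up but whose agent has stopped reporting.
SAMPLE = (
    [("laptop-1", False, False)] * 6 + [("laptop-1", True, True)]   # asleep, then back
    + [("lab-pc-7", False, True)] * 5 + [("lab-pc-7", True, True)]  # stuck, then recovers
    + [("lab-pc-7", False, True)] * 3                               # fails again, under threshold
)

if __name__ == "__main__":
    for host, _ in run(SAMPLE):
        print(f"ALERT: {host} missed heartbeats while still reachable")
```

With the sample stream only `lab-pc-7` produces an alert, and only once; the sleeping laptop never does.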