Security Heartbeat Functionality and Issues

Question

I sent an email to my account manager and sales engineer and am awaiting a reply, but it might be a few days. I hope the community can help me out in the meantime.
 
 We have a fairly new XG 230 implementation at a school. We are trying to use Security Heartbeat, but it seems pretty unusable. Other implementations with smaller XGs and a dozen or fewer business users seem fine.
 
 Here is why: 
 
 #1 
 Alerts are generated for offline computers. My support team gets a bunch of emails and they are not happy.
 Is there a threshold that can be adjusted via CLI (say, match the condition for x minutes before raising an alert)?
 Is there something that can be done to suppress messages for offline computers?
 
 #2 
 Had a machine that could not download updates. Its condition was red because it's not up to date, and it can't update because it is red. However, the machine could still reach internal network resources.
 
 I modified the LAN to WAN rule so it could access the internet if yellow (no restriction!). Then it could update. What's the point though?
 
 I observed the LAN to LAN rule is set to block if greater than yellow. There must be something more to do here, since LAN to LAN traffic doesn't route through the XG when both machines are on the same subnet.
 
 Then I found...
 https://community.sophos.com/products/xg-firewall/f/initial-setup/82578/how-to-make-security-heartbeat-work 
 What do we think of the solutions here? 
 I created a rule with the FQDNs below and put it on top, with no heartbeat restriction. I see some traffic through the rule, but not much. The counter hasn't incremented for hours.
 sophos.com 
 mojave.net 
 sophosupd.com 
 sophosupd.net 
 sophosxl.net 
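
For anyone wanting to sanity-check which hostnames a list like this would cover, here is a minimal Python sketch. It assumes plain suffix matching (the domain itself plus any subdomain), which may not be how the XG evaluates FQDN hosts. The function name and the test hostnames are made up for illustration.

```python
# Domains copied from the rule above.
ALLOWED_DOMAINS = (
    "sophos.com",
    "mojave.net",
    "sophosupd.com",
    "sophosupd.net",
    "sophosxl.net",
)


def is_allowed(hostname: str, domains=ALLOWED_DOMAINS) -> bool:
    """Return True if hostname equals a listed domain or is a subdomain of one.

    Assumption: simple suffix matching on label boundaries. This is an
    illustration only, not the firewall's actual matching logic.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    # Illustrative hostnames only.
    for name in ("sophos.com", "updates.sophosupd.com", "notsophos.com"):
        print(name, is_allowed(name))
```

Note that a name such as notsophos.com does not match, because the check only accepts a listed domain on a dot boundary.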
 
 Then I called Support as I am anxious to hear something. 
 I'm told that it's normal that when a machine is shut down, it will report and we will get an email message. For a school with student laptops (awake, asleep, awake, asleep every class and sometimes several times in a class), this means each offline event will be an alert (for 50 computers, say 400 messages a day might be typical). This makes the product unmanageable from an alerting point of view. Unable to see the fire through the weeds.
 
Here's how I would like to see it work:
 
 When a machine is turned off, the heartbeat will stop. 
 Some machines take a while to shut down. 
 Make a failed heartbeat equal to no heartbeat plus a successful ping to the endpoint. 
 Have a CLI threshold where I can say I want 4 failed heartbeats prior to sending an alert.
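
To make the wish list above concrete, here is a rough Python sketch of the logic I have in mind. It is purely hypothetical: the names EndpointState and observe are mine, and nothing here reflects how the XG or Central actually work. A failed heartbeat only counts when the heartbeat is missing and the endpoint still answers ping, and an alert is raised only after a configurable number of consecutive failures.

```python
from dataclasses import dataclass


@dataclass
class EndpointState:
    """Per-endpoint counters (hypothetical, for illustration only)."""
    failed_count: int = 0
    alerted: bool = False


def observe(state: EndpointState, heartbeat_seen: bool, ping_ok: bool,
            threshold: int = 4) -> bool:
    """Process one heartbeat interval; return True if an alert should fire now."""
    if heartbeat_seen:
        # Healthy interval: clear the failure count and re-arm alerting.
        state.failed_count = 0
        state.alerted = False
        return False
    if not ping_ok:
        # No heartbeat and no ping reply: the machine is off or asleep.
        state.failed_count = 0
        return False
    # No heartbeat, but the machine answers ping: a genuine failed heartbeat.
    state.failed_count += 1
    if state.failed_count >= threshold and not state.alerted:
        state.alerted = True
        return True
    return False


if __name__ == "__main__":
    laptop = EndpointState()
    # Four intervals without a heartbeat while the laptop still answers ping.
    print([observe(laptop, heartbeat_seen=False, ping_ok=True) for _ in range(4)])
```

With this logic a laptop that simply goes to sleep never alerts, and a machine that is up but silent alerts once, on the fourth missed heartbeat.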

On to the topic of isolating a machine that's alerting. We spoke about this and I was told that a machine cannot be isolated from the local network. It can only be isolated if traffic is flowing through the UTM (I think she meant XG). My understanding (and that of Brian and Garth) was that a machine that has caused an alert would be blocked from all communication. Is there someone who can explain this mechanism?
 
Here's how I would like to see it work:
 
The XG communicates its rules to Central. Why? Because I have a rule that allows communication to the WAN, even when Red, to my Kaseya management server and to a random list of Sophos servers (see earlier email below), so machines can update and so I can remote in and work on them (we are 2 or more hours away from some client sites).
 The Endpoint alerts Central. The XG blocks traffic based on its rules. Since this alone isn't really effective:
 A network driver is installed on the endpoint and filters network access based on the XG rules that allow communication, so an out-of-date machine can still get updates while being blocked from local LAN communication.

Any input is appreciated so I can understand how this works, is supposed to work, or won't work. I've turned it off for the moment for one customer. Leaving it on for the little ones. 
 Regards, 
 David

axsom1 · Accepted Answer

Hi David, 
 I can comment a little on how security heartbeat works: 
 The most important aspect is that you must segment the traffic you want to "protect" via heartbeat rules. So workstations should not be on the same network segment as your servers, etc. This forces the traffic to traverse the XG and get processed for allow/deny rules (there is a new feature in development that will isolate endpoints, but that's down the road as I understand). 
 In practice, the firewall, once registered with Central, knows which endpoints are managed and learns the IP that endpoints will use for heartbeat. Once the firewall has registered, Central notifies the clients, at which point the endpoints communicate their heartbeat to the firewall directly via this magic IP (you can find it in the heartbeat.xml config file).
 Once this is done, the endpoint sends a heartbeat every 15 seconds or so. The heartbeat is small and the firewall can process these packets pretty quickly. 
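
To put rough numbers on that, here is a small Python sketch. It assumes a flat 15 second interval (the real interval is only "15 seconds or so"), and the function names are mine. It uses the 50 endpoints and the 4 missed heartbeats mentioned in the question.

```python
HEARTBEAT_INTERVAL_S = 15  # assumption: "every 15 seconds or so"


def heartbeats_per_second(endpoints: int,
                          interval_s: float = HEARTBEAT_INTERVAL_S) -> float:
    """Average heartbeat rate the firewall sees for a given endpoint count."""
    return endpoints / interval_s


def alert_delay_seconds(missed_threshold: int,
                        interval_s: float = HEARTBEAT_INTERVAL_S) -> float:
    """Time that passes before N consecutive heartbeats have been missed."""
    return missed_threshold * interval_s


if __name__ == "__main__":
    print(f"{heartbeats_per_second(50):.2f} heartbeats/s for 50 endpoints")
    print(f"{alert_delay_seconds(4)} s before 4 missed heartbeats")
```

So 50 endpoints produce only a few heartbeats per second, and waiting for 4 missed heartbeats would delay an alert by about a minute under these assumptions.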
 As you have learned, you must be aware of what rules you are writing and what you are blocking with respect to heartbeat rules. We want to make sure that the endpoint can still communicate with Central and/or RMM tools. How you handle that is really personal preference in my opinion. I like to allow traffic for automated incident cleanup but I have seen others that block it and use jump boxes for remote troubleshooting/cleanup. 
 Hope that helps a little on how the endpoints communicate their heartbeat to the firewall. 
 Cheers.

lferrara · Answer

David, 
 I agree with your point of view. If the computer is shutting down, the heartbeat mechanism should allow some time or a dead ping before considering the PC unhealthy. Better communication and delay handling are needed. Open a feature request and post the link here so other users can vote for it.
 As Axsom1 suggested, segmentation is one of the rules of building a secure network. At a minimum, guest, company and server networks should be separated using VLANs. It takes a while, but you will get several benefits afterward. You can put IPS or another firewall between VLANs, etc.
 Do not confuse Sophos Heartbeat with a NAC product. At the moment HB can only block computer communications that cross the firewall, for example from LAN to WAN or from one LAN to another LAN (only across Layer 3).
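
A quick way to check which traffic heartbeat rules can affect is to test whether source and destination sit in the same subnet. The Python sketch below uses the standard ipaddress module. The addresses and the function name are made-up examples, and it assumes the XG is the gateway between segments.

```python
import ipaddress


def traverses_firewall(src: str, dst: str, src_network: str) -> bool:
    """Return True if traffic from src to dst leaves src's subnet.

    Assumption: anything leaving the subnet is routed through the XG,
    so only that traffic can be matched by heartbeat rules.
    """
    network = ipaddress.ip_network(src_network)
    if ipaddress.ip_address(src) not in network:
        raise ValueError(f"{src} is not inside {src_network}")
    return ipaddress.ip_address(dst) not in network


if __name__ == "__main__":
    # Same subnet: switched locally, never seen by the firewall.
    print(traverses_firewall("10.1.10.25", "10.1.10.40", "10.1.10.0/24"))  # False
    # Different subnet (for example a server VLAN): routed, so rules apply.
    print(traverses_firewall("10.1.10.25", "10.1.20.5", "10.1.10.0/24"))   # True
```

This is why putting workstations and servers in separate segments matters: only the second kind of traffic can be blocked on heartbeat status.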
 In 2018, Sophos will extend HB to block unhealthy computers completely from the rest of the network (even on the same LAN). This technology is called Stonewalling.
 I would recommend that you segment the network for future improvements (even if you move to another brand). The other option is to look at NAC products if you need granular control.
 Regards