Sophos Firewall Managing and Deploying Security Heartbeat PDF

Summary

This document provides a technical guide on managing and deploying Security Heartbeat on Sophos Firewall, including information on communication between endpoints and firewalls. It details the process, including steps for registering the firewall with Sophos Central, and various scenarios, including VPN and wireless users.

Full Transcript

Managing and Deploying Security Heartbeat on Sophos Firewall
Sophos Firewall Version: 19.0v1
Sophos Firewall FW2540: Managing and Deploying Security Heartbeat on Sophos Firewall
April 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Managing and Deploying Security Heartbeat on Sophos Firewall - 1

Managing and Deploying Security Heartbeat on Sophos Firewall

In this chapter you will learn how to manage Security Heartbeat and what you need to consider when deploying it in a production environment.

Recommended knowledge and experience:
- Requirements for Security Heartbeat
- Registering with Sophos Central and configuring Security Heartbeat

Duration: 28 minutes

Security Heartbeat with Sophos Firewall

Heartbeat: a few bytes every 15 seconds. Communication between Sophos Firewall and Central-managed endpoints carries:
- Events
- Health status
- Threat source information
- Authentication

Health status:
- GREEN: Endpoint agent is running. No active or inactive malware or PUAs detected.
- YELLOW: Endpoint agent is running. Inactive malware or a PUA has been detected.
- RED: Endpoint agent may not be running, and the device may not be protected; or active malware, malware not cleaned up, malicious network traffic or communication to known bad hosts.

The Security Heartbeat provides intelligent communication between endpoints that are managed in Sophos Central and the Sophos Firewall, so that they can coordinate their response to threats. This includes:
- A small heartbeat, which is a few bytes sent every 15 seconds
- Events such as detections
- The health status of the computer, which can be GREEN, YELLOW or RED
- Threat source information requested by the Sophos Firewall
- User details that the Sophos Firewall can use to authenticate against Active Directory

If a computer has a GREEN status, this means that the Endpoint Agent is running (so the computer is protected) and no active or inactive malware or PUAs (Potentially Unwanted Applications) have been detected. There is no risk and no action is required.

If the computer has a YELLOW status, the Endpoint Agent is running, so the computer is still protected, but inactive malware or a PUA has been detected. There is a medium risk and action may be required.

When a computer has a RED status, it can indicate that the Endpoint Agent may not be running, so the computer may not be protected. Alternatively, it could mean that active malware has been detected, malware has not been cleaned up, malicious network traffic has been detected, or there has been communication to a known bad host. There is a high risk and action is required.
How Security Heartbeat Works

- Sophos Firewall can block access to other networks and share the MAC address of a computer with red health status with healthy endpoints
- Endpoints on the far side of a router cannot drop traffic based on MAC address and are not protected by Sophos Firewall unless their traffic passes through it
- Self-isolation can be enabled in Sophos Central

Let's look at what would happen if malware is detected on a computer with Security Heartbeat.

When malware is detected on the computer, Security Heartbeat will send event information and its new health status to the Sophos Firewall. The Sophos Firewall will share the MAC address of the computer that has a red health status with the healthy endpoints.

Where traffic passes through the Sophos Firewall, it can prevent the computer with a red health status from connecting to other computers or servers, protecting them from possible infection. Where traffic is passing through, the firewall uses the IP address of the computer to identify the device.

Healthy endpoints will drop traffic from the computer with the red health status. This requires the endpoint to be able to see the MAC address that the traffic is coming from, and so will only work on local network segments and not when the traffic passes through routers.

To combat this, you can enable self-isolation in Sophos Central. With this option, the endpoint will try to isolate itself from the network and only communicate with Sophos Central to report information, download updates, and be managed. This is managed using the Threat Protection policy in Sophos Central.

The Sophos Firewall will only block the traffic from the infected computer; all the other computers connected through the same port will still have network access.
Once the Sophos Endpoint Agent has cleaned up the malware, Security Heartbeat will send its updated health status to the Sophos Firewall, and the Sophos Firewall can allow it to access hosts and networks as normal. The Sophos Firewall will also notify the other endpoints to remove the MAC address of the computer from the list of computers with a red health status.

Security Heartbeat with Sophos Firewall

- Sophos Central brokers trust between computer and firewall
- Any managed computer can heartbeat with any registered firewall

Messages exchanged with Sophos Central:
- Sophos Firewall to Central: "Register me as a firewall"
- Central to Sophos Firewall: "Here is your certificate", "This is the heartbeat IP address and port", "This is a list of IDs for computers I manage and their client certificates"
- Computer to Central: "Any messages for me?"
- Central to computer: "Here are the CAs for the Sophos Firewall certificates", "This is a list of Sophos Firewalls that are registered", "This is the heartbeat IP address and port"

Let's start by looking at how the Security Heartbeat is established between the computer and the Sophos Firewall. Sophos Central is used to broker trust between the Central-managed computer and the Sophos Firewall.

The first stage is for the Sophos Firewall to be registered with Sophos Central. This is done by entering the credentials for a Sophos Central administrator on the Sophos Firewall in SYSTEM > Sophos Central.
When the Sophos Firewall registers with Sophos Central, it receives:
- A certificate to identify itself
- The IP address and port the computers will use for the heartbeat
- A list of IDs for the computers that are managed in that Sophos Central account, and their client certificates

Shortly after the Sophos Firewall is registered, Sophos Central will provide the supported computers with the information they need to initiate a heartbeat, including:
- A list of the CAs used to generate the Sophos Firewall certificates
- A list of the Sophos Firewall IDs that are registered
- The IP address and port to use for the heartbeat

This information is stored on the computer in ProgramData\Sophos\Heartbeat\Config\Heartbeat.xml, and is updated with regular polling.

Once Central has brokered the trust by providing the required certificates and IDs, the heartbeat communication is local between the endpoint and the firewall.

As every Sophos Firewall that registers with Sophos Central has the IDs of all the managed computers, and all the managed computers have the IDs of all the registered firewalls, any managed computer can heartbeat with any registered firewall. This means that if you have Sophos Firewalls at multiple sites, it doesn't matter which site a computer is at; it will be able to heartbeat with the local Sophos Firewall.

Establishing a Security Heartbeat Connection

- Heartbeat connection initiated by computer
- Firewall and computer validate identity using data from Central
- Computer starts to transmit heartbeat

In the diagram, the computer sends "Hello" to 52.5.76.173 port 8347; the Sophos Firewall checks "Is this computer on my list of Central-managed computers?" and replies "Hello Computer".

To initiate the heartbeat connection, the computer will send a 'hello' discovery message to the IP address and port Sophos Central provided.
The IP address is a public IP address, so the computer will send the discovery message to its default gateway to be routed to the Internet. Assuming that the traffic is passing through a Sophos Firewall that is registered with Sophos Central, it will intercept the discovery message, and if the computer is on the list of managed computers it received from Sophos Central, it will respond.

The heartbeat discovery messages are never routed to the Internet if they are passing through the Sophos Firewall; however, if you perform a packet capture, the communication will appear to be between the computer and the public IP address, although it is actually taking place between the computer and the Sophos Firewall.

The computer and Sophos Firewall use the certificate information provided by Sophos Central to validate each other's identity, then establish bidirectional communication. Once this is done, the computer will start to send health information to the firewall. At the start of a heartbeat session, the computer sends:
- Health status, which includes the state of the quarantine and the status of Sophos services
- Network status, which is important for endpoints that may connect to insecure wireless networks
- Login status, which provides the name and domain of the logged-in user

If the status of any of these changes, the computer will send update messages to the Sophos Firewall.

Establishing a Security Heartbeat Connection

- Computers must be connected to the local network or via a VPN
- Sophos Firewall must be the default gateway, or the public IP must be added to the VPN profile

In the diagram, Computer A (on the local network) and Computer B (connected via VPN) establish a heartbeat; Computer C (on the Internet, not behind the Sophos Firewall) does not.

As we saw in the previous slide, computers discover a Sophos Firewall to establish a heartbeat by sending a discovery packet to a public IP. This means that the Sophos Firewall must be on the route from the computer to the Internet.
For this to be the case, the computer either needs to be connected to the local network, like Computer A in the diagram, or connected to the Sophos Firewall via a VPN, like Computer B. Computer C in this diagram cannot establish a heartbeat with the Sophos Firewall.

When a computer is connected to the Sophos Firewall via a VPN, you need to ensure that traffic to the heartbeat IP address is routed to the Sophos Firewall. This can be done either:
- By making the Sophos Firewall the default gateway; however, this will send all traffic over the VPN, which may not be desirable
- Or by explicitly adding the heartbeat IP address to the VPN networks. There is a predefined host object for this called 'SecurityHeartbeat_over_VPN'

Note that the IP address and port for Security Heartbeat can be found on the client in: ProgramData\Sophos\Heartbeat\Config\Heartbeat.xml

Register Sophos Firewall with Sophos Central

- A Sophos Firewall can only be associated with one Central account
- A Central account can have multiple Sophos Firewalls

Over the next couple of slides, we will look at how to enable and configure Security Heartbeat on the Sophos Firewall.

Before you can start using Security Heartbeat, the Sophos Firewall needs to be registered with a Sophos Central account. This can be done in SYSTEM > Sophos Central. Here you need to either provide a one-time password created in Sophos Central using the serial number of the firewall, or enter the username and password of an administrator for your Sophos Central account. Once the firewall is registered, you will be able to see it listed in Sophos Central under Firewall Management > MANAGE > Firewalls. Note that by default Central management will not be enabled for the firewall.

A Sophos Firewall can only be registered with one Sophos Central account.
If you have multiple sites, you can register multiple Sophos Firewalls in your Sophos Central account, and computers will establish a heartbeat with whichever Sophos Firewall is on their route to the Internet.

Security Heartbeat Restrictions in Firewall Rules

Source and destination-based rules using restrictions for:
- Minimum health status
- Security heartbeat required

NOTE: Destination-based rules are not applied to the WAN zone

Now that the Sophos Firewall is registered with Sophos Central, computers will automatically establish a heartbeat with it, but the Sophos Firewall won't take any action on that information. To act based on Security Heartbeat status, you apply the restrictions in the firewall rules, under 'Configure Synchronized Security Heartbeat'.

Restrictions can be based on the Security Heartbeat status of the source or the destination. This means that you can use the Security Heartbeat to prevent a compromised computer from accessing other hosts or networks, but you can also prevent computers from accessing hosts that have been compromised.

Restrictions are configured based on the minimum health status of the source or destination: GREEN, YELLOW, or No Restriction. You can also require a heartbeat. This means that a computer that is not running Sophos' Endpoint Agent, or is not managed by your Sophos Central account, would not meet the criteria. Take care when using this option.

Please note that destination-based Security Heartbeat policies are not applied to the WAN zone. If the WAN zone is the only destination zone in a firewall rule, the destination heartbeat settings will be greyed out.
Missing Heartbeat

- Devices that have established a heartbeat, then stopped
- Choose zones in PROTECT > Central synchronization
- Security Heartbeat restrictions will also block missing heartbeats
- 'Block clients with no heartbeat' also blocks devices that have never had a heartbeat
- Determined by MAC address
- Can be checked on the console: # ipset -L hb_missing

When Security Heartbeat restrictions are enabled, the Sophos Firewall will also block devices that have a missing heartbeat. These are devices that have previously established a heartbeat with the Sophos Firewall but have since stopped sending the heartbeat, possibly because they have been compromised. The missing heartbeat detection is separate from the health status, so it will detect missing heartbeats whether the endpoint had a green, yellow, or red health status. In this example, devices with a missing heartbeat will be blocked.

Please note that the option 'Block clients with no heartbeat' is unrelated to missing heartbeats and will block any device that does not have a heartbeat, whether it ever had one or not.

Once you have enabled Security Heartbeat on the Sophos Firewall, you can select the zones for which missing heartbeat detection will be applied. This is in SYSTEM > Sophos Central, then select 'Optional configurations'. Devices that are missing a heartbeat are recognized from the MAC address that the Security Heartbeat reported when it was first established.
You can check which devices are missing a heartbeat on the console by running the command:

    ipset -L hb_missing

Missing Heartbeat Detection

Use when there are frequent adapter changes:

    console> system synchronized-security delay-missing-heartbeat-detection show
    60
    console> system synchronized-security delay-missing-heartbeat-detection set seconds 120
    { "missing_hb_duration": 120 }

Use when there are frequent system state changes:

    console> system synchronized-security suppress-missing-heartbeat-to-central show
    0
    console> system synchronized-security suppress-missing-heartbeat-to-central set seconds 60
    { "suppress_missing_hb_to_central": 60 }

Additional information in the notes: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/cliGuide/concepts/SystemCommands.html#concept_udr_4z5_k5__section_tyn_bdl_t4b

You can control the behavior of Sophos Firewall when it detects that an endpoint has a missing heartbeat by either suppressing or delaying the reporting. This allows the endpoint to resume the heartbeat with Sophos Firewall before any action is taken that could disrupt a user's work. This is configured in the console.

The delay-missing-heartbeat-detection command sets the time to wait before moving the endpoint to missing heartbeat status. Use this when there are frequent adapter changes; for example, when switching between wireless and wired connections. The default setting is 60 seconds, and it can be set to between 30 and 285 seconds in multiples of 15.

The suppress-missing-heartbeat-to-central command sets the time to wait before Sophos Firewall reports the missing heartbeat status to Sophos Central. We recommend using this option if endpoints are expected to frequently sleep, hibernate, shut down, or wake up. The default setting is 0 seconds, and it can be set to between 0 and 120 seconds.
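As an added example (it is not part of the Sophos course and not Sophos code), here is a small Python model of the two console settings above. It validates values against the ranges stated in the text, shows how an endpoint's silence is classified as the delay and suppress windows change, works out the smallest permitted delay that would tolerate an observed gap such as a wired-to-wireless switch, and pulls the member list out of `ipset -L hb_missing` style output. The endpoint, its timestamps and the ipset output are constructed for the example; how the firewall sequences its own timers, and the header lines of the ipset output, are assumptions.

```python
"""Timing model for missing-heartbeat detection on Sophos Firewall.

Added illustration for this page, not Sophos code. The figures come from
the course text: endpoints heartbeat every 15 seconds;
delay-missing-heartbeat-detection defaults to 60 s and accepts 30..285 in
multiples of 15; suppress-missing-heartbeat-to-central defaults to 0 s
and accepts 0..120. That the suppress window starts when the delay
expires is an assumption of this model.
"""
from dataclasses import dataclass
from typing import Optional

HEARTBEAT_INTERVAL = 15                        # seconds, from the course text
DELAY_MIN, DELAY_MAX, DELAY_STEP = 30, 285, 15  # delay-missing-heartbeat-detection
SUPPRESS_MIN, SUPPRESS_MAX = 0, 120             # suppress-missing-heartbeat-to-central


def validate_delay(seconds: int) -> int:
    """Accept only values the delay-missing-heartbeat-detection CLI allows."""
    if not DELAY_MIN <= seconds <= DELAY_MAX or seconds % DELAY_STEP:
        raise ValueError(
            f"delay must be {DELAY_MIN}-{DELAY_MAX} in multiples of {DELAY_STEP}, got {seconds}")
    return seconds


def validate_suppress(seconds: int) -> int:
    """Accept only values the suppress-missing-heartbeat-to-central CLI allows."""
    if not SUPPRESS_MIN <= seconds <= SUPPRESS_MAX:
        raise ValueError(f"suppress must be {SUPPRESS_MIN}-{SUPPRESS_MAX}, got {seconds}")
    return seconds


@dataclass
class Endpoint:
    mac: str        # missing-heartbeat tracking is keyed on the MAC (course text)
    last_seen: int  # seconds, on the same clock as 'now'


def classify(ep: Endpoint, now: int, delay: int = 60, suppress: int = 0) -> str:
    """State of an endpoint after (now - last_seen) seconds of silence.

    'ok'               -> still inside the detection delay
    'missing'          -> blocked locally, report to Central still suppressed
    'missing_reported' -> blocked locally and reported to Sophos Central
    """
    silence = now - ep.last_seen
    if silence < validate_delay(delay):
        return "ok"
    if silence < delay + validate_suppress(suppress):
        return "missing"
    return "missing_reported"


def recommend_delay(longest_gap: int) -> Optional[int]:
    """Smallest permitted delay that keeps a silence of 'longest_gap' seconds
    (e.g. measured across an adapter switch) from being flagged as missing.
    Returns None when no permitted value is long enough."""
    needed = ((longest_gap // DELAY_STEP) + 1) * DELAY_STEP  # next multiple above the gap
    needed = max(needed, DELAY_MIN)
    return needed if needed <= DELAY_MAX else None


def parse_ipset_members(output: str) -> list:
    """Extract member entries from 'ipset -L <set>' style output: every
    non-blank line after 'Members:' is one entry (first token only)."""
    members = []
    in_members = False
    for line in output.splitlines():
        if in_members and line.strip():
            members.append(line.split()[0])
        elif line.startswith("Members:"):
            in_members = True
    return members


# Constructed sample in the shape of 'ipset -L hb_missing' output. Only the
# set name comes from the course text; the header lines are assumed.
SAMPLE_IPSET_OUTPUT = """\
Name: hb_missing
Type: hash:mac
Members:
00:1a:2b:3c:4d:5e
00:1a:2b:3c:4d:5f
"""

if __name__ == "__main__":
    # A laptop last heard 75 s ago: missing at the default 60 s delay,
    # still fine if the delay is raised to 90 s.
    laptop = Endpoint("00:1a:2b:3c:4d:5e", last_seen=0)
    print(classify(laptop, now=75))                         # missing_reported
    print(classify(laptop, now=75, delay=90))               # ok
    print(classify(laptop, now=75, delay=60, suppress=60))  # missing
    print(recommend_delay(75))                              # 90
    print(parse_ipset_members(SAMPLE_IPSET_OUTPUT))
```

The point of `recommend_delay` is that the delay has to be strictly longer than the worst gap you actually observe, and it has to land on a value the CLI accepts; measure the gap first (the heartbeat itself is every 15 seconds, so anything under 30 seconds needs no tuning), then raise the delay rather than the suppress timer, since suppress only holds back the report to Central and does not stop the local block.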
[Additional Information] https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/cliGuide/concepts/SystemCommands.html#concept_udr_4z5_k5__section_tyn_bdl_t4b

Firewall Rule Indicators

- Rule 1: Minimum source heartbeat YELLOW
- Rule 2: Minimum source heartbeat GREEN
- Rule 3: Minimum source heartbeat GREEN, Block clients with no heartbeat

Here are three firewall rules that have been configured with Security Heartbeat restrictions. The heartbeat indicator (HB) for the first rule is YELLOW. This will block devices with a RED heartbeat status. The indicator for the second rule is GREEN. This will block devices with a RED or YELLOW heartbeat status. Both rules will also block clients that have a missing heartbeat. A missing heartbeat is a device that was sending a heartbeat and then stopped. This is identified by the MAC address that was reported when the heartbeat was established.

The indicator for the last rule is GREEN with a plus symbol. This rule will block clients that have a RED or YELLOW heartbeat and devices with a missing heartbeat, but it will also block clients that have no heartbeat at all. So, when a firewall rule has a heartbeat indicator with a plus, it means that having a heartbeat is mandatory.

Please note that the heartbeat indicators are for source-based heartbeat rules only, not destination-based.

Security Heartbeat Status

- Link to the Sophos Central alert
- User and computer with the alert

On the Sophos Firewall Control Center, you can see the number of computers at each level of Security Heartbeat health status in the 'User & Device Insights' section on the right-hand side. In this example we can see that we have one computer with a RED 'Risk' status.
By clicking on the Security Heartbeat widget in the Control Center, you can get more information, including the computer hostname and IP address, and the user that is logged in. There is also a link to Sophos Central where you can get further details and take action to remediate the cause of the alert.

Security Heartbeat Restrictions in Firewall Rules

- Do you want to restrict computers with a known incident, or only allow computers with a known good health status?
- Are all computers using the firewall rule able to create a heartbeat to the Sophos Firewall?
- Do you want to prevent compromised computers from accessing sensitive applications and data?
- Do you want to prevent computers from connecting to compromised hosts?

There are no default health-based policies configured, as these are enabled per firewall rule. When configuring health-based policies there are a few questions you can ask yourself to help you choose the most appropriate configuration.

Do you want to restrict computers with a known incident, or only allow computers with a known good health status? This will help you determine whether you want to block computers with no heartbeat. If you block computers with no heartbeat, you are only going to allow computers that have a known good health status. If you allow computers with no heartbeat, you will only be blocking computers that have reported an incident.

Another consideration when deciding whether to block computers with no heartbeat is whether all the devices (computers, mobiles, printers, etc.) that will be affected by the firewall rule can create a heartbeat with the Sophos Firewall. If a computer is managed by a different Central account, or is running an unsupported OS, then it will not be able to create a heartbeat and will be blocked unless you create another firewall rule to explicitly allow that computer.
Do you want to prevent compromised computers from accessing sensitive applications and data? If so, then you need to enable the source-based health rules.

Do you want to prevent computers from connecting to compromised hosts? If so, then you need to enable the destination-based health rules.

Remember that you can configure both source and destination-based health rules in the same firewall rule.

Active Source Identification

- Security Heartbeat positively identifies the computer, associating an IP address with it
- Advanced attack: if the Sophos Firewall detects an advanced attack but cannot determine the source, it can request additional details from the computer
- Source identification: the computer sends details of its hostname, IP address, the logged-on user and the name of the process

As well as the computer sending information to the Sophos Firewall, the Sophos Firewall can request detailed information from computers that are compromised. First, the Sophos Firewall can positively identify computers using the heartbeat by associating an IP address with specific devices. If the Sophos Firewall detects an advanced attack but cannot determine the source, it can request additional details from the computer. The computer will send back details of its hostname, IP address, the logged-on user and the name of the process.
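The restriction semantics from the last few slides (minimum source or destination health, missing heartbeat, 'Block clients with no heartbeat', and destination checks not being applied to the WAN zone) together with the planning questions above, as an added Python example that is not part of the Sophos course and not Sophos code. It evaluates a candidate rule against a constructed inventory so you can see which flows the rule would block before turning it on. The Device and HeartbeatRule fields, the zone names and the inventory are assumptions made for the example; the rule semantics are the ones stated in the text.

```python
"""Dry-run model of Security Heartbeat restrictions in a Sophos Firewall rule.

Added illustration for this page, not Sophos code. It encodes the rule
semantics given in the course text:
  * minimum health GREEN blocks YELLOW and RED, YELLOW blocks RED,
    None means no restriction on that side of the rule;
  * any health restriction also blocks devices with a missing heartbeat
    (had one, then stopped; tracked by MAC, in the zones selected for
    missing-heartbeat detection);
  * 'Block clients with no heartbeat' additionally blocks devices that
    never had one;
  * destination-based checks are not applied to the WAN zone.
Device/rule fields, zone names and the inventory are constructed.
"""
from dataclasses import dataclass
from typing import Optional

HEALTH_RANK = {"RED": 0, "YELLOW": 1, "GREEN": 2}


@dataclass
class Device:
    name: str
    zone: str                        # e.g. LAN, DMZ, VPN, WAN (assumed names)
    health: Optional[str] = None     # GREEN/YELLOW/RED, None = no heartbeat right now
    missing_heartbeat: bool = False  # had a heartbeat earlier, then went silent


@dataclass
class HeartbeatRule:
    min_source_health: Optional[str] = None         # GREEN, YELLOW or None
    block_source_no_heartbeat: bool = False         # 'Block clients with no heartbeat'
    min_destination_health: Optional[str] = None
    block_destination_no_heartbeat: bool = False
    missing_heartbeat_zones: tuple = ("LAN",)       # zones selected for missing-HB detection


def _check(dev: Device, minimum: Optional[str], block_no_hb: bool,
           zones: tuple, is_destination: bool) -> Optional[str]:
    """Return a block reason for one side of the rule, or None if it passes."""
    if is_destination and dev.zone == "WAN":
        return None                       # destination checks do not apply to WAN
    if minimum is None and not block_no_hb:
        return None                       # no heartbeat restriction on this side
    if dev.health is None:
        if dev.missing_heartbeat and dev.zone in zones:
            return "missing heartbeat"    # blocked whenever a restriction is set
        if block_no_hb:
            return "no heartbeat"         # never heartbeated, and that is not allowed
        return None                       # never heartbeated, and that is allowed
    if minimum is not None and HEALTH_RANK[dev.health] < HEALTH_RANK[minimum]:
        return f"health {dev.health} below minimum {minimum}"
    return None


def evaluate(rule: HeartbeatRule, src: Device, dst: Device) -> tuple:
    """(allowed, reason) for one src -> dst flow matched by 'rule'."""
    reason = _check(src, rule.min_source_health, rule.block_source_no_heartbeat,
                    rule.missing_heartbeat_zones, is_destination=False)
    if reason:
        return False, f"source {src.name}: {reason}"
    reason = _check(dst, rule.min_destination_health, rule.block_destination_no_heartbeat,
                    rule.missing_heartbeat_zones, is_destination=True)
    if reason:
        return False, f"destination {dst.name}: {reason}"
    return True, "allowed"


def impact_report(rule: HeartbeatRule, sources: list, destinations: list) -> dict:
    """Flows a candidate rule would block: the 'review your estate before
    enforcing' step from the deployment advice, done offline."""
    blocked = {}
    for s in sources:
        for d in destinations:
            ok, why = evaluate(rule, s, d)
            if not ok:
                blocked[f"{s.name}->{d.name}"] = why
    return blocked


# Constructed inventory (not real hosts).
LAPTOP_GREEN = Device("laptop-green", "LAN", "GREEN")
LAPTOP_YELLOW = Device("laptop-yellow", "LAN", "YELLOW")
LAPTOP_RED = Device("laptop-red", "LAN", "RED")
LAPTOP_SILENT = Device("laptop-silent", "LAN", None, missing_heartbeat=True)
PRINTER = Device("printer", "LAN", None)            # cannot heartbeat, never has
FILE_SERVER = Device("fileserver", "DMZ", "GREEN")
INTERNET_HOST = Device("example-site", "WAN", None)

if __name__ == "__main__":
    conservative = HeartbeatRule(min_source_health="YELLOW")        # HB indicator YELLOW
    strict = HeartbeatRule(min_source_health="GREEN",
                           block_source_no_heartbeat=True)           # GREEN with a plus
    for label, rule in (("conservative", conservative), ("strict", strict)):
        print(label, impact_report(
            rule, [LAPTOP_GREEN, LAPTOP_YELLOW, LAPTOP_RED, LAPTOP_SILENT, PRINTER],
            [FILE_SERVER, INTERNET_HOST]))
```

Running the two rules side by side shows the trade-off the planning questions are about: the conservative rule only stops the RED laptop and the one that went silent, while the strict rule also stops the printer, which is exactly the kind of device the deployment advice says to exempt with a higher-priority rule during rollout.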
Heartbeat Detections

Heartbeat-reported and Sophos Firewall-triggered detections are prefixed with 'C2/Generic':
- C2/Generic-A: Sophos Firewall detected malicious traffic from an endpoint, either to a known C&C server, performing a DNS lookup for a known C&C server, or triggering an IPS rule. Note: C2/Generic-A is only reported on the Sophos Firewall UI and not on the endpoint.
- C2/Generic-B: The endpoint detected a process that attempted to contact a known C&C server URL or IP address.
- C2/Generic-C: Sophos Firewall detected a C2/Generic-A threat and notified the endpoint to report a C2/Generic-C threat in the quarantine for the identified process.

Heartbeat-reported and Sophos Firewall-triggered detections are prefixed with 'C2/Generic'. C2/Generic-A will be reported on the Sophos Firewall when it detects malicious traffic from a computer. This could be an attempted connection to a known C&C (Command & Control) server, or a computer performing a DNS lookup for a known C&C server. C2/Generic-B is a detection by the Endpoint Agent when a process attempts to contact a known C&C server URL or IP address. C2/Generic-C is what is reported on the computer when the Sophos Firewall detected C2/Generic-A. The Sophos Firewall will notify the computer to report C2/Generic-C in the quarantine for the process that was identified.

Deploying Security Heartbeat

What are likely to be the biggest challenges to deploying Security Heartbeat effectively in a production environment?
Deploying Security Heartbeat

- Limits on the amount of control Sophos Firewall can exert when it is not being used as a core routing device
- Perceived risks in implementing a system that can automate blocking network access

When you are looking at how to deploy Security Heartbeat effectively in a production environment, the two most common points that are raised are:
1. The Sophos Firewall is being used as a perimeter device and so has limited control over the traffic. Because internal traffic may not be flowing through the Sophos Firewall, it is unable to block it based on health status. Lateral Movement Protection helps to mitigate this; however, there are often core routers that limit its effectiveness to local network segments.
2. There is a perceived risk in implementing a system that can automate blocking network access.

Deploying Security Heartbeat

If we consider the second point, what are the risks of interrupting normal business activities, and how can you mitigate against them when deploying Security Heartbeat?

Deploying Security Heartbeat

- Use firewall rules with a higher priority to allow specific traffic without heartbeat checks
- Use the option to 'Block clients with no heartbeat' sparingly
- Review the current health status of your estate in Sophos Central to assess the potential impact of enforcing health status at different levels
- Consider what level of health status is appropriate at each point, and whether the check should be source, destination or both

Mitigating the risk of deploying any new technology is largely dependent on understanding how the technology works and starting with a conservative configuration.
A few ways that you can help reduce the potential for any impact when deploying Security Heartbeat are:
1. Use firewall rules with a higher priority to allow specific traffic to pass without heartbeat checks. You may want to revisit these rules later, but they can be a useful way to prevent unexpected issues causing significant impact.
2. Use the option to 'Block clients with no heartbeat' sparingly. The reality is that there are likely to be many devices on the network that cannot establish a heartbeat with the Sophos Firewall. It is advisable to ensure these are not impacted during the initial rollout, and then return to decide how best to handle them in the long term, for example by creating specific firewall rules for them.
3. Review the current health status of your estate in Sophos Central. Consider how a rule that requires RED, YELLOW, or GREEN as the minimum heartbeat status could impact your network.
4. Consider what level of health status is appropriate when applying it to each firewall rule. It will not always be necessary to enforce a GREEN health status for everything; requiring a lower health status could help to mitigate risks during deployment. You should also consider whether you want to be checking the health of the source, destination, or both.

Deploying Security Heartbeat for VPN Users

Computers connected via VPN are always routed through the Sophos Firewall.

One of the easiest use cases is remote users connecting via a VPN, because it is most likely that the VPN connection will be to the Sophos Firewall. As we mentioned previously in this module, for a VPN user to be able to establish a heartbeat with the Sophos Firewall, the public IP address that is being used for Security Heartbeat must be included as a local network to be routed through the VPN.
Deploying Security Heartbeat for Wireless Users

Computers connected via a wireless network using separate zone security are always routed through the Sophos Firewall.

Another group of users that will be routed through the Sophos Firewall are wireless users where the wireless network is using separate zone security. Separate zone creates a secure tunnel back to a wireless interface on the Sophos Firewall.

Deploying Security Heartbeat for Network Connected Users

Diagram: Servers on VLAN 3 and Computers on VLAN 4 connected to a managed switch, which connects to the Sophos Firewall and on to the Internet.

For all network-connected users, the Sophos Firewall can isolate infected computers from accessing other network segments that it is doing the routing for. Without deploying multiple Sophos Firewalls throughout the network, how could the Security Heartbeat be effectively used? Start by considering a small network of around 100 devices.

Deploying Security Heartbeat for Network Connected Users

Use a managed switch to route inter-VLAN traffic through the Sophos Firewall.

By using a managed switch to route the inter-VLAN traffic through the Sophos Firewall, it can protect devices on different network segments.

Deploying Security Heartbeat for Bridge Mode

- Sophos Firewall can provide visibility and enforcement using Synchronized Security
- New fail-open bypass ports reduce risk for in-line deployments

The Sophos Firewall can be installed inline with any existing firewall in bridge mode, even our own SG UTM.
In this way, customers can enable Synchronized Security with Sophos Firewall without a rip-and-replace of any of their existing IT security products. Inline deployment is also an ideal way to get your foot in the door or work around any objection related to replacing their existing firewall. Think of it as a Synchronized Security appliance that works behind their existing firewall. It's easy and risk free with the bypass ports.

Deploying Security Heartbeat for Discover Mode

Sophos Firewall can provide visibility and insights using Synchronized Security (no enforcement). In the diagram, the Sophos Firewall is connected to a SPAN port on the switch, behind the existing firewall.

The Sophos Firewall has always supported Discover Mode (aka TAP Mode) deployments, where you simply connect the Sophos Firewall behind an existing firewall to a SPAN port (aka mirror port) on a switch to get a feed of the live network traffic. Synchronized Security is supported in Discover Mode. This provides another option for environments that are not ready to displace their existing solution but want the additional insights a Synchronized Security appliance can provide.

Deploying Security Heartbeat for Discover Mode

In the diagram, the Sophos Firewall has LAN ports connected to the switch and a WAN port, behind the existing firewall.

For Synchronized Security to work in Discover mode, the Sophos Firewall must be able to communicate with both Sophos Central and all the clients. For this reason, the Sophos Firewall will need a WAN interface to provide a default gateway, so that it can register and communicate with Sophos Central, and one or more LAN interfaces that are able to communicate with all the endpoints. If there are any Discover mode interfaces on the Sophos Firewall, it will update Sophos Central with all the LAN interface IP addresses.
This information will be provided to the Sophos Central-managed endpoints and can be found in the Heartbeat.xml file. All endpoints will still always try to initialize a heartbeat by sending messages to the public IP address 52.5.76.173 on port 8347. If there is no response from the Sophos Firewall, the endpoint will send the heartbeat traffic to the first available IP address from Heartbeat.xml.

Chapter Review

Here are the main things you learned in this chapter:
- Devices with a Security Heartbeat are identified by their IP address when the traffic is passing through the firewall. For lateral movement protection, other devices use the MAC address of endpoints with a RED health status to drop traffic.
- Central brokers trust between the endpoints and the firewall using certificates, but the heartbeat is established between the endpoint and the firewall.
- Endpoints use a public IP address to establish the heartbeat with the firewall, so it is routed through the Internet gateway, which should be the Sophos Firewall. For this reason, endpoints need to be connected directly to the network or via VPN.
