Difference between Security heartbeat isolation and device isolation feature in threat protection policy?

Hi, 

From what I have read heartbeat and or isolation works on multiple levels, so if you have computers A, B and an XG Firewall and if computer A sets off and alert,

you will see-

Computer A will isolate itself (if possible) from all other traffic or other devices (not sure if this is only sophos central registered devices or any)

Computer B will isolate itself from any traffic from Computer A

If you have heartbeat with the XG, then the XG will also isolate Computer A as well.

I would think you could have this without XG it just does not isolate the firewall side but still isolates the device side of things.

Hi, 

From what I have read heartbeat and or isolation works on multiple levels, so if you have computers A, B and an XG Firewall and if computer A sets off and alert,

you will see-

Computer A will isolate itself (if possible) from all other traffic or other devices (not sure if this is only sophos central registered devices or any)

Computer B will isolate itself from any traffic from Computer A

If you have heartbeat with the XG, then the XG will also isolate Computer A as well.

I would think you could have this without XG it just does not isolate the firewall side but still isolates the device side of things.

There are also some good reads here on both:

https://community.sophos.com/kb/en-us/133016

https://docs.sophos.com/nsg/sophos-firewall/v16058/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/HeartbeatConfiguration.html

Could you let me know what it means when u say XG will isolate Computer A as well. What is the functionality of that when Computer A is already isolating itself from the firewall and other devices.

Hi Kandarp,

Device isolation will lock down network access to the machine with some allowances such as Sophos communications and the exclusions you create.

Security Heartbeat isolation allows you to specify what is the minimum health status on the machine is before specific network access is restricted.  For example if a machine is in yellow health status, you can block access to WAN but still allow access to your LAN/DMZ network.  With a red health status you can block access to WAN/LAN/DMZ.  This can also be fine tuned to specific networks or users.

The best way to think of it is like this:

The SFOS can be configured to prevent access to other subnets and to the outside world based on the endpoint's health (GREEN, YELLOW, or RED) - transmitted through the heartbeat.

The Endpoint can be configured to isolate itself if it goes to RED Health - this prevents communication within the subnet and to the outside world to stop lateral movement and communication back to CnC servers. 

There is overlap between the two elements but they work together to enhance the entire security posture. We offer them in tandem to allow this protection to customers who only buy one product but they can get further enhanced security by combining the two products. 

In general, Endpoint Isolation is faster - it triggers as soon as the health state changes by injecting into the Windows Firewall rules limiting all access except to Sophos Central and to any excluded IP addresses configured in the policy.

The SFOS firewall rules allow for greater granularity and can be based on destination Health level (never set that for rules going out of the network - nothing on the internet will have a Health status in your SFOS) so can be used to allow limited access to hosts as needed. It can also trigger on YELLOW health instead of just RED. 

To add to it - there is also the stonewall mechanic where the SFOS can transmit a list of blacklisted IPs (based on their RED HEALTH) to all the other managed endpoints and they will block incoming traffic from those hosts at their NIC.

There are further products coming out to help enhance the internal network security at each node in the near future.

I hope this helps.