
Heartbeat with Sub-Estate central deployment

Hi,

We have Enterprise Sophos Central with a sub-estate for each site. At each site there is a pair of XG firewalls acting as the gateway for the site, and each pair is associated with the related sub-estate.

At each site there are some clients, and the clients are registered with the related sub-estate.

When a client associated with one sub-estate moves to another site, we see on the XG firewall of that site that the heartbeat of this client is not working.

It seems that the XG firewall (in the log, LAN IP 172.18.50.40) is rejecting the heartbeat message from the client PC associated with another sub-estate.

Could this be a limitation of the sub-estate deployment? Can clients move between sites and have their heartbeat accepted and processed by all XGs?

Thank you



This thread was automatically locked due to age.
  • Hi  

    AFAIK the Heartbeat Certificate Hierarchy establishes and maintains trust between Sophos Firewall (XG) and Sophos Endpoint (Cloud-managed).

    The Endpoint knows exactly what FW Server Certificate to expect and pins it. The Firewall knows exactly what EP Client Certificates to expect and pins them.

    Both Endpoint and Firewall further check that the respective client (EP Client Certificates) and server (FW Server Certificate) certificates have been signed by the current Central Customer CA (which establishes intra-customer trust between Firewalls and Endpoints).

    If this trust check fails, the heartbeat will reject the packet, and this could be the reason for what you are observing when moving from one sub-estate to another.

    As of now, you may post your request on the Ideas portal; if there is any possibility for the PM/Dev team to consider such a feature, you will get further updates there.

    https://ideas.sophos.com/forums/428821-sophos-central

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

