Heartbeat with Sub-Estate central deployment

Hi,

We have Enterprise Sophos Central with a sub-estate for each site. In each site there is a pair of XG firewalls acting as a gateway for the site, and each pair is associated with the related sub-estate.

In each site there are some clients, and the clients are registered with the related sub-estate.

When a client associated with one sub-estate moves to another site, we see on the XG firewall of that site that the heartbeat of this client is not working.

It seems that the XG firewall (in the log, LAN IP 172.18.50.40) is rejecting the heartbeat message from the client PC associated with another sub-estate.

Could this be a limitation of the sub-estate deployment? Can a client move between sites and have its heartbeat accepted and processed by all XGs?

Thank you



  • Hi  

    AFAIK the Heartbeat Certificate Hierarchy establishes and maintains trust between Sophos Firewall (XG) and Sophos Endpoint (Cloud-managed).

    The Endpoint knows exactly what FW Server Certificate to expect and pins it. The Firewall knows exactly what EP Client Certificates to expect and pins them.

    Both Endpoint and Firewall further check whether the respective client (EP Client Certificates) and server (FW Server Certificate) certificates have been signed by the current Central Customer CA (which establishes intra-customer trust between Firewalls and Endpoints).

    If this trust check fails, the heartbeat will reject the packet, and this could be the reason for what you are observing when moving from one sub-estate to another.

    As of now, you may post your request on the Ideas portal; if there is any possibility for the PM/Dev team to consider such a feature, you will get further updates there.

    https://ideas.sophos.com/forums/428821-sophos-central

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
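
The CA check described in the reply above, modelled with OpenSSL as an added example that is not part of the original reply and is not Sophos code. It assumes each sub-estate has its own customer CA (not confirmed on this page); the estate names A and B, the endpoint names and all certificates are constructed.

```shell
#!/bin/sh
# Constructed lab model: one private CA per sub-estate (an assumption, not
# confirmed Sophos behaviour) and endpoint certificates issued per estate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = estate name (hypothetical)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Customer CA $1 (constructed)" \
    -keyout "$WORK/ca-$1.key" -out "$WORK/ca-$1.pem" 2>/dev/null
}

issue_endpoint() {     # $1 = endpoint name, $2 = issuing estate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/ca-$2.pem" -CAkey "$WORK/ca-$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Firewall-side decision: accept the heartbeat only if the endpoint
# certificate chains to the CA of the firewall's own estate.
firewall_check() {     # $1 = firewall's estate, $2 = endpoint name
  if openssl verify -CAfile "$WORK/ca-$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo accept
  else echo reject
  fi
}

make_ca A
make_ca B
issue_endpoint laptop-01 A   # registered in sub-estate A
issue_endpoint laptop-02 B   # registered in sub-estate B

# laptop-01 roams from site A to site B
echo "site A firewall, laptop-01: $(firewall_check A laptop-01)"
echo "site B firewall, laptop-01: $(firewall_check B laptop-01)"
echo "site B firewall, laptop-02: $(firewall_check B laptop-02)"
```
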


  • How big is your setup? In total? Why are you using the Enterprise Dashboard / Sub_Estates? There are some points which need to be dealt with in case of bigger setups.

    I saw some customers running Enterprise dashboard with 100 endpoints in total, which is completely not the use case of this setup.

  • The setup is about 400 endpoints spread between three countries.

    Sub_Estates were chosen for some reasons: one was scale of management, the other the licence model. But the reason why does not matter now.

    What matters is that this limitation is not documented at ALL!

    If you want to help me or any user that uses Sophos, please give me a workaround or raise a feature request.

     

    Thank you