I have my router --> Fortinet firewall - Sophos configured in bridge mode - Intercept X 300 users. I also activated synchronised security, but I could not see any heartbeat. What can be the problem?
Hey Jingeo,
Have you also followed the steps to enable and verify heartbeat? Please see here for KBA reference.
Related: Sophos XG Firewall v17: How to configure Synchronized Application Control (SAC)
Regards,
Hi All,
Intercept X does not contain the SAV engine and only contains ML, Exploit Prevention, Sophos Clean, RCA and Heartbeat. True, it does contain Heartbeat and does work with Sophos XG.
Logs from the machine
18.352519 PortA, IN: IP 192.168.20.5.49772 > 52.5.76.173.8347: Flags [P.], ack 1, win 2053, length 141
21:37:18.352532 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [.], ack 142, win 237, length 0
21:37:18.352824 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [.], ack 142, win 237, length 1460
21:37:18.352865 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [.], ack 142, win 237, length 1460
21:37:18.352888 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [P.], ack 142, win 237, length 1176
21:37:18.353402 PortA, IN: IP 192.168.20.5.49772 > 52.5.76.173.8347: Flags [.], ack 4097, win 2053, length 0
21:37:18.478755 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [P.], ack 142, win 237, length 1073
21:37:18.491187 PortA, IN: IP 192.168.20.5.49772 > 52.5.76.173.8347: Flags [P.], ack 5170, win 2048, length 1305
21:37:18.492208 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [P.], ack 1447, win 260, length 7
21:37:18.492548 PortA, OUT: IP 52.5.76.173.8347 > 192.168.20.5.49772: Flags [R.], seq 5177, ack 1447, win 260, length 0
Heartbeat.log
2018-08-22 21:40:37 INFO HBSessionHandler.cpp[2358]:89 removeDirtySessions - Number of sessions: 0
2018-08-22 21:40:38 INFO HBSessionHandler.cpp[2358]:116 findPinnedEndpointIdentity - Number of sessions: 1
2018-08-22 21:40:38 INFO HBSession.cpp[2358]:468 logNewSession - New Session: [192.168.20.5]:7618 connected
2018-08-22 21:40:38 INFO EndpointStorage.cpp[2358]:114 endpoint_connectivity_cb - Connectivity changed for <bc46ed33-2f7c-47ec-8c1d-57263131c9b7>: <4> -> <1>
2018-08-22 21:40:38 INFO ModuleEac.cpp[2358]:98 sendEacMessage - send EacSwitchRequest to endpoint (IP=192.168.20.5)