
Block clients with no heartbeat

Hello,

can someone please describe in a few words, what "Block clients with no heartbeat" really does?
The one-liner from the online help doesn't really say more than is shown on the rule options.
I have a problem understanding how this check-box makes sense when I already select: Minimum HB permitted: GREEN



  • If the rule applies (First match), XG considers your filter on the rule. 

    The firewall rule and all things will be applied, no matter what. 

    If the minimum HB is not met, it will be blocked. (You select minimum green, the client is RED.)

    If the client does not HB and you select "block Client with no HB", it will be blocked.

  • sorry, I don't get it

    Cannot see how it really is useful in a real world scenario. Maybe I have to read your lines tomorrow again and have an enlightenment then. ;-)

  • "Block Clients without Heartbeat" = NAC with Sophos Endpoint.

    Green/Yellow/No Restriction Minimum = In case you want only clients with a certain HB status communicating in your network.

    You need only one rule. It's not a selection criterion, instead only an on-top control feature for your desired network.

    You want only HB Clients to communicate through XG? Select the checkbox, XG will block everything else that does not have an Endpoint installed.

    You want only green HB Clients talking to WAN? Select green as minimum requirement and block everything without.

    You have a mixed setup, some clients with EP, some without in one network. Don't select to block Clients without and use HB only if available.

  • Thanks LuCar Toni.

    So in this example I have indeed a mix of devices with and without HB that need to access a server.

    Now this rule has been created by some other admin here:

    Will a user of a device without HB be allowed to access the server? It should, right?

    Only if the device had HB but was marked as HB RED, it would be denied, true?

  • That's correct. The User with no Endpoint installed should be able to use this rule.
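
The behaviour described in the replies above, modelled as an added example (not part of the thread and not Sophos code). The names `HB`, `RuleHeartbeatOptions`, `allowed` and `decision_matrix` are hypothetical, and the logic assumes the replies describe the rule options correctly.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class HB(IntEnum):
    """Heartbeat health reported by an endpoint; higher is healthier."""
    RED = 0
    YELLOW = 1
    GREEN = 2


@dataclass(frozen=True)
class RuleHeartbeatOptions:
    # None models "No restriction". Field names are illustrative, not XG keys.
    minimum_hb: Optional[HB]
    block_no_heartbeat: bool


def allowed(opts: RuleHeartbeatOptions, client_hb: Optional[HB]) -> bool:
    """Decide whether a client that matched the rule may pass.

    client_hb is None for a device that sends no heartbeat at all
    (for example, no endpoint installed).
    """
    if client_hb is None:
        # A minimum status cannot be compared against a missing heartbeat,
        # so only the checkbox decides for these devices.
        return not opts.block_no_heartbeat
    if opts.minimum_hb is None:
        return True
    return client_hb >= opts.minimum_hb


def decision_matrix(opts: RuleHeartbeatOptions) -> dict:
    """Return the allow/block verdict for every possible client state."""
    states = {"no heartbeat": None, **{s.name: s for s in HB}}
    return {name: "allow" if allowed(opts, hb) else "block"
            for name, hb in states.items()}


if __name__ == "__main__":
    # Mixed network from the thread: minimum GREEN, checkbox not selected.
    mixed = RuleHeartbeatOptions(minimum_hb=HB.GREEN, block_no_heartbeat=False)
    # NAC-style rule: minimum GREEN and checkbox selected.
    nac = RuleHeartbeatOptions(minimum_hb=HB.GREEN, block_no_heartbeat=True)
    for label, opts in (("mixed", mixed), ("nac", nac)):
        print(label, decision_matrix(opts))
```

The two settings differ only in the "no heartbeat" row, which is why the checkbox is not redundant with a GREEN minimum.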