Sophos heartbeat blocks SEP users when disconnecting Ethernet

Hello,

Users are blocked for a minute plus when they disconnect from the office wired network by our XG firewall heartbeat. Turning off and turning their wireless back on will sometimes fix the issue, but mostly they'll just have to wait. I'm opening a ticket with them to see if we can disable that particular rule, but I was wondering if Sophos Endpoint Protection can be detected on all active interfaces and not just the active connection? I'm not very knowledgeable about how the heartbeat works, but please let me know if this is possible.

Currently affected versions are Windows 11.5.4. Some Mac versions have been affected in the past.



  • Michael,

    Yours is a nice question. I will give you my advice and how heartbeat works:

    • XG and Endpoints communicate with Sophos Central
    • A secure communication between XG and Computers is established
    • XG takes only the computers declared inside the Sophos Central
    • XG reads the status of endpoint and decides the action to take

    I guess that you are using "Missing heartbeat" on firewall rules and Missing Heartbeat zones. Because the relation works using Mac-Address, the computer is already registered with an IP (so the associated MAC-ADDRESS) inside Sophos Central and the same computer tries to register with another network card (different IP), XG and Sophos Central think that spoofing is occurring.

    So the only way to force the same computer to reauthenticate is to switch the primary connection off and connect using another connection. Remember that every 15 seconds a HB message is exchanged, so your disconnect/connect operation must be longer than 15 seconds.

    This is my point of view but Support or can confirm or add extra information.

    Regards
