1. The purpose of the article
This article explains how to configure the Security Heartbeat feature. Security Heartbeat lets the system react to and contain problems in the network on its own, which saves administrators troubleshooting time and helps prevent viruses from spreading through the system.
- The internet is connected to Port 2 of the Sophos XGS firewall, which has the IP 192.168.2.103.
- The LAN is configured on Port 1 with IP 10.146.41.1/24, and DHCP is configured to assign addresses to connected devices.
- In the LAN there are 2 devices. The first is a server running Windows Server 2016 named adserver, with IP 10.146.41.10/24 and Sophos Endpoint installed.
- The second is a Windows 10 laptop named DESKTOP-SJAJN20, with IP 10.146.41.100/24 and Sophos Endpoint installed.
We will synchronize the account on Sophos XGS to enable the Security Heartbeat feature, then configure the feature in the policy that allows internet access.
Then we will run a test virus file on the Windows 10 machine DESKTOP-SJAJN20 to check whether Sophos XGS disconnects this machine from the internet when the virus is detected, and whether it restores the device's internet connection after the virus has been successfully handled.
4. What to do
- Log in to the Sophos Central account on Sophos XGS.
- Configure the Security Heartbeat feature in the policy.
- Run the virus file on the Windows 10 machine and check whether the computer has been isolated from the system.
- Check that the virus is handled automatically and that the Windows 10 computer's connection is restored.
5.1. Log in to the Sophos Central account on Sophos XGS
Log in to the Sophos Firewall admin page, go to PROTECT > Central Synchronization and click Register.
Enter the Sophos Central account and password in the Register device with Sophos Central panel and click Register.
Wait a few seconds for the login to complete; the Security Heartbeat feature is then turned on automatically.
After logging in and turning on Security Heartbeat, go to MONITOR & ANALYZE > Control Center to see the status of the computers reported by Security Heartbeat.
There are currently 2 devices sending Security Heartbeat signals to the Sophos XGS firewall, and both are in the green state, which means they are currently safe.
If the endpoint on a device detects a virus, it immediately changes the device's state and sends the new state to the firewall via Security Heartbeat. The firewall updates the device's status, and depending on the severity of the virus the state changes to yellow or red.
When a device has a yellow or red status, you can click the icon in the Warning box (yellow status), Missing (red status) or At risk (red status) to see which device is having problems.
5.2. Configure the Security Heartbeat feature in the policy
To configure Security Heartbeat we need to edit a policy; here we will edit the policy that allows devices in the internal network to access the internet.
Go to PROTECT > Rules and policies and left-click the policy name to edit it.
The section of interest is Configure Synchronized Security Heartbeat.
Setting Minimum source HB permitted to GREEN means that a device with green status can access the internet, while devices with yellow or red status are isolated and cannot access the internet; they are de-isolated only when the device's status is no longer red.
The option Block clients with no heartbeat means that if a computer in the system does not have the endpoint installed, the Sophos firewall isolates that device, preventing it from accessing the internet and from communicating with other devices in the same network subnet.
After the configuration is complete, click Save to save.
5.3. Run the virus file on the Windows 10 machine and check whether the computer has been isolated from the system
First, ping 18.104.22.168 to confirm that the computer still has internet access while its Sophos Endpoint status is green.
To download the virus test file, go to eicar.com and click DOWNLOAD ANTI MALWARE TESTFILE.
Next, click eicar.com to download the virus test file.
After the download, Sophos Endpoint detects the virus. Sophos Endpoint then changes the status of this computer to yellow, issues a warning and disconnects the computer's internet access.
After changing the infected computer's status to yellow, Sophos Endpoint sends a Security Heartbeat signal to the Sophos firewall so that the firewall updates the status of this device.
To check, go back to the Sophos admin page and open Dashboard > Security Heartbeat; it shows that 1 machine is currently in the yellow Warning state.
To see which machine is in this state, click the number 1 in Warning; the Sophos firewall displays the information of the machine with yellow status.
Sophos Endpoint automatically processes the virus file on that computer. After processing, Sophos Endpoint reports that the virus file has been cleaned up and returns the computer's status to green.
It then sends the computer's status to the Sophos firewall via Security Heartbeat, and when the firewall updates the status to green, it restores the computer's original internet connection.
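The following Python model ties together the policy semantics from section 5.2 (Minimum source HB permitted = GREEN, Block clients with no heartbeat) and the test sequence from section 5.3 (green, then yellow after the test file is detected, then green again after clean-up). It is an added illustration written for this article, not Sophos code and not how the firewall is implemented internally: the heartbeat colours, the rule fields and the IP 10.146.41.200 used for a device with no endpoint are constructed for the example. It shows how each heartbeat update changes the access decision for the same source IP, including the case of a host that never reports a heartbeat at all.

```python
"""Model of a Security Heartbeat check in a firewall rule (added example, not Sophos code)."""
from dataclasses import dataclass, field
from typing import Optional

# Heartbeat colours ordered from healthiest to worst; None means "no heartbeat received".
HB_RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}


@dataclass
class HeartbeatRule:
    """The two Synchronized Security Heartbeat settings described in section 5.2."""
    minimum_source_hb: Optional[str] = "GREEN"  # None models "No restriction"
    block_no_heartbeat: bool = True

    def permits(self, status: Optional[str]) -> bool:
        """Return True if a source with this heartbeat status may use the rule."""
        if status is None:  # endpoint not installed or not reporting
            return not self.block_no_heartbeat
        if self.minimum_source_hb is None:
            return True
        # GREEN permits only green; YELLOW permits green and yellow; red is always blocked.
        return HB_RANK[status] <= HB_RANK[self.minimum_source_hb]


@dataclass
class Firewall:
    """Minimal firewall state: last heartbeat colour per source IP plus a decision log."""
    rule: HeartbeatRule
    heartbeat: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def receive_heartbeat(self, ip: str, status: str) -> None:
        """Endpoint reports a new colour; the firewall simply records the latest one."""
        self.heartbeat[ip] = status
        self.log.append(f"heartbeat {ip} -> {status}")

    def allow_internet(self, ip: str) -> bool:
        """Evaluate the internet-access rule for a source IP using its current heartbeat."""
        decision = self.rule.permits(self.heartbeat.get(ip))
        self.log.append(f"{ip} internet {'ALLOW' if decision else 'BLOCK'}")
        return decision


def replay_scenario() -> list:
    """Replay the article's test: green -> yellow (test file detected) -> green (cleaned up).

    Returns the sequence of access decisions for the laptop, followed by the decision
    for a constructed host (10.146.41.200) that has no endpoint and sends no heartbeat.
    """
    fw = Firewall(HeartbeatRule(minimum_source_hb="GREEN", block_no_heartbeat=True))
    laptop, server, no_endpoint = "10.146.41.100", "10.146.41.10", "10.146.41.200"
    fw.receive_heartbeat(server, "GREEN")
    fw.receive_heartbeat(laptop, "GREEN")
    results = [fw.allow_internet(laptop)]      # True: the initial ping succeeds
    fw.receive_heartbeat(laptop, "YELLOW")     # endpoint detects the EICAR test file
    results.append(fw.allow_internet(laptop))  # False: laptop is isolated
    fw.receive_heartbeat(laptop, "GREEN")      # clean-up finished, status back to green
    results.append(fw.allow_internet(laptop))  # True: access restored
    results.append(fw.allow_internet(no_endpoint))  # False: blocked, no heartbeat at all
    return results


if __name__ == "__main__":
    fw_decisions = replay_scenario()
    print(fw_decisions)
```

Running the module prints the four decisions in order: allowed, blocked, allowed, blocked. Changing `minimum_source_hb` to `"YELLOW"` lets the laptop keep internet access during the yellow phase, which is the trade-off an administrator makes when choosing that option instead of GREEN.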