Synchronized Security is Sophos's most technically differentiated feature — and one of the most misunderstood. This guide explains exactly how it works, what it requires to set up, and why it matters for Indian businesses dealing with ransomware and lateral movement threats.
What Is Synchronized Security?
Synchronized Security is a Sophos-patented framework where the XGS Firewall and Sophos Endpoint Protection exchange real-time security status information through Sophos Central.
The mechanism is called the Security Heartbeat: a persistent communication channel between Sophos Intercept X (or Sophos Endpoint) installed on a device and the XGS Firewall. The heartbeat transmits health status in three states:
| Heartbeat Status | Colour | Meaning |
|---|---|---|
| Green | 🟢 | Device is clean; no threats detected |
| Yellow | 🟡 | Device has potentially unwanted apps (PUAs) or suspicious activity |
| Red | 🔴 | Active malware detected; device is potentially compromised |
The XGS Firewall uses these heartbeat signals to enforce automated firewall policies. For example, a Lateral Movement Protection policy can instruct the firewall to:
- Yellow heartbeat: Log and alert, but allow traffic
- Red heartbeat: Immediately isolate the device from all network communication except Sophos Central
This isolation happens automatically — in seconds — with no manual firewall rule change, no SIEM alert response, no IT admin involvement required.
Why This Matters — The Ransomware Problem
Traditional firewalls protect the network perimeter. They inspect traffic entering and leaving the network. What they cannot do is monitor what happens inside the network between two already-connected devices.
Ransomware typically works in stages:
- Stage 1: Initial infection via email phishing or malicious download (bypasses perimeter firewall)
- Stage 2: Lateral movement — the malware searches for other devices, file shares and domain controllers
- Stage 3: Data exfiltration (sometimes)
- Stage 4: Mass encryption of files across multiple devices simultaneously
Stage 2 — lateral movement — is where Synchronized Security provides a unique capability. When Sophos Endpoint detects the malware at stage 1, it sends a red heartbeat to the firewall. The XGS Firewall immediately isolates the device at stage 1 or early stage 2 — before the malware can communicate laterally to other devices.
Without Synchronized Security, the firewall would have no knowledge of the endpoint compromise. The infected device would continue communicating freely with other devices on the same network segment until a human detected and responded to the threat.
Technical Requirements
What You Need
- Sophos XGS Firewall — any model, running SFOS 18.5 or higher (all current models ship with SFOS 20.x)
- Sophos Endpoint Protection — specifically:
  - Sophos Intercept X (recommended — adds advanced EDR and AI detection)
  - Sophos Endpoint Protection (older, basic endpoint agent — heartbeat supported but limited)
- Sophos Central — the cloud management platform (included with Xstream Protection bundle for firewall; separate licence for endpoint)
- Both devices (firewall + endpoint) must be registered to the same Sophos Central account
Supported Endpoint Operating Systems
- Windows 10 and 11 (all editions)
- Windows Server 2016, 2019, 2022
- macOS 12 (Monterey) and later
- Linux (RHEL 7+, Ubuntu 18.04+, CentOS 7+)
The heartbeat agent is installed as part of the Sophos Endpoint client — no separate software required.
How to Set Up Synchronized Security
Step 1: Register Both Products in Sophos Central
Both your XGS Firewall and your Sophos Endpoint licences must be active under the same Sophos Central account. If you purchased both from Cloudfy, we register both in your account as part of deployment.
- Log into my.sophos.com (your Sophos Central portal)
- Navigate to Firewall Management — your XGS should appear after the firewall is activated
- Navigate to Endpoint Protection — your endpoint devices appear after the Sophos Intercept X agent is installed
Step 2: Enable Security Heartbeat on the Firewall
In the XGS Firewall web admin console:
- Go to System Services → Security Heartbeat
- Toggle Enable — the firewall registers with Sophos Central and starts accepting heartbeat signals from endpoints
Step 3: Configure Lateral Movement Protection Policy
This is the policy that tells the firewall what to do based on heartbeat status.
In the XGS Firewall admin:
- Go to Protect → Rules and Policies → Lateral Movement Protection
- Create a new policy:
  - Yellow heartbeat: Choose Alert (log the event but don't restrict)
  - Red heartbeat: Choose Restrict — this isolates the device to only Sophos Central communication
The "restrict" action blocks all network traffic from/to the device except:
- DNS (UDP 53) — so the device can still resolve names
- DHCP — so the device can renew its IP
- Sophos Central communication (port 443 to Sophos Central endpoints)
These exceptions are intentional: Sophos Central needs to reach the endpoint to deliver the cleanup task and restore the device to a green heartbeat state.
Step 4: Enable Endpoint Isolation (Sophos Central)
In Sophos Central (not the firewall):
- Go to Endpoint Protection → Policies → Threat Protection
- Enable Endpoint Isolation — this allows Sophos Central to instruct an endpoint to self-isolate (separate from the firewall isolation)
When both are enabled, you have layered isolation:
- Firewall isolation: blocks network traffic at the switch/firewall level
- Endpoint isolation: the Sophos client on the device itself blocks inbound/outbound connections
Step 5: Test the Configuration
Cloudfy recommends a live test after deployment:
- Use the EICAR test file to simulate a detection on a test machine
- Verify that the test machine receives a red heartbeat in Sophos Central
- Verify the XGS Firewall's Lateral Movement Protection logs show the device as restricted
- Verify the test machine cannot ping other network devices during the restriction
- Clean the test file and verify the device returns to green heartbeat
This takes 10–15 minutes and confirms the end-to-end configuration is working.
Security Heartbeat in Sophos Central Dashboard
In Sophos Central, the Security Posture dashboard shows an aggregate view of heartbeat health across all endpoints. You can see:
- Number of devices with green, yellow and red heartbeats in real time
- Timeline of heartbeat colour changes
- Which specific devices triggered a red heartbeat and when
- What threat was detected (from the Intercept X alert)
This cross-product visibility is a genuine operational improvement for IT teams — you don't need to pivot between the firewall logs and the endpoint console separately.
Common Questions
Does Synchronized Security require both products to be from Sophos?
Yes. Security Heartbeat is a proprietary Sophos protocol. It only works between:
- Sophos XGS Firewall (or SG/XG series with SFOS)
- Sophos Intercept X or Sophos Endpoint Protection
If you have a Fortinet firewall and Sophos Endpoint, there is no heartbeat integration. If you have a Sophos firewall and CrowdStrike endpoint, there is no heartbeat integration.
Does the firewall need to see the heartbeat source IP?
The endpoint agent communicates with Sophos Central over the internet. The firewall queries Sophos Central for the heartbeat status of devices it sees on the local network, matched by IP address. This means:
- Devices on the same subnet as the XGS Firewall's LAN/VLAN interface can participate in heartbeat
- Remote devices connected via VPN also participate (Sophos VPN integration)
- Devices on network segments not visible to the firewall (behind a separate router) may require additional configuration
What if Sophos Central is unreachable?
If Sophos Central is temporarily unreachable (internet outage), the firewall continues to operate with the last known heartbeat states cached locally. The lateral movement protection policies remain active. New heartbeat updates resume once Central is accessible. The firewall never goes into a "lockdown mode" due to Central unreachability.
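As an added illustration (not Sophos code and not how SFOS is actually implemented), a small Python model of the Lateral Movement Protection policy from Step 3 (Yellow: Alert, Red: Restrict with the DNS, DHCP and Sophos Central exceptions) together with the cached-state behaviour described in this answer. The Sophos Central addresses, device IPs and function names are constructed for the example.

```python
"""Toy model of the Lateral Movement Protection logic described in this article.

Constructed for illustration, not Sophos code. Heartbeat colours, the
Yellow=Alert / Red=Restrict actions and the restrict exceptions follow the
text; IP addresses and names are made up.
"""
from dataclasses import dataclass, field

# Hypothetical Sophos Central addresses (TEST-NET-3, constructed for the example).
CENTRAL_HOSTS = {"203.0.113.10", "203.0.113.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class HeartbeatCache:
    """Last known heartbeat colour per endpoint IP, as the firewall caches it."""
    states: dict = field(default_factory=dict)
    central_reachable: bool = True

    def update(self, ip: str, colour: str) -> None:
        # Fresh colours only arrive while Sophos Central is reachable; during an
        # outage the cached colour stands (no lockdown, but also no early release).
        if self.central_reachable:
            self.states[ip] = colour

    def colour(self, ip: str) -> str:
        return self.states.get(ip, "unknown")


def is_restrict_exception(flow: Flow) -> bool:
    """Traffic a restricted device may still send: DNS, DHCP, Sophos Central."""
    if flow.proto == "udp" and flow.dport in (53, 67, 68):
        return True
    return flow.proto == "tcp" and flow.dport == 443 and flow.dst in CENTRAL_HOSTS


def evaluate(flow: Flow, cache: HeartbeatCache) -> str:
    """Return 'drop', 'alert' or 'allow' for a new flow (return traffic is
    assumed to be handled by the firewall's connection state, as usual)."""
    colours = {cache.colour(flow.src), cache.colour(flow.dst)}
    if "red" in colours and not is_restrict_exception(flow):
        return "drop"      # isolate: block traffic from/to the red device
    if "yellow" in colours:
        return "alert"     # log and alert, but let the traffic through
    return "allow"
```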
Does it work with VPN clients?
Yes. Sophos SSL VPN and IPSec remote users with the Sophos VPN client installed also participate in Security Heartbeat. Remote devices connecting over VPN can trigger firewall isolation if a red heartbeat is detected — preventing a compromised remote device from pivoting into the corporate network.
Real-World Impact for Indian Businesses
Indian businesses face specific threat patterns:
- Phishing emails remain the most common initial infection vector — often disguised as GST notices, EPFO communications or courier tracking
- Ransomware targeting SMBs has increased — attackers know SMBs are less likely to have a 24/7 SOC
- Lateral movement within flat networks (common in older office setups with a single network segment) is a primary amplification mechanism
Synchronized Security addresses the lateral movement risk specifically — without requiring a dedicated security operations centre or SIEM investment. For an Indian SMB with 20–200 users and no in-house security team, automated device isolation via Security Heartbeat provides a level of protection that would otherwise require a managed security service.
Setup Summary Checklist
- Sophos XGS Firewall active and registered in Sophos Central
- Sophos Intercept X deployed on all endpoints (Windows/Mac/Linux)
- Both products registered to the same Sophos Central account
- Security Heartbeat enabled on XGS (System Services → Security Heartbeat)
- Lateral Movement Protection policy configured (Yellow: Alert, Red: Restrict)
- Endpoint Isolation enabled in Sophos Central Threat Protection policy
- End-to-end test completed with EICAR test file
- IT team trained on Sophos Central Security Posture dashboard
For Sophos XGS Firewall deployment with Synchronized Security configuration, contact Cloudfy Systems — your authorised Sophos Firewall partner in India.
Phone/WhatsApp: +91 97600 50555
Email: connect@cloudfysystems.com
