Most people picture the firewall and the endpoint as two separate products you happen to buy from the same vendor — the firewall guards the perimeter, the antivirus guards the laptop, and that is the end of it.
Sophos Synchronized Security breaks that wall down. The Sophos Firewall and the Sophos endpoints (Intercept X), both managed in Sophos Central, share live telemetry over the Security Heartbeat. The firewall always knows each endpoint's health, so a compromised host is automatically restricted or isolated and healthy machines stop talking to it — no analyst, no ticket, no waiting. Understanding that the network and the host act as one system is the whole point of the feature, and the thing interviewers want to hear.
① The problem — the firewall and the endpoint don't talk
In a traditional network the firewall and the endpoint are blind to each other. The firewall sees packets crossing the boundary but has no idea whether the laptop sending them is healthy or already owned. The endpoint agent sees the host in detail but cannot change anything on the network. Two sensors, zero conversation.
That gap has a cost. After a phishing click, malware can sit on a machine for minutes or hours — that delay is dwell time — and reach file shares and other PCs before anyone reacts. Worse, two machines on the same switch can infect each other without ever crossing the firewall, so the perimeter never sees the lateral movement at all. The endpoint knew, the firewall could have helped, but nobody told anybody.
Why are dwell time and lateral movement a problem on a traditional network?
② What the Security Heartbeat is — and the colour model
Synchronized Security closes that gap. The Security Heartbeat is a real-time telemetry channel that connects the Sophos Firewall to the Sophos endpoints, all orchestrated through Sophos Central. Over it the endpoints continuously report health and the firewall continuously reads it, so the network finally knows what the hosts know.
Health is a colour
Each endpoint shows the firewall one of three states. GREEN means healthy. YELLOW means potentially compromised — for example a PUA was detected or the agent is inactive. RED means compromised or under active threat. The firewall sees each endpoint's colour live, which is what lets the next step — automated response — actually happen.
In an interview, frame Synchronized Security as the firewall and endpoint acting as one system over the Security Heartbeat, orchestrated by Sophos Central. The headline is that the network reacts to host health automatically — green/yellow/red — without a human in the loop.
What does a YELLOW heartbeat status indicate?
③ Automated response — isolate the sick, protect the healthy
Knowing a host is red is only useful if something acts on it. In Sophos Firewall a rule can require a minimum heartbeat status for the source and/or destination. When an endpoint turns RED, the rule automatically restricts or isolates it — often limiting it to remediation destinations only — until it returns to green. The same rule can act on a missing heartbeat: a host that should be reporting but has gone silent.
Containment at two levels
The firewall handles traffic that crosses it, but Lateral Movement Protection handles the rest. When an endpoint goes red, the healthy endpoints stop accepting its traffic — isolation enforced by the endpoint agents themselves, not just the firewall. That contains the spread even between two machines on the same subnet or switch that never touch the firewall. Once Intercept X cleans the host and it reports green again, access is restored automatically.
The firewall heartbeat policy only acts on traffic that crosses the firewall. It cannot stop two machines on the same switch infecting each other — that is Lateral Movement Protection, enforced by the endpoints. Always name both layers.
A red endpoint and a healthy one sit on the same switch and never cross the firewall. What stops the infection spreading?
④ Synchronized App Control — and setting it up without breaking it
The same channel solves a different blind spot. Pattern-based app control labels a lot of traffic as 'Unknown' or 'Unclassified' — custom apps, evasive tools, odd ports. With Synchronized App Control the firewall simply asks the endpoint which application produced that flow, turning those unknowns into named applications. The endpoint sees the process; the firewall gets the name. The Control Center also surfaces Source of Infection and Security Heartbeat reporting, and the firewall can trigger a clean-up on the endpoint over the link.
Set it up via Sophos Central
All of this needs the endpoints managed in the same Sophos Central account and registered with the firewall. Then you must enable the heartbeat requirement in the firewall rule itself. The classic failure: endpoints are not registered, or the rule never asks for a minimum heartbeat — so a red host is treated exactly like a healthy one and nothing is isolated. Register, then turn the heartbeat on in the rule, then test.
Priya at Mehta Logistics, Mumbai, faces this:
A finance laptop is hit by malware after a phishing click and keeps reaching internal file shares and other PCs for several minutes — Intercept X flagged it, but nothing on the network changed.
The endpoints report health to the firewall, but the firewall rule covering the finance VLAN has the minimum-heartbeat requirement left OFF, so a red host is treated like a healthy one.
In the Control Center the laptop shows RED, but the relevant firewall rule has no heartbeat option set — so the rule never triggers isolation and Lateral Movement Protection never contains the peer traffic.
In Sophos Central ▸ Firewall ▸ Control Center ▸ Security Heartbeat, then Rules and Policies ▸ the rule: confirm the endpoints are registered with the firewall in Central, then edit the rule to require a minimum source heartbeat and isolate a RED host (limit to remediation) until green; enable missing-heartbeat handling too.
Force a controlled detection — the laptop goes RED, the firewall isolates it, healthy endpoints stop accepting its traffic, and once Intercept X cleans it and it returns GREEN, normal access is restored automatically.
Never trust that Synchronized Security is working because the products are installed. Force a test detection and watch the host go RED in the Control Center and actually lose access. If it doesn't, the endpoints aren't registered or the rule has no minimum heartbeat.
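To make the rule logic from ④ and the Mehta Logistics scenario concrete, here is an added Python model (not Sophos code; the rule fields, host names and the REMEDIATION-SVC destination are constructed assumptions) that evaluates a flow against a heartbeat rule with the requirement left OFF versus switched ON, and applies Lateral Movement Protection for peers that never cross the firewall.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Heartbeat colours ranked by health; MISSING = a host that should report but is silent.
RANK = {"MISSING": 0, "RED": 1, "YELLOW": 2, "GREEN": 3}


@dataclass(frozen=True)
class Rule:
    """One firewall rule's heartbeat settings (field names are assumptions, not Sophos UI labels)."""
    min_src: Optional[str] = None               # None = heartbeat requirement left OFF
    min_dst: Optional[str] = None
    block_missing: bool = False                 # also act on a silent (missing-heartbeat) host?
    remediation: FrozenSet[str] = frozenset()   # destinations a restricted host may still reach


def firewall_decision(rule: Rule, src: str, dst: str, status: Dict[str, str]) -> str:
    """Verdict for a flow that crosses the firewall: ALLOW, RESTRICT or REMEDIATION."""
    for host, minimum in ((src, rule.min_src), (dst, rule.min_dst)):
        if minimum is None:                     # no heartbeat check on this side of the flow
            continue
        colour = status.get(host, "MISSING")
        if colour == "MISSING" and not rule.block_missing:
            continue                            # silent host is not handled by this rule
        if RANK[colour] < RANK[minimum]:        # below the bar: only remediation traffic survives
            return "REMEDIATION" if dst in rule.remediation else "RESTRICT"
    return "ALLOW"


def peer_accepts(receiver: str, sender: str, status: Dict[str, str]) -> bool:
    """Lateral Movement Protection: a healthy endpoint drops traffic from a RED peer,
    even on the same switch where the firewall never sees the flow."""
    return status.get(sender) != "RED"


# Constructed hosts for the finance-VLAN scenario: one RED laptop, healthy peers, one silent PC.
STATUS = {"FIN-LAPTOP-07": "RED", "FILESRV-01": "GREEN", "FIN-PC-02": "GREEN", "BUILD-PC-09": "MISSING"}
WEAK_RULE = Rule()                                            # the classic failure: heartbeat OFF
FIXED_RULE = Rule(min_src="GREEN", block_missing=True,
                  remediation=frozenset({"REMEDIATION-SVC"}))  # placeholder clean-up destination


def scenario(rule: Rule) -> Dict[str, str]:
    """What the infected laptop can reach under a rule, plus the host-to-host verdict."""
    out = {dst: firewall_decision(rule, "FIN-LAPTOP-07", dst, STATUS)
           for dst in ("FILESRV-01", "REMEDIATION-SVC")}
    out["FIN-PC-02 accepts laptop"] = str(peer_accepts("FIN-PC-02", "FIN-LAPTOP-07", STATUS))
    return out


if __name__ == "__main__":
    for name, rule in (("weak rule", WEAK_RULE), ("fixed rule", FIXED_RULE)):
        print(name, scenario(rule))
```

With the weak rule the RED laptop still reaches the file share; with the fixed rule it is limited to the remediation destination until its status returns to GREEN.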
Synchronized Security is configured but a red host is never isolated. What is the most likely cause?
📖 Glossary
- Synchronized Security: Sophos's approach where the firewall and endpoints share telemetry over the Security Heartbeat and respond together as one system.
- Security Heartbeat: the real-time channel that shares endpoint health, app identity and clean-up signals between Sophos Firewall and Sophos endpoints via Sophos Central.
- Heartbeat status: an endpoint's live health colour, green (healthy), yellow (potentially compromised) or red (compromised), that the firewall reads.
- Heartbeat policy: a setting in a firewall rule requiring a minimum heartbeat for source/destination, isolating a red or missing-heartbeat host until it goes green.
- Lateral Movement Protection: host-to-host isolation where healthy endpoints stop accepting traffic from a red one, containing spread even on the same subnet.
- Synchronized App Control: the firewall asking the endpoint to name the app behind unknown/unclassified traffic, turning 'Unknown' flows into identified applications.
- Intercept X: Sophos's endpoint protection that detects threats locally and reports health over the heartbeat.
- Sophos Central: the cloud console that connects and manages the firewall and endpoints in one account.
- Source of Infection: the Control Center view showing which host originated a detected threat.