In Sophos XG with Synchronized Security enabled, you might face a challenge when your Endpoints appear in the Control Center panel in red (Risk) from the first moment of installation of either, and that the status does not change to green (Connected) even after reboots, etc. This can be due to different scenarios, from a bad configuration, a fault like the reported WINEP-11654 bug, lack of communication between your XG and Sophos cloud, or, finally, a real risk in the Endpoints.
I will summarize the health states and meaning of the colors in the Control Center to get a clearer idea of how to read these messages:
You should take action if one or more of the following problems occur:
- Active malware detected
- Malware in execution detected
- Malicious network traffic detected
- Communications sent to a known bad host are detected
- Malware not removed
- Sophos security software not working correctly
If you are concerned about systems integrity, you should take action if one of the following problems occurs:
- Inactive malware detected
- Potentially unwanted application detected
You do not need to do anything.
In the event that the Control Center always reports equipment at risk (all, or almost all devices), the first thing would be to make sure that we have the latest firmware and software versions on both the Appliance and the Endpoints installed, and that the Endpoints appear correctly connected and without anomalies in the cloud. If this is the case, we will rule out that there is a widespread infection on the network.
At this point, we would check the communication status between the XG and the Syslog servers in Sophos Cloud. Note that the Heartbeat port that XG uses to communicate with Central Management is 6514 in addition to the HTTPS port 443 protocol.
If we do not have communication through 6514 for any reason, such as if we were behind a NAT, the Heartbeat communication would never work.