IPS on Endpoint - Heartbeat XG IPS offloading
Having IPS on Endpoint now means that, behind an XG firewall with its own IPS activated, there is a certain overlap (double checking) of certain IPS patterns.
Proposal: use the heartbeat (synch security) to check whether or not the endpoint is sitting behind an XG FW with IPS enabled. If so, the endpoint doesn't have to check them again and can save some resources.
Great idea, though that is assuming all badness comes from outside the network. An insider threat, or an external attacker with a foothold inside the network, could launch attacks internally to move laterally and infect/attack additional hosts. In that case, those malicious packets may not traverse the perimeter XG firewall. If Endpoint IPS is disabled due to being behind an XG, there is a risk of false negatives.
If Sophos could implement something whereby packets are marked as being checked by the XG IPS (some kind of flag perhaps?) that may help, but a bad guy with scapy could easily craft a packet with the marker set and bypass the endpoint IPS.
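As an added illustration (not code from the original posts or from Sophos), here is a small Python model of the decision the proposal describes, with the reply's caveat built in: the endpoint skips a flow only when the heartbeat reports an XG with IPS enabled and the flow's source lies outside the local networks, so lateral traffic is still inspected locally, and no in-packet "already checked" marker is consulted at all. The heartbeat fields and the local network ranges are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the LAN ranges the endpoint treats as "inside" the XG perimeter.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class HeartbeatState:
    """Assumed shape of what the heartbeat reports about the endpoint's position."""
    behind_xg: bool        # a heartbeat is established with an XG firewall
    xg_ips_enabled: bool   # that XG reports IPS active for the endpoint's zone


def traversed_xg_ips(hb: HeartbeatState, src_ip: str, local_nets=LOCAL_NETS) -> bool:
    """True only when a flow from src_ip must have crossed an XG with IPS on.

    A source inside the local networks (insider, or an attacker with a foothold
    moving laterally) never crosses the perimeter, so its traffic is never
    treated as pre-inspected, whatever the heartbeat says.
    """
    if not (hb.behind_xg and hb.xg_ips_enabled):
        return False
    src = ip_address(src_ip)
    return not any(src in net for net in local_nets)


def endpoint_must_inspect(hb: HeartbeatState, src_ip: str) -> bool:
    """Endpoint IPS decision: skip only flows the XG IPS already covered.

    Deliberately takes no per-packet "inspected by XG" flag as input: whoever
    builds the packet can set such a flag, so it carries no assurance. Only the
    out-of-band heartbeat state and the source's network position count.
    """
    return not traversed_xg_ips(hb, src_ip)


def triage(hb: HeartbeatState, src_ips):
    """Split flow sources into (needs local inspection, safe to skip)."""
    inspect = [ip for ip in src_ips if endpoint_must_inspect(hb, ip)]
    skip = [ip for ip in src_ips if not endpoint_must_inspect(hb, ip)]
    return inspect, skip


if __name__ == "__main__":
    hb = HeartbeatState(behind_xg=True, xg_ips_enabled=True)
    # Constructed sample sources: one external, two on the LAN.
    print(triage(hb, ["203.0.113.7", "10.1.2.3", "192.168.5.9"]))
```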