Why do blocked applications show downloaded data in daily reports

Depending on the data and the amount, Handshakes etc. can fill up the data to this amount until XG can call a block/deny. 

1/2 MB sounds like this amount of data. 

Thank you for the suggestion.

But, why doesn't it show in  logviewer?

Ian

Hi,

today's report for yesterday shows over 10MB download for a blocked application. Something not quite right!

Ian

It should show those connection as blocked. But the amount of the data is still transferred.

Look at the blocked application, there should be a filter for data transferred. 

rfcat_vk said:

today's report for yesterday shows over 10MB download for a blocked application. Something not quite right!

This sounds correct.

Most of the L7 Applications can't be identified directly at the handshake, or even at the first's packets. Some data need to flow through the firewall - so It can correctly identify It.

Thank you guys, nice try but fails badly. Why when blocked does the application download 20-30 times the amount of data before it was blocked?

Which logviewer report should show the downloaded data, the entries I have checked show no dta.

Ian

Its no "real downloaded data". Its simply the handshake and tcp frames, which will be transited the whole time until XG can close the connection.

So properly if you have thousand of applications trying to run in a day, there can be easily come 1-10 mb data. 

Hi LuCar,

your explanation might seem logical to you, but to me no.

Before being blocked.

After being blocked.

Ian

Hi LuCar,

your explanation might seem logical to you, but to me no.

Before being blocked.

After being blocked.

Ian

Isn't Sophos XG also counting the bandwidth of retransmission's ?

The connection would get reset by the firewall, and the application would try to re-establish the connection with the server multiple times.

*Just a guess.

So that gives a false impression that the block policy isn't working if you look at the application part of the reports, not the blocked  applications. The blocked application still show in the risk part of the report which would also lead people to believe the application is not blocked.

Ian

If you could create a tcpdump to such a host, we could actually see, what is going on. My first assumption is, this application tries to dial in all the time (reconnect timeout of X mins). This generates a bunch of traffic compared to "connected and sending a keep alive".