
Why do blocked applications show downloaded data in daily reports

Hi folks,

I have a couple of applications blocked by web and application policies. They show in the daily reports as being blocked.

Logviewer shows them as being blocked

The question is why do they show in the daily reports as downloading data? The amount of data which is usually between 1 and 2 MB is not the issue, it is why and how do I find which device is downloading the data?

Ian 



  • Depending on the data and the amount, handshakes etc. can fill up the data to this amount until XG can call a block/deny.

    1/2 MB sounds like this amount of data. 


  • Thank you for the suggestion.

    But why doesn't it show in logviewer?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    today's report for yesterday shows over 10MB download for a blocked application. Something not quite right!

    Ian


  • It should show those connections as blocked. But the amount of the data is still transferred.

    Look at the blocked application, there should be a filter for data transferred. 


  • today's report for yesterday shows over 10MB download for a blocked application. Something not quite right!

    This sounds correct.

    Most L7 applications can't be identified directly at the handshake, or even at the first packets. Some data needs to flow through the firewall so it can correctly identify it.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Thank you guys, nice try but fails badly. Why when blocked does the application download 20-30 times the amount of data before it was blocked?

    Which logviewer report should show the downloaded data? The entries I have checked show no data.

    Ian


  • It's no "real downloaded data". It's simply the handshake and TCP frames, which will be transmitted the whole time until XG can close the connection.

    So probably, if you have thousands of applications trying to run in a day, that can easily come to 1-10 MB of data.


  • Hi LuCar,

    your explanation might seem logical to you, but to me no.

    Before being blocked.

    After being blocked.

    Ian


  • Isn't Sophos XG also counting the bandwidth of retransmissions?

    The connection would get reset by the firewall, and the application would try to re-establish the connection with the server multiple times.

    *Just a guess.



  • So that gives a false impression that the block policy isn't working if you look at the application part of the reports, not the blocked applications. The blocked application still shows in the risk part of the report, which would also lead people to believe the application is not blocked.

    Ian


  • If you could create a tcpdump to such a host, we could actually see, what is going on. My first assumption is, this application tries to dial in all the time (reconnect timeout of X mins). This generates a bunch of traffic compared to "connected and sending a keep alive". 

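To answer the original question of which device is generating the "downloaded" bytes, and to test the reconnect theory from the replies above, it helps to aggregate the firewall's own session records rather than read the daily report. The script below is an added example, not code from the thread or from Sophos: it parses key="value" log lines in the style XG sends to syslog, keeps only denied sessions, and sums sessions and bytes per (application, source IP). The field names (status, application, src_ip, sent_bytes, recv_bytes) and the sample lines are assumptions modelled on that format; confirm them against an export from your own log viewer before relying on the numbers.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Sophos XG key="value" syslog style. Field
# names are an assumption about the format, not copied from a real device.
# Two denied sessions from .20 and one from .45 hit the same blocked app;
# the HTTPS line is allowed traffic and must not be counted.
SAMPLE_LOG = """\
device="SFW" date=2023-05-02 time=09:00:01 log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=7 application="Example Updater" src_ip="192.168.1.20" dst_ip="203.0.113.5" sent_bytes=1420 recv_bytes=4096
device="SFW" date=2023-05-02 time=09:00:31 log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=7 application="Example Updater" src_ip="192.168.1.20" dst_ip="203.0.113.5" sent_bytes=1380 recv_bytes=4210
device="SFW" date=2023-05-02 time=09:01:02 log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=3 application="HTTPS" src_ip="192.168.1.30" dst_ip="198.51.100.9" sent_bytes=52000 recv_bytes=910000
device="SFW" date=2023-05-02 time=09:01:30 log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=7 application="Example Updater" src_ip="192.168.1.45" dst_ip="203.0.113.5" sent_bytes=1200 recv_bytes=3800
"""

# key=value where the value is either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def summarize_denied(log_text, application=None):
    """Aggregate denied sessions per (application, src_ip).

    Returns {(application, src_ip): {"sessions": n, "bytes": total}} so you
    can see both how often a client retried and how many bytes crossed the
    firewall before each session was cut off. Optionally restrict to one app.
    """
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if f.get("status") != "Deny":
            continue  # only blocked sessions are of interest here
        app = f.get("application", "unknown")
        if application is not None and app != application:
            continue
        key = (app, f.get("src_ip", "?"))
        summary[key]["sessions"] += 1
        # Both directions count: the report's "download" figure is recv_bytes,
        # but the client's retries also send data on every attempt.
        summary[key]["bytes"] += int(f.get("sent_bytes", 0)) + int(f.get("recv_bytes", 0))
    return dict(summary)


def top_talkers(summary, n=5):
    """Rank (application, src_ip) pairs by total bytes, largest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    result = summarize_denied(SAMPLE_LOG, application="Example Updater")
    for (app, ip), stats in top_talkers(result):
        print(f"{app:20s} {ip:15s} sessions={stats['sessions']:4d} bytes={stats['bytes']}")
```

Feed it a day's worth of syslog output instead of SAMPLE_LOG and the session count per source IP tells you whether one host is reconnecting in a loop, while the byte total shows how much each blocked session carried before the firewall closed it; a high session count with a few KB per session is the pattern the replies above describe, and the source IP is the device to look at.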
