
Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



  • Another piece of information, based on the Reports sections:

    Risk: 5
    Category: Proxy and Tunnel
    Application/proto:port: Thunder VPN
    Destination: 144.195.32.47      240 MB
                 198.251.234.113    69 MB
                 144.195.7.7        9 MB
                 144.195.59.144     120 MB
                 147.124.123.171    66 MB
                 

    Those addresses all seem to belong to Zoom:

    144.195.32.0/24
    AS30103 Zoom Video Communications, Inc

  • I am using Zoom on a daily basis but only saw those Thunder VPN entries once (22.07). 

    If I join a new meeting, it never gets classified in this category (anymore). Also those are odd time stamps for a Zoom meeting (15:53, 11:08, 19:55, 21:09).

    Most likely I join a meeting on time or 1-2 minutes earlier.

    It is always NTP port 123 to Zoom. And I am not sure when this traffic will be generated.


  • Hi,

    I haven't seen any thundervpn reports in logviewer since I upgraded to the v18.5.1 MR-1 build 326, so in summary it looks like IPv4 might have been fixed, but not IPv6; I am still seeing manual proxy surfing in the IPv6 traffic.

    The upgrade was over 4 hours ago.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • That's interesting. I upgraded to build 326 yesterday and am still seeing the Thunder VPN / port 123 reports in the Application filter log.

     
    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi,

    You are correct, they are still occurring. There is a 3.5 hour gap where none were reported, strange.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • I need a pcap file of this traffic to provide the file to labs. 


  • Please tell me how to capture a pcap file, i'll be more than happy to provide it to you.

     
    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
  • tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap

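An added example (not code from this thread, from Sophos, or from the posters' captures): the earlier observation is that the flagged flows are always UDP port 123 to Zoom, and the capture command above collects exactly that traffic. This Python snippet decodes the 48-byte NTP header of each UDP/123 payload (RFC 5905 layout) and separates well-formed NTP from anything else, which is the triage you would do before sending the pcap to labs. The flow tuples, hosts and payloads are constructed samples; only the destination addresses are taken from the report in the thread.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTP_MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
             4: "server", 5: "broadcast", 6: "control", 7: "private"}

def parse_ntp(payload):
    """Decode the 48-byte NTP header; return None if the payload is not NTP."""
    if len(payload) < 48:
        return None
    first, stratum = payload[0], payload[1]
    li, vn, mode = first >> 6, (first >> 3) & 7, first & 7
    if not 1 <= vn <= 4 or mode not in NTP_MODES:
        return None
    # Transmit timestamp: 32-bit seconds since 1900 plus a 32-bit fraction.
    xmt_sec, xmt_frac = struct.unpack("!II", payload[40:48])
    return {
        "leap": li, "version": vn, "mode": NTP_MODES[mode], "stratum": stratum,
        "transmit": NTP_EPOCH + timedelta(seconds=xmt_sec + xmt_frac / 2**32),
        "extra_bytes": len(payload) - 48,  # MAC / extension fields, or padding
    }

def triage(flows):
    """flows: iterable of (src, dst, udp_payload). Returns (ntp_count, suspects)."""
    ntp_count, suspects = 0, []
    for src, dst, payload in flows:
        if parse_ntp(payload) is None:
            suspects.append((src, dst, len(payload)))  # worth a closer look
        else:
            ntp_count += 1
    return ntp_count, suspects

def ntp_seconds(dt):
    return int((dt - NTP_EPOCH).total_seconds())

# Constructed sample payloads (hypothetical, not from anyone's capture).
_T0 = ntp_seconds(datetime(2023, 2, 20, tzinfo=timezone.utc))
SAMPLE_REQUEST = bytes([0x23, 0, 0, 0]) + bytes(36) + struct.pack("!II", _T0, 0)      # v4, client
SAMPLE_REPLY = bytes([0x24, 2, 0, 0]) + bytes(36) + struct.pack("!II", _T0 + 1, 0)    # v4, server, stratum 2
SAMPLE_OTHER = bytes([0xFF]) + bytes(47)  # version field 7: not an NTP packet

SAMPLE_FLOWS = [
    ("10.0.0.5", "144.195.32.47", SAMPLE_REQUEST),   # destination from the thread's report
    ("144.195.32.47", "10.0.0.5", SAMPLE_REPLY),
    ("10.0.0.9", "198.251.234.113", SAMPLE_OTHER),
]

if __name__ == "__main__":
    count, odd = triage(SAMPLE_FLOWS)
    print(f"{count} well-formed NTP packets, {len(odd)} suspect flow(s): {odd}")
```

To run it against a real capture, feed `triage()` the UDP payloads from the pcap (for example via a pcap reader of your choice) instead of `SAMPLE_FLOWS`.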

  • Ok, got the file, how to deliver it to you?

     
    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
  • Also have a file. Zipped and sent in PM

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Thanks Ian, zipping did the trick.

    Also sent it by PM to

     
    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
  • I am not sure what will be found in my file because the faulty transactions are blocked by firewall rules. I was not able to capture any transactions using pcap.

    Ian

    XG115W - v19.5.1 mr-1 - Home

