We've replaced an SG with an XGS running 18.5 MR3, and there is now massive false-positive detection of Torrent Client P2P traffic by the application filter.
Most firewall rules for internal traffic have the default application filter applied: "Block high risk (Risk Level 4 and 5) apps".
We needed to disable that for all internal rules because normal Windows Active Directory, file server or SQL Server access is detected as Torrent Client P2P.
The Endpoints are running Intercept-X Adv.
messageid="17051"
log_type="Content Filtering"
log_component="Application"
log_subtype="Denied"
fw_rule_id="53"
user=""
user_group=""
appfilter_policy_id="7"
category="P2P"
app_name="Torrent Clients P2P"
app_risk="5"
app_technology="P2P"
app_category="P2P"
src_ip="172.16.xxx.xxx"
src_country="R1"
dst_ip="192.168.xxx.xxx"
dst_country="R1"
protocol="TCP"
src_port="389"
dst_port="58602"
bytes_sent="0"
bytes_received="0"
status=""
message=""
appresolvedby="Signature"
This is useless the way it is. Why is this false positive happening, and what is needed for Sophos to resolve this? I cannot imagine we have any special network communication.
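Before opening a case, it helps to show how widespread the misclassification is and which rules are affected. The script below is an added example, not something from the original post or from Sophos: it parses the key="value" log format shown above, and flags "Denied" Application entries whose app category is P2P while one end of the flow sits on a well-known Windows service port (LDAP 389, SMB 445, SQL Server 1433 and so on). The port-to-service table and the sample log lines are constructed for the example; the sample lines mirror the LDAP entry quoted above with placeholder addresses.

```python
import re
from typing import Dict, List

# Assumption for this example: well-known Windows/AD service ports that a
# torrent client would not normally be listening on. Extend as needed.
KNOWN_SERVICE_PORTS = {
    88: "Kerberos",
    135: "MS-RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    1433: "MS SQL Server",
    3268: "Global Catalog",
}

# Matches one key="value" pair; values may be empty (user="").
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv_log(line: str) -> Dict[str, str]:
    """Turn a single key="value" ... log line into a dict."""
    return dict(KV_RE.findall(line))


def service_port(entry: Dict[str, str]):
    """Return the first well-known service port found on either end of the flow."""
    for key in ("src_port", "dst_port"):
        value = entry.get(key, "")
        if value.isdigit() and int(value) in KNOWN_SERVICE_PORTS:
            return int(value)
    return None


def is_likely_false_positive(entry: Dict[str, str]) -> bool:
    """True for a Denied Application entry labelled P2P where one side of
    the flow is a known Windows service port, i.e. the pattern the post
    describes (LDAP/SMB/SQL flows tagged as Torrent Clients P2P)."""
    if entry.get("log_component") != "Application":
        return False
    if entry.get("log_subtype") != "Denied":
        return False
    if entry.get("app_category") != "P2P":
        return False
    return service_port(entry) is not None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line and collect the suspected false positives with the
    firewall rule that blocked them, so the affected rules can be listed."""
    flagged = []
    for line in lines:
        entry = parse_kv_log(line)
        if not is_likely_false_positive(entry):
            continue
        port = service_port(entry)
        flagged.append({
            "fw_rule_id": entry.get("fw_rule_id", ""),
            "app_name": entry.get("app_name", ""),
            "service": KNOWN_SERVICE_PORTS[port],
            "flow": f'{entry.get("src_ip")}:{entry.get("src_port")} -> '
                    f'{entry.get("dst_ip")}:{entry.get("dst_port")}',
        })
    return flagged


# Constructed sample lines (placeholder addresses), not real log data.
SAMPLE_LINES = [
    # Mirrors the LDAP entry from the post: server port 389 on the source side.
    'messageid="17051" log_type="Content Filtering" log_component="Application" '
    'log_subtype="Denied" fw_rule_id="53" appfilter_policy_id="7" category="P2P" '
    'app_name="Torrent Clients P2P" app_risk="5" app_technology="P2P" app_category="P2P" '
    'src_ip="172.16.10.5" dst_ip="192.168.1.20" protocol="TCP" src_port="389" '
    'dst_port="58602" appresolvedby="Signature"',
    # File server reply (SMB) tagged the same way.
    'log_component="Application" log_subtype="Denied" fw_rule_id="61" '
    'app_name="Torrent Clients P2P" app_category="P2P" src_ip="172.16.10.7" '
    'dst_ip="192.168.1.31" protocol="TCP" src_port="445" dst_port="61002"',
    # Ephemeral-to-ephemeral flow: plausible real P2P, not flagged.
    'log_component="Application" log_subtype="Denied" fw_rule_id="53" '
    'app_name="Torrent Clients P2P" app_category="P2P" src_ip="192.168.1.50" '
    'dst_ip="203.0.113.9" protocol="TCP" src_port="51413" dst_port="6881"',
    # Allowed web traffic: not a denial, not flagged.
    'log_component="Application" log_subtype="Allowed" fw_rule_id="12" '
    'app_name="HTTPS" app_category="Web" src_ip="192.168.1.50" '
    'dst_ip="198.51.100.4" protocol="TCP" src_port="52000" dst_port="443"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f'rule {hit["fw_rule_id"]}: {hit["service"]} flow {hit["flow"]} '
              f'blocked as "{hit["app_name"]}"')
```

Feed it the exported Application log (one entry per line) and group the output by fw_rule_id to see exactly which internal rules need the filter lifted or an exception until the signature is fixed; a flow on 389, 445 or 1433 that the filter calls a torrent client is far more likely a signature problem than real P2P.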