I have just started looking into collecting flow information from our Sophos UTM 9. From my understanding of flows (and please let me know if I am just wrong, since this is new to me), I should see flow information such as:
SrcIP DstIP SrcPort DstPort
192.168.1.1 192.168.1.2 53000 53
192.168.1.2 192.168.1.1 53 53000
Instead, what I am seeing is:
SrcIP DstIP SrcPort DstPort
192.168.1.1 192.168.1.2 53000 53
192.168.1.2 192.168.1.1 53000 53
As you can see, the source and destination ports on the second flow are still using the source and destination ports for the first flow. I have picked the ports at random. The same behavior is occurring for every source and destination port combination.
I have a Wireshark capture of the flow packets, and I see this data in the packets, so it is not an issue with my flow collector.
I am using firmware version 9.306-6.
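An added example, not part of the original post: a small check that pairs opposite-direction flow records and reports whether the reverse record has its ports mirrored or copied unchanged, run over the two tables from the post. The names `Flow`, `parse_flows` and `classify_reverse_flows` are hypothetical, and the input is assumed to be whitespace-separated rows already decoded by a collector.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int

# Sample rows copied from the two tables in the post above.
EXPECTED = """SrcIP DstIP SrcPort DstPort
192.168.1.1 192.168.1.2 53000 53
192.168.1.2 192.168.1.1 53 53000"""
OBSERVED = """SrcIP DstIP SrcPort DstPort
192.168.1.1 192.168.1.2 53000 53
192.168.1.2 192.168.1.1 53000 53"""

def parse_flows(text):
    """Parse 'SrcIP DstIP SrcPort DstPort' rows; skip header or malformed rows."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        flows.append(Flow(parts[0], parts[1], int(parts[2]), int(parts[3])))
    return flows

def classify_reverse_flows(flows):
    """Pair each record with records in the opposite IP direction and label the pair."""
    by_hosts = defaultdict(list)
    for f in flows:
        by_hosts[(f.src, f.dst)].append(f)
    results, seen = [], set()
    for f in flows:
        for r in by_hosts.get((f.dst, f.src), []):
            pair = frozenset((f, r))
            if f == r or pair in seen:
                continue
            seen.add(pair)
            if (r.sport, r.dport) == (f.dport, f.sport):
                results.append((f, r, "mirrored"))           # reply ports are swapped
            elif (r.sport, r.dport) == (f.sport, f.dport):
                results.append((f, r, "ports-not-swapped"))  # behaviour described in the post
    return results

if __name__ == "__main__":
    for name, text in (("expected", EXPECTED), ("observed", OBSERVED)):
        for f, r, label in classify_reverse_flows(parse_flows(text)):
            print(name, f, r, label)
```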