I logged in to the UTM after getting back from an ice cream run. I noticed that there was a lot of bandwidth activity on all interfaces. (I did not think to see which direction it was going, and now it has "disappeared"). I opened the flow monitor and expanded unclassified and saw this:
I dug around the logs, but could not find this IP or that port. That port outgoing is NOT open.
OK, the mysterious source of the data has been found. It is on the Frontier network and is due to my wife watching VOD. She must have left it running when we went for an ice cream run.
Frontier uses the router for the TV to allow the guide. The subnet for the TV is different than the "Internet" side of the router. That explains why it was not in my logs. Looking up the correct subnet fixes the issue.
Sophos really needs to work on the CSV output of logs, and the formatting of those outputs, especially the firewall. They also need to add in some more reports and allow for the creation of custom reports!!