
Unknown Traffic (high bandwidth usage every hour for 2 minutes)

Hi folks,

I have got a problem with one SG 105 (9.310-11).
For weeks there has been (inbound) traffic every hour (24/7) for about 2 minutes.
I used iftop for logging, but I couldn't see the internal device that makes this request. On eth1 (external WAN) I see this:
The firewall starts a request from port 4244 to destination 216.137.59.33:80 (Amazon CloudFront server) and then the inbound traffic starts with ~3 Mb/s for 2 minutes. It is not always the same CloudFront server IP; sometimes it was "server-216-137-63-35.lhr3.r.cloudfront.net".

I started an iftop window for every other SG interface to detect the requester, but with no success: no IP has such high bandwidth usage while the inbound traffic is high.
I can't see anything in the firewall logs (queried for: IP, port).

Questions: What could it be? Does the firewall drop the packets? How do I set up the firewall logs to make that traffic visible there?

Thanks in advance.

Regards,
Christian


  • Hi everyone,

    it seems to be the Sophos pattern download that causes this inbound traffic.
    As I could verify via the system log, there are entries for these CloudFront servers.

    2015:09:10-01:32:15 FW-GH-Berlin syslog-ng[22264]: Configuration reload request received, reloading configuration;
    2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Changeset 633 empty!
    2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Adding REF_DefaultSophosUTMSupportHost
    2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Adding REF_NetDns****
    2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Adding REF_NetDnsServer2161
    2015:09:10-01:32:16 FW-GH-Berlin dns-resolver[4165]: Adding REF_NetDnsSophoLivec
    2015:09:10-01:32:16 FW-GH-Berlin dns-resolver[4165]: Adding REF_NtpPool
    2015:09:10-01:32:16 FW-GH-Berlin dns-resolver[4165]: No change to REF_NetDnsServer2161 :: server-216-137-63-35.lhr3.r.cloudfront.net


    Is it possible to make a multipath rule to get patterns through the second internet interface? There is a multipath rule for "websurfing" through the second interface, but patterns come via the first interface.

    Thanks in advance.

    Regards,
    Christian
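The reply above attributes the hourly burst by correlating the external-interface observation with dns-resolver entries in the UTM system log. Connections the firewall itself opens never cross an internal interface, which is why iftop on the LAN-side interfaces showed nothing. The following is an added example (not code from the thread or from Sophos) that automates that correlation: it parses log lines in the UTM syslog format shown in the post, extracts which named definition (REF_...) resolved to which FQDN, matches captured flows against those definitions within a time window, and checks whether the matched flows recur hourly. The syslog lines and flow records are constructed for the example; the 216.137.59.33 hostname form and the REF_NetDnsServer2161 definition are assumptions modelled on what the post shows.

```python
import re
from datetime import datetime, timedelta

# UTM syslog line: "YYYY:MM:DD-HH:MM:SS host program[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# dns-resolver line that names the FQDN a definition currently resolves to
DEF_RE = re.compile(r"No change to (?P<ref>REF_\w+) :: (?P<fqdn>\S+)")

# Constructed sample, modelled on the lines quoted in the reply. The 00:32 and
# 02:32 entries and the -59-33 hostname are assumptions added for the example.
SAMPLE_SYSLOG = """\
2015:09:10-00:32:14 FW-GH-Berlin dns-resolver[4165]: No change to REF_NetDnsServer2161 :: server-216-137-59-33.lhr3.r.cloudfront.net
2015:09:10-01:32:15 FW-GH-Berlin syslog-ng[22264]: Configuration reload request received, reloading configuration;
2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Changeset 633 empty!
2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Adding REF_DefaultSophosUTMSupportHost
2015:09:10-01:32:15 FW-GH-Berlin dns-resolver[4165]: Adding REF_NetDnsServer2161
2015:09:10-01:32:16 FW-GH-Berlin dns-resolver[4165]: Adding REF_NtpPool
2015:09:10-01:32:16 FW-GH-Berlin dns-resolver[4165]: No change to REF_NetDnsServer2161 :: server-216-137-63-35.lhr3.r.cloudfront.net
2015:09:10-02:32:16 FW-GH-Berlin dns-resolver[4165]: No change to REF_NetDnsServer2161 :: server-216-137-59-33.lhr3.r.cloudfront.net
"""


def parse_ts(s):
    """Parse the UTM timestamp format, e.g. 2015:09:10-01:32:16."""
    return datetime.strptime(s, "%Y:%m:%d-%H:%M:%S")


# Constructed flow observations as iftop would show them on eth1
# (timestamp, source, destination FQDN, peak rate in Mbit/s).
SAMPLE_FLOWS = [
    (parse_ts("2015:09:10-00:32:20"), "FW-GH-Berlin:4244", "server-216-137-59-33.lhr3.r.cloudfront.net", 3.1),
    (parse_ts("2015:09:10-01:32:18"), "FW-GH-Berlin:4244", "server-216-137-63-35.lhr3.r.cloudfront.net", 2.9),
    (parse_ts("2015:09:10-02:32:21"), "FW-GH-Berlin:4244", "server-216-137-59-33.lhr3.r.cloudfront.net", 3.0),
    (parse_ts("2015:09:10-02:40:05"), "10.0.0.17:51000", "www.example.org", 0.2),  # unrelated LAN client
]


def parse_syslog(text):
    """Return one dict per well-formed syslog line, with ts as a datetime."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            entries.append(d)
    return entries


def resolver_definitions(entries):
    """Map FQDN -> {"ref": definition name, "seen": [timestamps it was reported]}."""
    defs = {}
    for e in entries:
        if e["prog"] != "dns-resolver":
            continue
        m = DEF_RE.search(e["msg"])
        if m:
            rec = defs.setdefault(m.group("fqdn"), {"ref": m.group("ref"), "seen": []})
            rec["seen"].append(e["ts"])
    return defs


def attribute_flows(flows, defs, window=timedelta(minutes=5)):
    """For each flow, return (ts, dst, matching REF or None, resolver-activity-nearby)."""
    out = []
    for ts, _src, dst, _mbit in flows:
        d = defs.get(dst)
        near = d is not None and any(abs(ts - t) <= window for t in d["seen"])
        out.append((ts, dst, d["ref"] if d else None, near))
    return out


def is_periodic(timestamps, period=timedelta(hours=1), tolerance=timedelta(minutes=2)):
    """True if consecutive timestamps are spaced `period` apart within `tolerance`."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    return all(abs((b - a) - period) <= tolerance for a, b in zip(ts, ts[1:]))


if __name__ == "__main__":
    defs = resolver_definitions(parse_syslog(SAMPLE_SYSLOG))
    for ts, dst, ref, near in attribute_flows(SAMPLE_FLOWS, defs):
        print(ts, dst, ref or "(no UTM definition)", "resolver active nearby" if near else "")
    bursts = [f[0] for f in SAMPLE_FLOWS if f[3] > 1.0]
    print("hourly pattern:", is_periodic(bursts))
```

Run it against a real export of the system log and an iftop capture from the external interface: a high-rate flow whose destination is a UTM definition, touched by dns-resolver within a few seconds of the flow and recurring every hour, is the firewall's own scheduled download rather than an internal client, which is also why it never appears in packet-filter logs for LAN interfaces.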