Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 19 replies
  • Answers 1 answer
  • Subscribers 11 subscribers
  • Views 59862 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unwanted traffic originating at UTM

KlausBeulen

Hi all,

since a few days I have a problem with unwanted traffic originating at the external interface of my UTM. It's destination addresses are from 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic (I tried a simple FW rule with the external interface as source, and also an application control rule, but both did not block it).

Any idea?

Thanks a lot,
    Klaus.



This thread was automatically locked due to age.
Parents
  • 0

    I'm running a Master/Slave combination of two UTM220 for a network on a ship, our data connection is via VSAT and this problem often saturates our uplink at 2Mbps.  I too was hoping that the latest update would solve the issue but it is ongoing.  It is affecting our QoS as page requests are often struggling to leave the ship.

    At first I believed that the Sophos UTM had been compromised in some way however I am unsure.  It is sending a tremendous amount of data; 2Mbps may not seem like a lot but aggregated we must be in the hundreds of GBs by now.

    Has anyone managed to inspect the packets yet?

Reply
  • 0

    I'm running a Master/Slave combination of two UTM220 for a network on a ship, our data connection is via VSAT and this problem often saturates our uplink at 2Mbps.  I too was hoping that the latest update would solve the issue but it is ongoing.  It is affecting our QoS as page requests are often struggling to leave the ship.

    At first I believed that the Sophos UTM had been compromised in some way however I am unsure.  It is sending a tremendous amount of data; 2Mbps may not seem like a lot but aggregated we must be in the hundreds of GBs by now.

    Has anyone managed to inspect the packets yet?

Children