Unwanted traffic originating at UTM

Hi all,

For a few days now I have had a problem with unwanted traffic originating at the external interface of my UTM. Its destination addresses are from 17.0.0.0/8 (Apple?), the traffic seems to be HTTP (port 80), the application is classified as "doof" (see also screenshots):

1) Does anyone have an idea why the UTM communicates with these addresses?
2) How can I block this traffic? (I tried a simple FW rule with the external interface as source, and also an application control rule, but both did not block it.)

Any idea?

Thanks a lot,
    Klaus.



  • I'm running a Master/Slave combination of two UTM220 for a network on a ship, our data connection is via VSAT and this problem often saturates our uplink at 2Mbps.  I too was hoping that the latest update would solve the issue but it is ongoing.  It is affecting our QoS as page requests are often struggling to leave the ship.

    At first I believed that the Sophos UTM had been compromised in some way however I am unsure.  It is sending a tremendous amount of data; 2Mbps may not seem like a lot but aggregated we must be in the hundreds of GBs by now.

    Has anyone managed to inspect the packets yet?

  • Does adding this exception in still block the traffic or just hide it from reporting?

  • I have the traffic allowed, but bandwidth limited. I'm not in front of a UTM currently but I believe whether it is allowed depends on the firewall packet filter settings and there may be a check box below the transparent proxy setting to allow the traffic.

  • I have checked with our VSAT service provider's traffic statistics and the reported traffic does not appear since just after the modification.  However there have been a few other changes along with the updates for the UTM.  So I cannot say with 100% certainty that this fixed the problem.  However the problem does not seem to exist anymore.
