Understanding IPs counted as a 'active ip', license-wise

Hi,

Having read many posts/articles on Active IP count on astaro, we are still wondering if what we understand is accurate.

Our situation: We have a /24 range of public IPs, of which currently approx 2/3 are actually used, but almost all of them appear in the active IP list. We understand that packets with a source OR DESTINATION of an utm-interface-ip-range are logged and counted as an active ip.

We assumed that as long as an ip is not used (=never sends anything, never exists on our network) it would not be considered as Active.

To our surprise we see in the Active IP list many addresses that we have not (recently, last months) used. Why are these IPs there?  Could it be because in the last seven days, someone from somewhere randomly decided to do a ping/connection attempt to that (public but unused) IP address, thus adding the IP to our Active IPs list?

This would mean that anyone can basically do a DoS attack on our network, by pinging/connecting to unused public IPs behind our UTM -> filling up our list of Active IPs -> exceeding our sophos license count. Right?! That could cause some very annoying trouble...

Does it really work like that? And if yes, is there a way to exclude IPs that are public, but not in use?

  • Basically this is the legal perspective:

    https://www.sophos.com/en-us/legal/license-entitlement-and-usage-policy.aspx

     

    3. 'User' means an employee, consultant or other individual who benefits from the Licensed Product.
    NOTE: The Product does not have to be physically installed on the User's computer environment in order to provide benefit to the User.

     

    When a User communicates with or through the gateway (including without limitation DNS and DHCP queries to the gateway and communications both to the Internet and a different LAN segment), their IP address is added to list of licensed devices in the gateway’s local database. If several Users communicate through a single device then every User is counted as a separate User. If an IP address has not been used in the last seven (7) days, it is removed from the database.

     

    FullGuard

    Subscription

    per User

  • In reply to LuCar Toni:

    Hi Toni,

    Thanks for your reply, but I am not sure how it answers my question.

    I am talking about not-recently-used public IPs, within our /24 public subnet that are listed as "Active IPs"

    We are wondering how they end up there, and our current hypothesis (having read quite a few posts / articles on the subject) that anyone from anywhere can try to ping/connect  to one of our unused-public-ip, and this causes them those IPs to become registered as an "Active IP".

    Our question is: is the above true? An what can we do (if anything) to prevent this, as we feel that IPs which we are not using on any machine should not be seen/counted as Active IPs, for our license.

  • In reply to mourik jan heupink:

    Hoi Mourik Jan,

    I haven't heard of this problem before.  It sounds like you have a DMZ with public IPs.  Instead of a firewall rule that allows all of the /24 through, what happens if you only allow the IPs that are in use?

    Cheers - Bob

  • In reply to BAlfson:

    Hi, yes this is de case. There are many (255) public IPs behind the sophos UTM. You could call it a DMZ with public IPs, but also our regular workstations are using public IPs. We don't allow the /24 through, we allow only specific ports to specific IPs. The others are dropped on the firewall, mostly because of the default DROP.

    Of course our internal network nic has a /24 IP assigned to it, and I guess that's why any drop to an internal (but public) IP is counted as an "Active IP", that is at least the only explanation we can think of. We feel this behaviour is not optimal, and are currently also in contact with Sophos support, to see how they feel about this. (or if perhaps there is something else causing this behaviour)

    The situation is that we are constantly (permanently) seeing 251 active IPs, and there are only around 200 IPs actually in use.

    If a (non answered) ping or connection attempt would be counted for an "active IP", then we are no sure if dropping it as you suggested would solve it. (the IP would still show up in the logs, and counted, right..?)

    Is there any indication in a log file that would show an IP becoming counted as 'active'? Anything we can search for?

  • In reply to mourik jan heupink:

    The only thing I know of to check active IPs is:

    /usr/local/bin/count_active_ip.plx --showcount

    The only solution I can think of to your problem would be to put another UTM with the free Essential license in front of your UTM.  You wouldn't need a very powerful computer to just do firewalling.  Any luck with that?

    Cheers - Bob

  • In reply to BAlfson:

    Hi BAlfson,

    That command gives the same information as present in the web interface.

    Your idea sounds interesting, but would be a SPoF before the HA UTM. I'd rather like to avoid that if possible.

    Sophos escalation team is currently looking into this issue, and hopefully they have a proper solution. If IPs are not in use, they should not be counted as active, we feel it is as simple as that.

    Thanks a lot for thinking along with us! If any interesting update from sophos escaltation team, I will post it here.

    (for the archives: their first suggestion was to increase dhcp lease duration to one day, but this doesn't seem to help)

  • In reply to mourik jan heupink:

    I'm interested in what Sophos' reaction will be; in the past (and maybe still as of now) just running an ip-sniffer inside your own LAN could lead to an entire subnet (or more) of IP's being added to the counted list.