Worried - my XG firewall has been pegging my 3Mb DSL line for over 24 hours

Starting over 24 hours ago, my XG firewall has my 3Mb/sec DSL line pegged downloading. The firewall itself is downloading. I've confirmed that it is not an inside host causing the traffic by monitoring the traffic on the LAN switch port that XG is connected to, the XG inside and outside interfaces, and by XG graphs - all of which show 3Mb on the WAN interface, but almost nothing on the LAN side.

 

I've done a packet capture and can see the IP address XG is downloading from: 13.33.126.23 which resolves to server-13-33-126-23.ord50.r.cloudfront.net.

 

I'd like to think that this is just XG doing some sort of updates, but I can't believe it would be using this much data. Has my XG been hacked? I don't allow any management access from the outside interface.

  • Hi,

    how old is your XG and what version of software are you running?

    Ian

  • In reply to rfcat_vk:

    Installed a couple of months ago. SFVH (SFOS 17.5.7 MR-7)

  • In reply to KenCornetet:

    Hi,

    a 3Mb/s line is very slow for updates. A 3Mb/s line is only 400KB/s at best, and mixed in with other traffic, any pattern updates will take considerable time. I suggest you change the update refresh to something like every 4 hours or more.

    Ian

  • In reply to rfcat_vk:

    Trust me, I know 3Mb is slow (but I'm not complaining - I was on dialup for a long time). But even 300KB/sec is 26 GIGABYTES over 24 hours. I doubt very seriously that Sophos has pushed 26 GB of updates over the last few days.

  • In reply to KenCornetet:

    More than likely your connection to the update databases is timing out and restarting over and over.

    Ian

  • In reply to rfcat_vk:

    I don't see any unusual messages in the system log. But this does sound possible. I've noticed that the traffic runs at a constant 3Mb for about 90 minutes, then drops off for a few minutes, then picks back up again. That does sound like some kind of retry.

     

    How would I troubleshoot this?