Sophos XG constantly querying Google domains, why?

I'm also seeing the below in the Sophos logs... Seems to coincide. Could XG be trying to use Google to do a look up for the IP's trying to connect? I can't imagine that being the case but it's all i can comeup with for now.

I've checked each IP listed and they're all linked to Cyren Inc/Commtouch.

I'm also seeing the below in the Sophos logs... Seems to coincide. Could XG be trying to use Google to do a look up for the IP's trying to connect? I can't imagine that being the case but it's all i can comeup with for now.

I've checked each IP listed and they're all linked to Cyren Inc/Commtouch.

Found another discussion regarding Commtouch\Cyren...

https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/101128/commtouch-ip-addresses-being-blocked-by-xg

There doesn't seem to be a conclusion or fix however.

If anyone can explain any of this it'd be greatly appreciated.

Best regards

TheBeardedOne

EDIT: These two issues aren't linked. After changing the DNS server on the Sophos to Google DNS the logs on the Pi-Hole stopped coming through, but the logs on the Sophos relating to Commtouch\Cyren continue to come through thick and fast.

Hi,

rule 0 is a default rule in the XG which collects things like you are seeing and other ports that cannot find a matching rule. In theory you can ignore them unless they make a large percentage of your bandwidth.

Ian

More likely this is caused by Invalid Traffic blocking.

https://community.sophos.com/kb/en-us/131754

Adjust the timeout and you should see less blocks. 

Thank you both for getting back to me.

So that probably explains the constant invalid traffic entries. I'll experiment with altering the timeout to see if it reduces the number of entries in the log.

All in all the Sophos XG VM is generating no more than approx 50Kbps of traffic per 2 hours which is insignificant. The issue is the saturated logs.

As for why XG is constanlty querying Google domains, any ideas?

Cheers

These are preconfigured fqdn hosts for Chromebook SSO. It will periodically do a lookup for them to populate the right IP addresses.

Thanks MasterRoshi,

Is there anyway to prevent it?

Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

Legendary! Didn't even know that was there...

Something to play aorund with.

Thanks again Roshi!

MasterRoshi said:

Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

Hi, I have a XG Firewall home with 3 APX320 WiFi AP's, one for each floor of my home.

I have that exact same problem than "TheBeardedOne".  I see in my pi-hole query list that every five minutes, my 3 APX320 query www.google.com within the same minute. I tried turning all WiFi devices off, so that none could be the source of the queries. I also tried deleting every single google FQDN host in the list. Unfortunately my APX320 access points still query "www.google.com" every 5 minutes.

I cannot figure out what's the exact source of these queries.

Any idea ?

Many thanks to the community!

Hi,

if you review logviewer firewall log you should see the source and destination of your traffic. What DNS are you using on the XG andd your clients?

Ian