
Sophos XG constantly querying Google domains, why?

Hi all,

First post here, hopefully I can be a contributing member of the community. For now I have a question for you guys.

I'm slowly getting round to setting up Sophos XG Home to replace my router. It's currently connected to my home network via its WAN port, with the LAN port creating a new network on the backend for testing. The WAN link is assigned an IP address etc. via DHCP from the current router. I have recently set up Pi-Hole with Unbound, which is handling all DNS queries on the primary LAN.

The question is as described in the subject. Why is Sophos XG constantly querying Google domains? I have made sure there is nothing else on the LAN side of the Sophos VM.

Call me paranoid, but I don't like the idea of anything on my network having constant communication with Google, or anything else for that matter, certainly without me knowing.

Does anyone have any ideas why it's happening, and whether I can stop it?

TIA

TheBeardedOne



  • Hi,

    Rule 0 is a default rule in the XG which collects things like you are seeing and other ports that cannot find a matching rule. In theory you can ignore them unless they make up a large percentage of your bandwidth.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • More likely this is caused by Invalid Traffic blocking.

    https://community.sophos.com/kb/en-us/131754

    Adjust the timeout and you should see less blocks.

  • Thank you both for getting back to me.

    So that probably explains the constant invalid traffic entries. I'll experiment with altering the timeout to see if it reduces the number of entries in the log.

    All in all the Sophos XG VM is generating no more than approx 50Kbps of traffic per 2 hours which is insignificant. The issue is the saturated logs.

    As for why XG is constantly querying Google domains, any ideas?

    Cheers

  • These are preconfigured FQDN hosts for Chromebook SSO. It will periodically do a lookup for them to populate the right IP addresses.

  • Thanks MasterRoshi,

    Is there any way to prevent it?

  • Deleting the FQDN host objects in Hosts and Services -> FQDN hosts will do the trick.

  • Legendary! Didn't even know that was there...

    Something to play around with.

    Thanks again Roshi!


  • MasterRoshi said:
    Deleting the FQDN host objects in Hosts and Services -> FQDN hosts will do the trick.

    Hi, I have an XG Firewall Home with 3 APX320 WiFi APs, one for each floor of my home.

    I have the exact same problem as "TheBeardedOne". I see in my pi-hole query list that every five minutes, my 3 APX320 query www.google.com within the same minute. I tried turning all WiFi devices off, so that none could be the source of the queries. I also tried deleting every single Google FQDN host in the list. Unfortunately my APX320 access points still query "www.google.com" every 5 minutes.

    I cannot figure out what the exact source of these queries is.

    Any idea?

    Many thanks to the community!
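As an added example (not from any post in this thread, and not Sophos or Pi-hole code): a short Python script that scans Pi-hole's dnsmasq query log for client/name pairs looked up at a steady interval, which pins the "every five minutes" lookups to specific LAN IPs before wading through the firewall log. The log lines are constructed; the line format follows dnsmasq's `query[A] name from client` entries, and the year is assumed because the log does not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Pi-hole (dnsmasq) query line: "Mar 10 09:00:02 dnsmasq[812]: query[A] www.google.com from 192.168.1.21"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
                     r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$")

def parse_queries(lines, year=2024):
    """Yield (timestamp, client, name) per client query; reply/forwarded lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["name"]

def periodic_queriers(lines, min_count=3, jitter=0.2):
    """Return {(client, name): period_seconds} for pairs whose every gap is within
    `jitter` of the median gap, i.e. something polling on a timer rather than a user."""
    seen = defaultdict(list)
    for ts, client, name in parse_queries(lines):
        seen[(client, name)].append(ts)
    result = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
            result[key] = period
    return result

# Constructed sample: two clients (.21, .22) polling every ~5 min, one (.50) browsing at random times.
SAMPLE_LOG = """\
Mar 10 09:00:02 dnsmasq[812]: query[A] www.google.com from 192.168.1.21
Mar 10 09:00:02 dnsmasq[812]: reply www.google.com is 203.0.113.10
Mar 10 09:00:03 dnsmasq[812]: query[A] www.google.com from 192.168.1.22
Mar 10 09:02:40 dnsmasq[812]: query[A] www.google.com from 192.168.1.50
Mar 10 09:05:01 dnsmasq[812]: query[A] www.google.com from 192.168.1.21
Mar 10 09:05:03 dnsmasq[812]: query[A] www.google.com from 192.168.1.22
Mar 10 09:10:02 dnsmasq[812]: query[A] www.google.com from 192.168.1.21
Mar 10 09:10:02 dnsmasq[812]: query[A] www.google.com from 192.168.1.22
Mar 10 09:11:17 dnsmasq[812]: query[A] www.google.com from 192.168.1.50
Mar 10 09:15:01 dnsmasq[812]: query[A] www.google.com from 192.168.1.21
Mar 10 09:15:02 dnsmasq[812]: query[A] www.google.com from 192.168.1.22
Mar 10 09:31:44 dnsmasq[812]: query[A] www.google.com from 192.168.1.50
""".splitlines()
```

Running `periodic_queriers(SAMPLE_LOG)` flags only .21 and .22 (period about 300 s); the .50 client's irregular gaps keep it out of the result, so the IPs it returns are the ones to look up in the DHCP lease table or the firewall log.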

  • Hi,

    If you review the Log Viewer firewall log you should see the source and destination of your traffic. What DNS are you using on the XG and your clients?

    Ian


  • Hi, the DNS for my XG is set to the pi-hole located on the same LAN. The pi-hole is the DHCP server for all my LAN clients (to get hostnames in my pi-hole logs), also with the DNS set to the pi-hole.

    I had a look at my firewall log and noticed a strange behavior. My APX320 APs (connected to the LAN network) generate denied traffic to the LAN IP of the firewall on port 417?? The APs are connected on the same LAN as the firewall, so that should not happen, should it?

    Many Thanks