Sophos XG constantly querying Google domains, why?

I'm also seeing the below in the Sophos logs... Seems to coincide. Could XG be trying to use Google to do a look up for the IP's trying to connect? I can't imagine that being the case but it's all i can comeup with for now.

I've checked each IP listed and they're all linked to Cyren Inc/Commtouch.

Found another discussion regarding Commtouch\Cyren...

https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/101128/commtouch-ip-addresses-being-blocked-by-xg

There doesn't seem to be a conclusion or fix however.

If anyone can explain any of this it'd be greatly appreciated.

Best regards

TheBeardedOne

EDIT: These two issues aren't linked. After changing the DNS server on the Sophos to Google DNS the logs on the Pi-Hole stopped coming through, but the logs on the Sophos relating to Commtouch\Cyren continue to come through thick and fast.

Hi,

rule 0 is a default rule in the XG which collects things like you are seeing and other ports that cannot find a matching rule. In theory you can ignore them unless they make a large percentage of your bandwidth.

Ian

More likely this is caused by Invalid Traffic blocking.

https://community.sophos.com/kb/en-us/131754

Adjust the timeout and you should see less blocks. 

Thank you both for getting back to me.

So that probably explains the constant invalid traffic entries. I'll experiment with altering the timeout to see if it reduces the number of entries in the log.

All in all the Sophos XG VM is generating no more than approx 50Kbps of traffic per 2 hours which is insignificant. The issue is the saturated logs.

As for why XG is constanlty querying Google domains, any ideas?

Cheers

These are preconfigured fqdn hosts for Chromebook SSO. It will periodically do a lookup for them to populate the right IP addresses.

Thanks MasterRoshi,

Is there anyway to prevent it?

Thanks MasterRoshi,

Is there anyway to prevent it?

Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

Legendary! Didn't even know that was there...

Something to play aorund with.

Thanks again Roshi!

MasterRoshi said:

Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

Hi, I have a XG Firewall home with 3 APX320 WiFi AP's, one for each floor of my home.

I have that exact same problem than "TheBeardedOne".  I see in my pi-hole query list that every five minutes, my 3 APX320 query www.google.com within the same minute. I tried turning all WiFi devices off, so that none could be the source of the queries. I also tried deleting every single google FQDN host in the list. Unfortunately my APX320 access points still query "www.google.com" every 5 minutes.

I cannot figure out what's the exact source of these queries.

Any idea ?

Many thanks to the community!

Hi,

if you review logviewer firewall log you should see the source and destination of your traffic. What DNS are you using on the XG andd your clients?

Ian

Hi, the DNS for my XG is set to the pi-hole located on the same LAN. The pi-hole is DHCP server for all my LAN clients (to get hostnames in my pi-hole logs) also with the DNS set to the pi-hole.

I gave a look at my firewall log and noticed a strange behavior. My APX320 AP's (connected to LAN network) generate denied traffic to the LAN IP of the firewall to port 417 ?? The AP's are connected on the same LAN then the Firewall , so that should not happen, should it !

Many Thanks

Hi,

what are IP addresses of your external DNS?

What does the rule that is causing the traffic drop look like? Were your APX ever registered with Sophos wireless central?

Ian

Yes sorry, I forgot to mention that the external DNS set on my pi-hole, is openDNS.

The rule is "0" and mentions "appliance access" "denied" on LAN port from APX320 IP, src port 42523 to XG IP, dst port 417 UDP.

No, I don't use Sophos wireless central as I'm a home user. The AP's are registered on the XG.

Hi,

rule 0 is the default rule when the traffic cannot find a matching rule and is dropped.

I checked UDP 417 and the answer was not clear to me. I would check the configuration of the APX in the XG.

Ian

Hi,

I checked configuration of my APX320. Nothing weired. I also gave another look at my logs. Still these strange invalid traffic / denied access from my APs to the XG...

Nevertheless I noticed in my pi-hole logs, that my 3 APX320 (the P5200... devices) are doing the same amount of requests (656 in the screenshot) to Google every 5 minutes ! And it's not a device connected to them but the 3 APX320 itself !