https://community.sophos.com/sophos-xg-firewall/f/discussions/125609/xg-550-performance-slow-high-sessions-amountWe have an XG 550 rev. 2 configured with 2 different internet connections and a 10 gig fiber card for the LAN port. We have been experiencing DDOS attacks which we have an external service mitigating. What we have found is that at certain times duringen-USTelligent Community 12https://community.sophos.com/thread/459230?ContentTypeID=1Thu, 28 Jan 2021 20:16:30 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:7b556ee4-71cf-4ce3-af47-e849bd46b64bBeEf<p>Maybe DDoS mitigation is not working and the attack is coming from the other side ...</p> [quote userid="85479" url="~/xg-firewall/f/discussions/125609/xg-550-performance-slow-high-sessions-amount/459221#459221"]2) Set up a mirror port and try to find out whats actually happening.[/quote]<div style="clear:both;"></div>https://community.sophos.com/thread/459226?ContentTypeID=1Thu, 28 Jan 2021 19:56:59 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:3a02cada-c4ff-4741-89b4-c1d75672b20aJosh Rogalski<p>We have 2 totally separate ISP&#39;s that go into the XG 550 (with SD-Wan policy routes balancing traffic).&nbsp; One has DDOS mitigation at the ISP level, and one doesn&#39;t have it (being replaced later this year).&nbsp; When we get attacked we have at times disconnected the 2nd line that doesn&#39;t have DDOS protection on it.&nbsp; It stops the attack from that unprotected line, but it feels like the appliance raises it&#39;s sessions and memory just because that second line is disconnected. </p><div style="clear:both;"></div>https://community.sophos.com/thread/459221?ContentTypeID=1Thu, 28 Jan 2021 19:38:06 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:a21c5c34-a485-4ad1-a5be-2b43700727c9BeEf<p>1.8 Million is definitely too high.<br /><br />Could be some attack that is &quot;consuming&quot; sessions. Or maybe some packets with randomizes source addresses going against a service you are providing (e.g. Webserver, DNS, ...)<br /><br />1) Check the rules WAN -&gt; LAN and whether IDS is switched on.<br /><br />2) Set up a mirror port and try to find out whats actually happening.<br /><br /><br /><br />I did not completely understand what you are doing with your two internet lines though ....<br /><br />(From our experience it is not possible to defend a DDoS attack on the device itself. So mitigating at the ISP is the way you need to do this. However be prepared that the second line could also be attacked (we noticed wandering of the attack depending on the provider ...).</p><div style="clear:both;"></div>https://community.sophos.com/thread/459195?ContentTypeID=1Thu, 28 Jan 2021 16:43:29 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:40000fbf-d098-4ebc-a2be-a92f9464bfb5LuCar Toni<p>Sessions are basically conntrack table entries. Seems like some system is overload your system with sessions. You should get some expertise inhouse to find the Rootcause of this attacked.&nbsp;</p> <p>It could be a attack or a network issue with loops.&nbsp;</p> <p></p> <p>Maybe try the following:&nbsp;</p> <p>Conntrack is resonsible for the sessions in XG firewall.&nbsp;</p> <p>You can check which kind of connections is filling up this but you need Linux CLI knowledge to do so:&nbsp;</p> <p>conntrack -L will list all current session (Basically 1.8M entries).&nbsp;</p> <p>You can Pipe them up and start grap. conntrack -L | grep NEW | wc -l&nbsp; &nbsp; &nbsp; Will list basically all new Sessions current seens and count them.&nbsp;</p> <p><a href="https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html">https://www.linuxtopia.org/Linux_Firewall_iptables/x1347.html</a></p><div style="clear:both;"></div>