This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



This thread was automatically locked due to age.
  • Hi,

    the last time I was able to investigate the issue I determined the XG was wrongly categorising Apple connections. My daily report shows thunderVPN but I am not able to find any entries in the logviewer reports so further investigation is required at my end.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • While the thunderVPN shows up in the mail reports and in the reports generated from the GUI reports tab, it does not show in logviewer.

    All my Apple devices show using the thunderVPN to talk to Apple servers in various counties. The application is also categorised as Proxy and Tunnel - client server. The reports show low traffic and hits less that 60 per device.

    What it communicating with  have no idea let alone why?

    Ian

    A bit more poking shows it is talking to NTP servers which is strange because I have all NTP traffic pointing at my internal NTP server. Time to re-arrange firewall rules order.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, i am experiencing a large amount of Thunder VPN hits as well. See this image from today 8.55 AM (CET)

    In my case it are all IoT devices, Ubiqiti AP's and so on. All trying to connect to NTP servers.

    Strange thing was that yesterday my Lets encrypt SSL certification tool (Certify the Web) started to complain about not being able to connect to the time.windows.com server....

    Something strange is going on. 

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • checking our machine for Thunder VPN I do not see anything in Application Filter log but only in firewall.

    Having only one device in the reports. A Samsung Galaxy Android in the guest networks.

    UDP Traffic Port 500 and 4500 used.

  • Nothing shows in the logviewer, only in daily reports and GUI reports tab. I have traffic for 500 and 4500 because it is used by wifi calling and only through a specific firewall rule to a specific destination.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • There is another one and that is manual proxy surfing which is talking to NTP servers.

    Ip4 the XG reports as ThundervPN and IPv6 reports it manual proxy surfing.

    I think the two different reports indicate that there is a classification error in XG which needs to be addressed.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • NTP is identified as Thunder VPN in my environment too.

  • Same here - but only on my corporate devices (iPhone and Win10 laptop). A couple of hundred megabytes, so unlikely to be NTP.

    The devices definitely use a VPN, but I highly doubt they're actually using ThunderVPN. Misclassified? 

  • The same since couple days... In my case, TP-link AP generates this traffic.

  • Can somebody please create a Support case and attach a tcpdump of this traffic? 

    I cannot reproduce this on any installation, so i assume it is a certain type of device/client causing this traffic to be false positive. 

    __________________________________________________________________________________________________________________