Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location to assist with IPS and the application control service. I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large number of ThunderVPN hits on our network, and I'm at a bit of a loss as to what could be causing this traffic. I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be using this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



Typos
[edited by: ARandomHerdFan at 8:17 PM (GMT -7) on 20 Jul 2021]
  • Hi,

    The last time I was able to investigate the issue, I determined the XG was wrongly categorising Apple connections. My daily report shows ThunderVPN, but I am not able to find any entries in the log viewer reports, so further investigation is required at my end.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • While ThunderVPN shows up in the mail reports and in the reports generated from the GUI reports tab, it does not show in the log viewer.

    All my Apple devices show as using ThunderVPN to talk to Apple servers in various countries. The application is also categorised as Proxy and Tunnel - client server. The reports show low traffic and fewer than 60 hits per device.

    What it is communicating with I have no idea, let alone why.

    Ian

    A bit more poking shows it is talking to NTP servers, which is strange because I have all NTP traffic pointing at my internal NTP server. Time to re-arrange the firewall rule order.

     
  • Yes, I am experiencing a large number of Thunder VPN hits as well. See this image from today, 8.55 AM (CET).

    In my case they are all IoT devices, Ubiquiti APs and so on. All trying to connect to NTP servers.

    The strange thing was that yesterday my Let's Encrypt SSL certificate tool (Certify the Web) started to complain about not being able to connect to the time.windows.com server....

    Something strange is going on. 

     
    SFVH (SFOS 18.5.1 MR-1-Build326) - Last (re)boot on september 19th 2021
    Asus H410i-plus - Pentium 6605 Gold - 128GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Checking our machine for Thunder VPN, I do not see anything in the Application Filter log, only in the firewall log.

    There is only one device in the reports: a Samsung Galaxy Android in the guest network.

    UDP traffic on ports 500 and 4500 is used.

  • Nothing shows in the log viewer, only in the daily reports and the GUI reports tab. I have traffic on 500 and 4500 because it is used by Wi-Fi calling, and only through a specific firewall rule to a specific destination.

    Ian

     
  • There is another one, and that is manual proxy surfing, which is talking to NTP servers.

    For IPv4 the XG reports it as ThunderVPN, and for IPv6 it reports it as manual proxy surfing.

    I think the two different reports indicate that there is a classification error in XG which needs to be addressed.

    Ian

     
  • NTP is identified as Thunder VPN in my environment too.

  • Same here - but only on my corporate devices (iPhone and Win10 laptop). A couple of hundred megabytes, so unlikely to be NTP.

    The devices definitely use a VPN, but I highly doubt they're actually using ThunderVPN. Misclassified? 

  • The same since a couple of days ago... In my case, a TP-Link AP generates this traffic.

  • Can somebody please create a Support case and attach a tcpdump of this traffic? 

    I cannot reproduce this on any installation, so I assume it is a certain type of device/client causing this traffic to be a false positive.

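Several posts above reach the same conclusion by hand: the flows labelled "ThunderVPN" go to NTP servers (UDP 123) or, on one guest device, to IKE/NAT-T ports (UDP 500/4500), while one poster sees hundreds of megabytes that cannot be NTP. The script below is an added example written for this page; it is not code from the thread, from Sophos, or from the XG firewall. It triages app-control hits by what the flow actually looks like (destination port, bytes per flow, number of source hosts) and builds the tcpdump filter you would use to capture one group for the support case requested in the last post. The log lines are a constructed, simplified key=value format, not XG's real log syntax; the destination addresses are RFC 5737 documentation ranges, and the 2000-byte "small flow" threshold is an assumption for the example.

```python
import re
from collections import defaultdict

# Well-known IANA assignments a practitioner should consider before trusting an
# app-control label. (ThunderVPN itself is whatever the engine's signature says;
# this table only names the service the port would normally carry.)
KNOWN_SERVICES = {
    ("udp", 123): "NTP",
    ("udp", 500): "IKE (IPsec key exchange; also used by Wi-Fi calling)",
    ("udp", 4500): "IPsec NAT-T (also used by Wi-Fi calling)",
    ("tcp", 443): "HTTPS",
}

# Constructed sample log for this example. This is NOT the Sophos XG log
# format; fields are simplified to key=value pairs. Destinations use
# RFC 5737 documentation addresses.
SAMPLE_LOG = """\
src=192.168.10.21 dst=203.0.113.10 proto=udp dport=123 app=ThunderVPN bytes=76
src=192.168.10.22 dst=203.0.113.11 proto=udp dport=123 app=ThunderVPN bytes=76
src=192.168.10.23 dst=203.0.113.10 proto=udp dport=123 app=ThunderVPN bytes=152
src=192.168.10.21 dst=203.0.113.10 proto=udp dport=123 app=ThunderVPN bytes=76
src=192.168.50.7 dst=198.51.100.5 proto=udp dport=500 app=ThunderVPN bytes=1200
src=192.168.50.7 dst=198.51.100.5 proto=udp dport=4500 app=ThunderVPN bytes=48000
src=192.168.20.9 dst=198.51.100.77 proto=tcp dport=443 app=ThunderVPN bytes=210000000
src=192.168.10.21 dst=203.0.113.10 proto=udp dport=123 app=NTP bytes=76
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) app=(?P<app>\S+) bytes=(?P<bytes>\d+)"
)


def parse_log(text):
    """Parse the constructed key=value lines into flow records; unmatched lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def triage(flows, app="ThunderVPN", small_flow_bytes=2000):
    """Group flows labelled `app` by (proto, dport) and attach a status per group.

    likely-false-positive : well-known port and small average flow (e.g. an NTP poll)
    high-volume-inspect   : well-known port but large flows; only a capture can decide
    unknown-port-inspect  : no well-known service on that port; capture and inspect
    """
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set(), "dests": set()})
    for f in flows:
        if f["app"] != app:
            continue
        g = groups[(f["proto"], f["dport"])]
        g["flows"] += 1
        g["bytes"] += f["bytes"]
        g["sources"].add(f["src"])
        g["dests"].add(f["dst"])

    report = {}
    for key, g in sorted(groups.items()):
        service = KNOWN_SERVICES.get(key)
        avg = g["bytes"] / g["flows"]
        if service and avg <= small_flow_bytes:
            status = "likely-false-positive"
        elif service:
            status = "high-volume-inspect"
        else:
            status = "unknown-port-inspect"
        report[key] = {
            "flows": g["flows"],
            "bytes": g["bytes"],
            "sources": len(g["sources"]),
            "dests": sorted(g["dests"]),
            "service": service,
            "status": status,
        }
    return report


def bpf_filter(report, key):
    """Build a tcpdump/BPF expression that captures exactly one triaged group."""
    proto, port = key
    hosts = " or ".join(f"host {d}" for d in report[key]["dests"])
    return f"{proto} and dst port {port} and ({hosts})"


if __name__ == "__main__":
    rep = triage(parse_log(SAMPLE_LOG))
    for (proto, port), r in rep.items():
        print(f"{proto}/{port}: {r['flows']} flows, {r['bytes']} bytes, "
              f"{r['sources']} source host(s), {r['service'] or 'unknown'} -> {r['status']}")
        print("  tcpdump -ni <wan-if> -w case.pcap '" + bpf_filter(rep, (proto, port)) + "'")
```

On the constructed sample this separates the three groups the thread describes: the UDP 123 hits from several hosts with 76-byte flows come out as a likely misclassified NTP poll, the guest device's UDP 500 exchange as likely IKE, and the UDP 4500 and TCP 443 groups as high-volume cases that need the packet capture rather than a guess. The printed tcpdump line is the capture you would attach to the support case; replace `<wan-if>` with the real interface name.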