I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service. I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.
What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic. I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.
Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.
Thanks in advance for any information!
Confirmed latest pattern update 18.18.62 appears to have resolved the issue, "offending" services have need re-enabled and no further hits int the logs (possibly since the previous update on 12th Oct?)…
the last time I was able to investigate the issue I determined the XG was wrongly categorising Apple connections. My daily report shows thunderVPN but I am not able to find any entries in the logviewer reports so further investigation is required at my end.
While the thunderVPN shows up in the mail reports and in the reports generated from the GUI reports tab, it does not show in logviewer.
All my Apple devices show using the thunderVPN to talk to Apple servers in various counties. The application is also categorised as Proxy and Tunnel - client server. The reports show low traffic and hits less that 60 per device.
What it communicating with have no idea let alone why?
A bit more poking shows it is talking to NTP servers which is strange because I have all NTP traffic pointing at my internal NTP server. Time to re-arrange firewall rules order.
Yes, i am experiencing a large amount of Thunder VPN hits as well. See this image from today 8.55 AM (CET)
In my case it are all IoT devices, Ubiqiti AP's and so on. All trying to connect to NTP servers.
Strange thing was that yesterday my Lets encrypt SSL certification tool (Certify the Web) started to complain about not being able to connect to the time.windows.com server....
Something strange is going on.
checking our machine for Thunder VPN I do not see anything in Application Filter log but only in firewall.
Having only one device in the reports. A Samsung Galaxy Android in the guest networks.
UDP Traffic Port 500 and 4500 used.
Nothing shows in the logviewer, only in daily reports and GUI reports tab. I have traffic for 500 and 4500 because it is used by wifi calling and only through a specific firewall rule to a specific destination.
There is another one and that is manual proxy surfing which is talking to NTP servers.
Ip4 the XG reports as ThundervPN and IPv6 reports it manual proxy surfing.
I think the two different reports indicate that there is a classification error in XG which needs to be addressed.
NTP is identified as Thunder VPN in my environment too.
Same here - but only on my corporate devices (iPhone and Win10 laptop). A couple of hundred megabytes, so unlikely to be NTP.
The devices definitely use a VPN, but I highly doubt they're actually using ThunderVPN. Misclassified?
The same since couple days... In my case, TP-link AP generates this traffic.
Can somebody please create a Support case and attach a tcpdump of this traffic?
I cannot reproduce this on any installation, so i assume it is a certain type of device/client causing this traffic to be false positive.