Thread Info
  • State Verified Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 92 replies
  • Subscribers 55 subscribers
  • Views 14180 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any experience with an excessive number of ThunderVPN hits?

ARandomHerdFan

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



This thread was automatically locked due to age.
Parents
  • 0

    Can somebody please create a Support case and attach a tcpdump of this traffic? 

    I cannot reproduce this on any installation, so i assume it is a certain type of device/client causing this traffic to be false positive. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Just like the others I see a lot of udp/123/ntp traffic being dropped as 'Thunder VPN', which started right after the upgrade from 18.5 to 18.5 MR1. Especially non-windows machines seem to be unable to sync time since the upgrade (Linux, iot and ios devices). Windows devices also generate 'Thunder VPN', but for some reason are able to sync their time otherwise.

    Example of ntp sync on a linux machine:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:19:35 ntpdate[16281]: no server suitable for synchronization found

    When I disable application filtering ntp works properly:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:23:01 ntpdate[18766]: adjust time server 94.198.159.10 offset +0.002776 sec

Reply
  • 0 in reply to LuCar Toni

    Just like the others I see a lot of udp/123/ntp traffic being dropped as 'Thunder VPN', which started right after the upgrade from 18.5 to 18.5 MR1. Especially non-windows machines seem to be unable to sync time since the upgrade (Linux, iot and ios devices). Windows devices also generate 'Thunder VPN', but for some reason are able to sync their time otherwise.

    Example of ntp sync on a linux machine:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:19:35 ntpdate[16281]: no server suitable for synchronization found

    When I disable application filtering ntp works properly:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:23:01 ntpdate[18766]: adjust time server 94.198.159.10 offset +0.002776 sec

Children
  • 0 in reply to Danny den Hartog

    This seems not to be related to MR1 or anything, instead to the latest App control Pattern update. But still, i cannot reproduce this right now. None of my firewall seeing this... 

    Therefore please create a case to reflect this behavior. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I just tried, but unfortunately I was not able to register a support account (home user license). For me personally it's not a big issue, but I think it is something worth looking into for Sophos before GA.

    Regarding the relationship with MR1... FYI, when I run a 'Blocked user Apps' report I see the Thunder VPN issues ramping up on july 19th. This is exactly the day of the last reboot into this new firmware:

    grep -i "BOOT_IMAGE" /log/syslog.log

    May 29 17:27:03 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_0_5_586 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    May 29 17:27:03 (none) user.notice kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/18_0_5_586 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    Jul 19 19:17:26 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_5_1_318 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    Jul 19 19:17:26 (none) user.notice kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/18_5_1_318 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    SFVH_SO01_SFOS 18.5.1 MR-1-Build318# 

Unfiltered HTML