Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service. I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic. I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!
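One way to narrow down which machines are behind the hits is to aggregate the firewall's application-control log by source host and destination before asking which software those hosts have in common. The script below is an added example, not from the original post or from Sophos; it parses a few constructed key=value lines loosely modelled on XG syslog output (the field names `application`, `status`, `src_ip`, `dst_ip`, `dst_port` are assumptions for this example) and reports, per source IP, how many denied hits there were for a given application and how many distinct destinations were contacted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines loosely modelled on Sophos XG key=value syslog output.
# Field names and values are assumptions for this example, not copied from a real device.
SAMPLE_LOG = """\
date=2021-10-12 time=09:01:12 log_component="Application" status="Deny" application="Thunder VPN" src_ip=10.0.1.25 dst_ip=203.0.113.10 dst_port=443 protocol="TCP"
date=2021-10-12 time=09:01:40 log_component="Application" status="Deny" application="Thunder VPN" src_ip=10.0.1.25 dst_ip=203.0.113.10 dst_port=443 protocol="TCP"
date=2021-10-12 time=09:02:05 log_component="Application" status="Deny" application="Thunder VPN" src_ip=10.0.1.26 dst_ip=203.0.113.11 dst_port=443 protocol="TCP"
date=2021-10-12 time=09:02:30 log_component="Application" status="Allow" application="Microsoft Teams" src_ip=10.0.1.40 dst_ip=198.51.100.5 dst_port=443 protocol="TCP"
date=2021-10-12 time=09:03:11 log_component="Application" status="Deny" application="Thunder VPN" src_ip=10.0.1.25 dst_ip=203.0.113.12 dst_port=443 protocol="TCP"
date=2021-10-12 time=09:04:00 log_component="Application" status="Deny" application="Some Proxy" src_ip=10.0.1.90 dst_ip=198.51.100.9 dst_port=8080 protocol="TCP"
"""

# key=value pairs; values may be quoted strings containing spaces or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_log(text):
    """Parse every non-empty line of a log dump into a list of dicts."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def blocked_app_summary(records, app_name):
    """Count denied hits for one application per source IP, and collect the
    distinct (dst_ip, dst_port) pairs each source tried to reach.

    Returns (hits: Counter of src_ip -> count, dests: dict of src_ip -> set)."""
    hits = Counter()
    dests = defaultdict(set)
    for r in records:
        if r.get("application") != app_name or r.get("status") != "Deny":
            continue
        hits[r["src_ip"]] += 1
        dests[r["src_ip"]].add((r["dst_ip"], r["dst_port"]))
    return hits, dests


def main():
    records = parse_log(SAMPLE_LOG)
    hits, dests = blocked_app_summary(records, "Thunder VPN")
    # Sources with the most hits go first; compare this list against the
    # software inventory of those hosts to find what they have in common.
    for src, n in hits.most_common():
        print(f"{src}: {n} blocked hits, {len(dests[src])} distinct destinations")
        for dst_ip, port in sorted(dests[src]):
            print(f"    -> {dst_ip}:{port}")


if __name__ == "__main__":
    main()
```

Feed it an export of the Application log (or a syslog forward) instead of the constructed sample; a short list of sources that keep reappearing is the set of machines whose installed services are worth comparing.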

  • The issue is under review by Sophos Labs.

  • As per my post above https://community.sophos.com/sophos-xg-firewall/f/discussions/129054/any-experience-with-an-excessive-number-of-thundervpn-hits/479924#479924 (I'm posting on the end of this thread to keep it visible as recent) we have now disabled the Let's Encrypt's Certify The Web apps service on both the web servers that it was installed on, and there have been no further logs of Thunder VPN since. 
    I am very much hoping this is simply a false positive and that it's not some exploited vulnerability in the cert renewal app/service. We have to renew our certs manually anyway (afaik this can't integrate with XG to automate the process), so until further notice the offending services will remain disabled and our issue is resolved. I will be interested to see whether others who are not CertifyTheWeb users still get this appearing in their logs....

    [EDIT] Coincidentally, it seems, there was a pattern update (IPS and Application signatures: 18.18.61 21:12:10, Oct 12 2021) the same day I disabled the suspected service, so what are the chances the fix came at the same time we disabled the suspected service?? Re-enabling the service to confirm!

  • I re-enabled my IPS and application classification earlier today to see if the new pattern has any effect.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I received 18.18.61 yesterday and removed my "Allow Thunder VPN" app rule, and the App exclusion log file immediately started filling up with the blocks. It did not seem to make a substantive difference. Anyone else have luck?
