
Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service. I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic. I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



  • Hello Community!

    For the community members following and participating in this thread: would it be possible for you to share any Case ID you have created for this? If you haven't, please create one and provide the following, or update the ticket with the following:

    1. Run IPS in debug mode (# service ips:debug -ds nosync) 
    2. # tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap 
    3. # conntrack -L | grep 123 
    4. Screenshot of the LogViewer showing the application being marked as ThunderVPN with the destination port
    5. Current IPS Pattern
    6. Firmware and Hardware model

    Note: Start pcap/log collection first, then recreate the issue/logs, and stop pcap/log.

    I would like to make sure Labs has all the pcaps and conntrack entries with the service running in debug mode as they have requested this way.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi, my IPS/App signatures patterns updated this afternoon to 18.18.62. I removed my temporary rule allowing Thunder VPN to pass. Now it appears to be back to normal - I am no longer seeing Thunder VPN port 123 app blocks in my log. Hope this helps and thanks!
