
Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!

  • I can’t create a case but can provide access to my XG.

    All my Apple devices generate the traffic. I will need to check the w10 to see if does as well.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Another piece of information, based on the Reports sections:

    Risk: 5
    Category: Proxy and Tunnel
    Application/proto:port: Thunder VPN
    Destination (bytes blocked):
      144.195.32.47      240 MB
      198.251.234.113     69 MB
      144.195.7.7          9 MB
      144.195.59.144     120 MB
      147.124.123.171     66 MB

    Those addresses all seem to belong to Zoom:

    144.195.32.0/24
    AS30103 Zoom Video Communications, Inc

  • I am using Zoom on a daily basis but only saw those Thunder VPN entries once (22.07). 

    If I join a new meeting, it never gets classified in this category (anymore). Also, those are odd time stamps for a Zoom meeting (15:53, 11:08, 19:55, 21:09).

    Most likely I join a meeting on time or 1-2 minutes earlier.

    It is always NTP port 123 to Zoom, and I am not sure when this traffic will be generated.

    __________________________________________________________________________________________________________________

  • Even if I use chrony on Linux, it is classified as Thunder VPN.

  • Just like the others, I see a lot of udp/123/ntp traffic being dropped as 'Thunder VPN', which started right after the upgrade from 18.5 to 18.5 MR1. Especially non-Windows machines seem to be unable to sync time since the upgrade (Linux, IoT and iOS devices). Windows devices also generate 'Thunder VPN', but for some reason are able to sync their time otherwise.

    Example of ntp sync on a linux machine:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:19:35 ntpdate[16281]: no server suitable for synchronization found

    When I disable application filtering ntp works properly:

    ash-4.4# ntpdate -u 94.198.159.10
    6 Aug 14:23:01 ntpdate[18766]: adjust time server 94.198.159.10 offset +0.002776 sec
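
    The triage a defender can do with the report rows and a packet capture before opening a case, as an added example that is not part of the original thread or of any Sophos tooling: it flags udp/123 flows that application control labelled as a proxy/tunnel app, sums blocked bytes per destination (the report's Destination column), and decodes the fixed 48-byte NTP header from a captured datagram so a 'Thunder VPN' verdict on an NTP sync can be checked against what the packet actually is. The records, the 203.0.113.9 address, the server reply bytes and the prefix-to-owner map (taken from the 144.195.32.0/24 / AS30103 note earlier in the thread) are all constructed for the example and are not in the XG log format.

```python
"""Triage of udp/123 flows that application control reports as a tunnel app.

Everything below is constructed for illustration: the records are not in the
XG log format, and the prefix-to-owner map is taken from the thread's note that
144.195.32.0/24 is announced by AS30103 (Zoom), not from a live lookup.
"""
import ipaddress
import struct
from collections import defaultdict

# Assumed prefix ownership, from the thread; extend with your own WHOIS results.
KNOWN_PREFIXES = {
    ipaddress.ip_network("144.195.32.0/24"): "Zoom Video Communications (AS30103)",
}

# App-control verdicts from the "Proxy and Tunnel" category that plain NTP must never match.
TUNNEL_APPS = {"Thunder VPN"}

# Constructed block records (one per flow), loosely modelled on the report columns.
RECORDS = [
    {"proto": "udp", "dst_ip": "144.195.32.47", "dst_port": 123,
     "app": "Thunder VPN", "bytes": 240_000_000},
    {"proto": "udp", "dst_ip": "94.198.159.10", "dst_port": 123,
     "app": "Thunder VPN", "bytes": 384},
    {"proto": "udp", "dst_ip": "203.0.113.9", "dst_port": 1194,
     "app": "Thunder VPN", "bytes": 50_000},
    {"proto": "tcp", "dst_ip": "144.195.32.47", "dst_port": 443,
     "app": "Zoom", "bytes": 10_000_000},
]


def owner_of(ip):
    """Map a destination address to a known prefix owner, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, owner in KNOWN_PREFIXES.items():
        if addr in net:
            return owner
    return "unknown"


def suspect_ntp_misclassifications(records):
    """Flows on udp/123 that carry a tunnel-app verdict: likely signature false positives.

    Returns (dst_ip, owner, bytes) tuples, which is the evidence a vendor case needs.
    """
    hits = []
    for r in records:
        if r["proto"] == "udp" and r["dst_port"] == 123 and r["app"] in TUNNEL_APPS:
            hits.append((r["dst_ip"], owner_of(r["dst_ip"]), r["bytes"]))
    return hits


def bytes_by_destination(records, app):
    """Sum blocked bytes per destination for one app verdict (the report's Destination column)."""
    totals = defaultdict(int)
    for r in records:
        if r["app"] == app:
            totals[r["dst_ip"]] += r["bytes"]
    return dict(totals)


def ntp_client_request():
    """The 48-byte datagram ntpdate/chrony send: LI=0, VN=4, Mode=3 (client), rest zero."""
    return bytes([0x23]) + bytes(47)


def parse_ntp_header(payload):
    """Decode the fixed NTP header (RFC 5905) from a udp/123 payload taken from tcpdump.

    Returns None when the bytes cannot be NTP v3/v4, so a capture of a flow the
    firewall blocked as 'Thunder VPN' can be checked against the protocol itself.
    """
    if len(payload) < 48:
        return None
    first = payload[0]
    leap, version, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if version not in (3, 4) or mode not in range(1, 6):
        return None
    stratum, poll, precision = struct.unpack("!BBb", payload[1:4])
    tx_seconds = struct.unpack("!I", payload[40:44])[0]  # transmit timestamp, seconds since 1900
    return {"leap": leap, "version": version, "mode": mode, "stratum": stratum,
            "poll": poll, "precision": precision, "tx_seconds": tx_seconds}


# Constructed server reply: LI=0, VN=4, Mode=4, stratum 2, poll 6, precision -20,
# transmit timestamp 3_900_000_000 s since 1900 (roughly 2023) in the last 8 bytes.
SERVER_REPLY = bytes([0x24, 2, 6, 0xEC]) + bytes(36) + struct.pack("!II", 3_900_000_000, 0)


if __name__ == "__main__":
    for dst, owner, nbytes in suspect_ntp_misclassifications(RECORDS):
        print(f"udp/123 -> {dst:16} {owner:40} {nbytes:>12} bytes blocked as tunnel app")
    print(bytes_by_destination(RECORDS, "Thunder VPN"))
    print(parse_ntp_header(ntp_client_request()))
    print(parse_ntp_header(SERVER_REPLY))
```

    The udp/1194 flow is deliberately left unflagged: a tunnel verdict on a port commonly used by VPN software deserves a closer look rather than an automatic "false positive" label, whereas a 48-byte NTP exchange matching a VPN signature is exactly the evidence to attach to a case.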

  • This seems not to be related to MR1 or anything, but instead to the latest App Control pattern update. But still, I cannot reproduce this right now. None of my firewalls is seeing this...

    Therefore please create a case to reflect this behavior. 


  • I just tried, but unfortunately I was not able to register a support account (home user license). For me personally it's not a big issue, but I think it is something worth looking into for Sophos before GA.

    Regarding the relationship with MR1... FYI, when I run a 'Blocked User Apps' report I see the Thunder VPN issues ramping up on July 19th. This is exactly the day of the last reboot into this new firmware:

    grep -i "BOOT_IMAGE" /log/syslog.log

    May 29 17:27:03 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_0_5_586 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    May 29 17:27:03 (none) user.notice kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/18_0_5_586 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    Jul 19 19:17:26 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_5_1_318 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    Jul 19 19:17:26 (none) user.notice kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/18_5_1_318 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
    SFVH_SO01_SFOS 18.5.1 MR-1-Build318# 

  • Seen this with NTP requests from IoT Devices within my HomeLab.

    Running Version SFOS 18.5.1 MR-1-Build318

    Can't create a case (Home License) but am able to provide captured traffic ... or device access.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • If you could share conntrack, tcpdump and Logviewer/Report screenshot of this traffic, this would be good. 


  • Logviewer of blocked IPv4 and IPv6

    Removed not-required data to shorten the thread.

    [screenshot: Connection]

    [screenshot: IP4]

    Ian