This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

identify spikes in traffic, ssl/tls and sessions before outage

Hey,

this noon our entire network crashed for a couple of minutes.

All i can see in our sophos portal is, that the "Sessions" graphs at the Control center --> "SSL/TLS" and "Network" spiked unusually high shortly before this outage happened. (see screenshots)

My first guess was a DoS attack because in my opinion the behaviour seemed to fit, but sophos hasnt recognignized it as such (according to the intrusion prevention page).

Is there any way to furtther check these spikes? e.g. what kind of traffic it was, where it originated (country, ip adress whatever)?

Since we want to avoid outages at all costs, we need to check what caused it. It couldve been the issue of our provider as well, but we wanna include everything in our search of the source.

kind regards

This thread was automatically locked due to age.

Parents

0 Erick Jan over 1 year ago
Hi Maximillian,

Thank you for reaching out to Sophos Community.

In the Log viewer, check the Firewall and IPS sections around the time of the incident if there was a spike. There may be additional hints about the problematic source.

Also, you may want to check the following to troubleshoot the cause for future reference.

1.Check system graph on WEB UI
System graphs must cover the time of sudden reboot/crash, and "live graph" is preferred over "Today", preferred over "Last 48 hours"

2. Core Dump
ls -lh /var/cores

login through Putty or console
Advance Shell/CLI
Click 5. Device Management then Click 3.Advance Shell/CLI

3. Check %CPU and Service with highest utilization by typing

top
to exit click ctrl+c
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/134787/sophos-firewall-understanding-top-and-atop-command-in-xg-utm

You may also raise a ticket to Sophos Support for further assistance via the link https://soph.so/SophosSupport
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Erick Jan over 1 year ago
Hi Maximillian,

Thank you for reaching out to Sophos Community.

In the Log viewer, check the Firewall and IPS sections around the time of the incident if there was a spike. There may be additional hints about the problematic source.

Also, you may want to check the following to troubleshoot the cause for future reference.

1.Check system graph on WEB UI
System graphs must cover the time of sudden reboot/crash, and "live graph" is preferred over "Today", preferred over "Last 48 hours"

2. Core Dump
ls -lh /var/cores

login through Putty or console
Advance Shell/CLI
Click 5. Device Management then Click 3.Advance Shell/CLI

3. Check %CPU and Service with highest utilization by typing

top
to exit click ctrl+c
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/134787/sophos-firewall-understanding-top-and-atop-command-in-xg-utm

You may also raise a ticket to Sophos Support for further assistance via the link https://soph.so/SophosSupport
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data