
Unauthenticated traffic on WAN - Captive portal

Hello All,

We have a Sophos XGS connected to a metered WAN connection. In order for devices to connect to the internet, the user must authenticate to the Sophos captive portal, at which point a weekly data transfer quota is applied. This has been working great since we deployed the firewalls.

However, recently, I believe since upgrading to FW 20.0.2 MR-2-Build378, we are seeing GBs of traffic falling under the user "Unidentified" in the on-device reports. When I look at the firewall reports in more detail, the destination IPs with the most logged traffic belong to Microsoft and Apple, which makes me think it's standard software update traffic.

Two questions:

How is this traffic passing through the firewall without an authenticated session?

The Sophos reports also show this application traffic classified as "unclassified". I would expect to see a classification of something like "Software Update" (which we block). I can't see a way to also block applications in the "unclassified" category.

Regards,

Gary.

 
