
Firewall hacked?

Hi,

After starting out quite successfully with the XG Firewall, I now have an issue which has forced me to turn off the firewall completely. What happened? For a few days now (during the holidays) the network traffic, both inbound and outbound, has been going up to the maximum of my DSL link. In order to analyze this, I first removed one machine after the other from the network with no effect, until I realized that the firewall itself seems to be the source of the issue.
Next I used the built-in packet capture, and it showed constant incoming packets to the WAN interface of the firewall (with no forwarding to the LAN) on port 443, and then the same outbound again. The partner IP varied between several different ones, for instance 54.239.168.224.
I tried to apply policies to stop that traffic, but it looks to me as if I can only filter traffic between two interfaces. As the traffic is only to the device or from the device, this did not help.
To further narrow down the problem, I disabled port 443 communication already in my DSL modem/router, and the traffic immediately went back to normal. But obviously this is no solution, as I need port 443 available for regular operations.

Is my firewall hacked? Does anybody else have similar issues? Do you have any idea how to bypass this, or do I need to keep the Sophos XG Firewall turned off for security reasons?

Any help is very welcome :-)

Stefan



This thread was automatically locked due to age.
  • Maybe it's a problem with updating the Avira virus pattern, as described in the thread 'Avira up2date error: Is there any solution?'

    https://community.sophos.com/products/xg-firewall/f/46/t/73626

    The IP address that you mention resolves to Amazon's CloudFront, from where the XG firewall tries to download these files.
    Did you check the Log viewer under 'View Log for Admin'?
    Best Regards.

  • Hi dempie,
    That sounds exactly like my issue. Thanks for pointing me to the other thread! I just need to refresh my memory of how to handle vi from 20+ years ago... I am sure the web will help me with that later today.
  • Hi Stefan,
    if you are lucky you don't have to deal with vi. Please read the second page of that thread. Maybe it is sufficient to rename the pattern file as described there.

    Hope this helps.
    Best Regards.
  • Hi again, I booted up the XG again and the issue seems to have been worked around by other methods. So to come back to one earlier question: yes, the log file also shows the Avira update attempts, as you expected.
    In the meantime those no longer start downloading and then fail, but just fail immediately every minute, i.e. at least they are no longer blocking the bandwidth.
    I would not call the issue solved, as per the discussion in the other thread, as it is quite frightening that the device I am mainly using for traffic shaping is wasting all my bandwidth, and that this cannot be configured but needs tweaking underneath the surface.
    Thanks again for your important hint!
  • I just posted a thread on this exact same issue, which happened to me during the last 2 weeks of Dec. 2015. I was under the impression there were two possibilities: 1. Your exact thought of being hacked or some exploit, or 2. Sophos doing some sort of data mining in the background. I didn't bother going as far as you did with narrowing down the packets because of other priorities of mine, but I'm very appreciative of you doing so! Thanks to you at least I have some kind of temporary workaround. My post is "Sophos XG firewall transparent data mining to Sophos?"; maybe these can be combined, and hopefully we can have a sound solution to this problem soon.
  • I just noticed more responses to this thread and I'm going to try it now.
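The two observations the thread turned on were that the port 443 traffic was to and from the firewall itself (not forwarded to the LAN) and that, once the download stopped working, the attempts recurred every minute. The script below is an added example, not code from the thread or from Sophos, that checks both from plain packet captures. It assumes two text captures taken at the same time with `tcpdump -n -tt` (epoch timestamps), one on the LAN side and one on the WAN side, rather than the XG's own capture tool, whose export format is not shown on the page. A WAN-side packet to a remote TCP/443 peer that has no LAN-side packet for the same peer within a short window was not forwarded, so it originated on the firewall; the outbound SYNs per peer are then checked for a fixed retry period, which is what a stuck update job looks like on the wire. All addresses and capture lines are constructed for the example.

```python
"""Find traffic a firewall sends on its own behalf, and whether it retries on a fixed period.
Added example; assumes tcpdump -n -tt text captures on LAN and WAN taken simultaneously."""
import re
from collections import defaultdict
from statistics import median

# One tcpdump -n -tt line for IPv4/TCP, e.g.
# "1451606400.5 IP 203.0.113.10.51234 > 54.239.168.224.443: Flags [S], seq 1, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)


def parse_capture(text):
    """Parse tcpdump text into packet dicts; lines that are not IPv4/TCP are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({"ts": float(m["ts"]), "src": m["src"], "sport": int(m["sport"]),
                         "dst": m["dst"], "dport": int(m["dport"]),
                         "flags": m["flags"], "len": int(m["len"])})
    return pkts


def peer_of(pkt, port=443):
    """(remote_ip, direction) if the packet is to or from a remote host on `port`, else None."""
    if pkt["dport"] == port:
        return pkt["dst"], "out"
    if pkt["sport"] == port:
        return pkt["src"], "in"
    return None


def self_originated(wan_pkts, lan_pkts, port=443, window=0.5):
    """WAN-side packets on `port` with no LAN-side counterpart (same peer and direction
    within `window` seconds). Those were not forwarded: the firewall itself is the endpoint."""
    lan_index = defaultdict(list)
    for p in lan_pkts:
        key = peer_of(p, port)
        if key:
            lan_index[key].append(p["ts"])
    result = []
    for p in wan_pkts:
        key = peer_of(p, port)
        if key is None or any(abs(t - p["ts"]) <= window for t in lan_index.get(key, ())):
            continue
        result.append((key[0], key[1], p))
    return result


def retry_period(syn_ts, min_attempts=3, tolerance=0.1):
    """Median gap between consecutive connection attempts if the gaps are regular
    (all within `tolerance` of the median), else None. A fixed period marks a retrying job."""
    if len(syn_ts) < min_attempts:
        return None
    ts = sorted(syn_ts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0 or any(abs(g - med) > tolerance * med for g in gaps):
        return None
    return med


def analyse(wan_text, lan_text, port=443):
    """Per-peer report of firewall-originated traffic: packets, bytes, and retry period (seconds)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_ts": []})
    for peer, direction, p in self_originated(parse_capture(wan_text), parse_capture(lan_text), port):
        s = stats[peer]
        s["packets"] += 1
        s["bytes"] += p["len"]
        if direction == "out" and p["flags"] == "S":   # a bare SYN is a new connection attempt
            s["syn_ts"].append(p["ts"])
    return {peer: {"packets": s["packets"], "bytes": s["bytes"],
                   "period": retry_period(s["syn_ts"])} for peer, s in stats.items()}


# Constructed captures: 203.0.113.10 is the WAN address, 192.168.1.20 a LAN host.
# The LAN host's connection to 93.184.216.34 appears on both sides (forwarded);
# the connections to 54.239.168.224 appear on the WAN side only, once a minute.
WAN_CAPTURE = """
1451606400.001000 IP 203.0.113.10.40001 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
1451606400.050000 IP 93.184.216.34.443 > 203.0.113.10.40001: Flags [S.], seq 2000, ack 1001, win 65535, length 0
1451606400.500000 IP 203.0.113.10.51234 > 54.239.168.224.443: Flags [S], seq 3000, win 64240, length 0
1451606400.540000 IP 54.239.168.224.443 > 203.0.113.10.51234: Flags [P.], seq 4000, ack 3001, win 65535, length 1400
1451606460.500000 IP 203.0.113.10.51235 > 54.239.168.224.443: Flags [S], seq 3100, win 64240, length 0
1451606460.540000 IP 54.239.168.224.443 > 203.0.113.10.51235: Flags [P.], seq 4100, ack 3101, win 65535, length 1400
1451606520.500000 IP 203.0.113.10.51236 > 54.239.168.224.443: Flags [S], seq 3200, win 64240, length 0
1451606520.540000 IP 54.239.168.224.443 > 203.0.113.10.51236: Flags [P.], seq 4200, ack 3201, win 65535, length 1400
1451606580.500000 IP 203.0.113.10.51237 > 54.239.168.224.443: Flags [S], seq 3300, win 64240, length 0
1451606580.540000 IP 54.239.168.224.443 > 203.0.113.10.51237: Flags [P.], seq 4300, ack 3301, win 65535, length 1400
"""
LAN_CAPTURE = """
1451606400.000000 IP 192.168.1.20.40001 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
1451606400.051000 IP 93.184.216.34.443 > 192.168.1.20.40001: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

if __name__ == "__main__":
    for peer, r in analyse(WAN_CAPTURE, LAN_CAPTURE).items():
        print(f"{peer}: {r['packets']} packets, {r['bytes']} bytes, retry period {r['period']}s")
```

The forwarded connection drops out of the report because it has a LAN-side twin; only the peer the firewall talks to by itself remains, with its byte count and a 60-second retry period. Correlating two capture points this way is what separates "the firewall is calling out" from "a LAN host is calling out through the firewall", which a single WAN-side capture cannot show once the source is NATed to the WAN address.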