
Sophos XG Firewall transparent data collection to Sophos?

I have a very disturbing finding with my use of this new firewall software, and I wish to get some answers or thoughts on the matter. First off, my background involves WAN and LAN administration and security for ISPs as well as my own Digital Solutions business. I have some experience with networking, let's put it that way. I recently found that my bandwidth utilization was going very high, in fact starting from when I first installed this new software on my 1U appliance. I know a few things that did not add up in my investigation that raised alarms in my mind. 1. Sophos XG free home UTM that is installed on my 1U does not show in the reports anything unusual from my normal internet usage. Reports are accurate as far as I could tell, that is. Now, after disconnecting all my devices including wireless appliances from my network, it would still report in the system that everything was "normal" according to the reports.

Now here is where it gets interesting...

My ISP has a bandwidth monitor that emails me when I'm getting close to my usage for the month. In December 2015, near the end of the month, I went over my 300Gb limit to a whopping 800Gb in just 4 days! My normal daily amount is on average 10Gb; you do the math. I called my ISP to alert them of my findings and placed my account on an unlimited plan for the time being. They did not charge me for the over-usage, thankfully, but this is still a problem unresolved.

Facts:

1. I disconnected the ISP cable modem from the WAN port on the 1U Sophos XG appliance. Result: data communication halted/stopped based on the ISP bandwidth web usage report (as expected).

2. I disconnected the LAN network cable from the Sophos appliance which connects to my switches, wifi etc., but left the modem connected to the WAN port on the Sophos appliance. Result: data communication started/resumed on the ISP web usage report (this eliminates the possibility of network clients/devices being the cause of the data draw).

The Sophos appliance is doing something, even though in both situations the reports show as if no unusual activity is happening, yet at the same time the reports also do not show the 800Gb data usage anywhere. Yet there is this one main fact: I have 98% CPU usage occurring without a break in Sophos even when I'm not using the internet! This is what leads me to believe something in the background is masking this data collection/hiding it from the reporting side of Sophos, but it is caught by the ISP reports.

Someone please explain this to me, before this becomes something bigger than it should be.

To me it would appear as though there is some data collection going on here that is being sent back secretly to Sophos for statistical or other mining uses. Or is there some exploit in the software?

What's up? Explanations please.
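One way to get the independent accounting this post is asking for, written here as an added example and not taken from the original post or from Sophos: aggregate flow records captured on the WAN side of the appliance (for instance from a mirror port between the cable modem and the firewall) per day and per destination, then compare them with the poster's stated 10 GB/day baseline so the excess can be attributed to specific remote endpoints instead of relying on the firewall's own reports. The flow records, addresses and the 3x anomaly threshold are constructed assumptions.

```python
"""Independent WAN-side traffic accounting for an appliance whose own reports
disagree with the ISP counter. Flow records are assumed to come from a capture
taken between the modem and the firewall's WAN port, not from the firewall."""
from collections import defaultdict

GB = 10**9
BASELINE_PER_DAY = 10 * GB   # the poster's stated normal usage, about 10 GB/day

# Constructed flow records: (date, destination IP, destination port, bytes).
# Illustrative only: one normal day, then four days of roughly 200 GB each,
# mirroring the post's pattern with no LAN clients attached.
SAMPLE_FLOWS = [
    ("2015-12-26", "198.51.100.7", 443, 8 * GB),
    ("2015-12-26", "192.0.2.15", 53, 1 * GB),
    ("2015-12-27", "198.51.100.7", 443, 9 * GB),
    ("2015-12-27", "203.0.113.44", 443, 190 * GB),
    ("2015-12-28", "203.0.113.44", 443, 200 * GB),
    ("2015-12-29", "203.0.113.44", 443, 198 * GB),
    ("2015-12-30", "203.0.113.44", 443, 195 * GB),
    ("2015-12-30", "198.51.100.7", 443, 7 * GB),
]


def bytes_per_day(flows):
    """Total WAN-side bytes per calendar day."""
    totals = defaultdict(int)
    for day, _dst, _port, nbytes in flows:
        totals[day] += nbytes
    return dict(totals)


def anomalous_days(flows, baseline=BASELINE_PER_DAY, factor=3):
    """Days whose total exceeds `factor` times the normal daily volume."""
    return sorted(day for day, total in bytes_per_day(flows).items()
                  if total > factor * baseline)


def top_destinations(flows, days=None, n=3):
    """(ip, port) pairs ranked by bytes, optionally restricted to given days."""
    totals = defaultdict(int)
    for day, dst, port, nbytes in flows:
        if days is None or day in days:
            totals[(dst, port)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def excess_report(flows):
    """Attribute the excess on anomalous days to the endpoints responsible."""
    bad = set(anomalous_days(flows))
    per_day = bytes_per_day(flows)
    excess = sum(per_day[d] for d in bad) - BASELINE_PER_DAY * len(bad)
    dests = [(f"{ip}:{port}", b // GB) for (ip, port), b in top_destinations(flows, bad)]
    return {"days": sorted(bad), "excess_gb": excess // GB, "destinations": dests}


if __name__ == "__main__":
    print(excess_report(SAMPLE_FLOWS))
```

With real captures, feed the same tuples from a flow exporter or a pcap summariser; any destination that dominates the excess while the LAN side is unplugged is, by construction, traffic the appliance itself is generating.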
