Firewall log is filling up with multicast connections

Hello,

First time on the forum for me, so please excuse if I am missing out on some crucial information that you need in order to help.

I have an SG 115W running as a firewall for a small business.
FW Version: 9.705-3

My firewall log is filling up rapidly with entries on various multicast addresses, mostly 224.0.0.251 and 224.0.0.252. They all get filtered out by fwrule "600002".

Since this started happening, e-mail sending and receiving does not work. We are using local mail clients (Thunderbird) to access a mail server outside of the local network via IMAP.

Can anyone help?

  • Not sure if the two are related, as far as I know IMAP doesn't need multicast connections to work.

    Usually multicast traffic can be discarded, it's used for mDNS (224.0.0.251) and also Bonjour to communicate/find devices in the network. 

    As for the email problem, do you also see IMAP traffic in the firewall (port 143 if normal IMAP or 993 if encrypted IMAP)?


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for your answer. I am not sure as well if they are connected. But IMAP traffic is not filtered by the FW. Also, IMAP sometimes works, but not always. This leads me to think that the IMAP calls don't get filtered but simply time out. I would guess that this could be because the firewall is busy and it takes too long to handle the IMAP packets. However, other protocols, like RDP and HTTP, work with no problem at all.

  • IMAP traffic should normally also travel the firewall at least if your clients are inside the network and IMAP is outside.

    You may, however, not have logging enabled on this traffic and therefore you don't see it in the firewall. Maybe you can check in the firewall rules whether logging is enabled in the allow rule (for either IMAP, or maybe you allow any) to the outside.

    Then you should at least be able to see IMAP traffic in the firewall log.


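The two replies above suggest checking whether the multicast drops (224.0.0.251/224.0.0.252) and the IMAP flows (ports 143/993) are actually related, and whether IMAP is being logged at all. The following is an added example, not code from the original thread or from Sophos: a small Python script that classifies firewall log entries into multicast, IMAP and other traffic, and lists any IMAP flows that were dropped. The log lines are constructed for this example in a generic key="value" form and are not real Sophos UTM output; the field names (action, fwrule, dstip, dstport) and the rule IDs other than "600002" are assumptions. A practitioner would adapt parse_line() to the exact format exported from the UTM.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (NOT real Sophos UTM output). Field names are assumed;
# fwrule "600002" is the multicast drop rule mentioned in the thread, the other rule
# IDs are placeholders.
SAMPLE_LOG = """\
action="drop" fwrule="600002" proto="17" srcip="192.168.1.23" dstip="224.0.0.251" srcport="5353" dstport="5353"
action="drop" fwrule="600002" proto="17" srcip="192.168.1.40" dstip="224.0.0.252" srcport="55213" dstport="5355"
action="accept" fwrule="example-allow" proto="6" srcip="192.168.1.23" dstip="203.0.113.10" srcport="50122" dstport="993"
action="accept" fwrule="example-allow" proto="6" srcip="192.168.1.23" dstip="203.0.113.10" srcport="50123" dstport="143"
action="drop" fwrule="example-drop" proto="6" srcip="192.168.1.77" dstip="203.0.113.10" srcport="50124" dstport="993"
action="accept" fwrule="example-allow" proto="6" srcip="192.168.1.23" dstip="198.51.100.5" srcport="50125" dstport="443"
"""

MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # all IPv4 multicast, incl. mDNS/LLMNR
IMAP_PORTS = {143, 993}                           # plain IMAP and IMAP over TLS

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (empty dict for unparseable lines)."""
    return dict(FIELD_RE.findall(line))


def classify(entry):
    """Return 'multicast', 'imap' or 'other' for a parsed entry."""
    try:
        dst = ipaddress.ip_address(entry.get("dstip", ""))
    except ValueError:
        return "other"
    if dst.version == 4 and dst in MULTICAST:
        return "multicast"
    try:
        port = int(entry.get("dstport", ""))
    except ValueError:
        return "other"
    if port in IMAP_PORTS:
        return "imap"
    return "other"


def summarize(lines):
    """Count entries per (category, action), e.g. ('multicast', 'drop') -> 2."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        counts[(classify(entry), entry.get("action", "unknown"))] += 1
    return counts


def imap_drops(lines):
    """Return the parsed IMAP entries that the firewall dropped; these are the ones
    worth investigating when mail clients time out."""
    dropped = []
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry) == "imap" and entry.get("action") == "drop":
            dropped.append(entry)
    return dropped


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (category, action), n in sorted(summarize(lines).items()):
        print(f"{category:10s} {action:7s} {n}")
    for entry in imap_drops(lines):
        print("dropped IMAP flow:", entry["srcip"], "->", entry["dstip"], "port", entry["dstport"],
              "by rule", entry["fwrule"])
```

On the constructed sample the multicast drops and the IMAP flows are clearly separate: the mDNS/LLMNR noise is all hit by rule 600002, while one IMAP connection from 192.168.1.77 is dropped by a different rule. Running the same classification over a real export answers the question raised in the thread (is IMAP being logged, and if so, is it accepted or dropped) without having to read the noisy log by hand.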

  • I see IMAP traffic in the log. It is being passed by the rule for e-mail traffic, so this seems to be working as it should. I have raised the timeout for the e-mail server in my e-mail client and now e-mail works as it should. However, the connection is super slow.

  • Hallo Swen and welcome to the UTM Community!

    First, do #1 in Rulz (last updated 2020-11-12).  That may point you to the solution to your problem.  If you're still seeing slowness, work through #7.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA