
RED Device itself: high SMTP Traffic on Bandwidth Usage

Hi all,

 

I have some questions about RED Device reporting.

Our remote locations are very small, with one printer, VoIP tel., 2 PCs etc.

But for some weeks now, I haven't understood the reporting under Bandwidth Usage.

My Selection: Top Services by client > IP/network: "IP Address RED Device (192.168.5.254)" > last 7 days

Top  Service  Protocol  IN       %      OUT     %       Total   %       Conn   %
1    SMTP     TCP       72.7 MB  99.95  3.0 GB  100.00  3.1 GB  100.00  4 534  93.08

What does that mean? This RED Device sends 3.1 GB of SMTP traffic? Especially since I have SMTP traffic blocked...

Thanks,
Ivo



This thread was automatically locked due to age.
  • Hi, Ivo, and welcome to the UTM Community!

    It's unlikely that the report is incorrect.  Please show a picture of the query and response on the 'Bandwidth Usage' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi all,

    We have bound the RED Device on a local device with IP 192.168.5.254. Now I see under Bandwidth Usage with the selector Service, yesterday:

    What does this mean? Does the RED Device communicate via SMTP with anyone?

    When I select my IP addresses in this network, no other IP address generates SMTP traffic, only the IP address of the RED Device.

    Last 30 days:

    Ivo

  • Ivo, please show a picture of the Edit of the RED with the Unlock code and the UTM hostname obfuscated.

    Cheers - Bob

     
  • Hi Bob,

    Here it is:

    Thanks,

    Ivo

  • That's what I expected, Ivo - Standard/Unified (Vereint).  What do you see if you query for "Häufigste Dienste von" 192.168.5.0/24?  And what about SMTP for both Clients and Servers?

    There must be something behind the RED that's causing that traffic.  Maybe a printer that's continuously sending an email that it's low on ink?

    Cheers - Bob

     
  • Hi Bob,

    This is also what I think. But the RED Device is not in my working area. The customer on site says there is no other device. He turns all devices, like printers, the Fritz-Box (for VoIP) and PCs, off. Still, for weeks we have seen very high SMTP traffic.

    So, I will try to configure the RED Device on another Sophos SG. If I also see SMTP traffic after moving, can the RED Device be faulty? The last change was that we exchanged this RED Device for another.

    Ivo

  • I would get Sophos Support involved before swapping out the RED.  I just can't imagine that it's possible to infect a RED to cause it to be sending that much traffic all by itself, but if they think it is, I'm sure they'll want to get it into their lab.

    Cheers - Bob

     
  • Hi to all,

    Quick update: our RED Device is OK. We checked the remote network and found a device with a faulty configuration of the local anti-virus scan engine.

    Thanks, Bob, for the help.