Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.
There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.
I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?
Thanks as always for suggestions,
I have found this community-entry:
Please take a look at this KB article.Email Catchrate issue on UTM 9.706 (sophos.com)The issue seems to be limited…
I found this, it may help: https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/29103/up2date-generates-a-lot-of-traffic
UTM - 9.707 | Intel i3-4150 4th Gen Processor 16GB Memory | 500GB SATA HDD | GB Ethernet x5
Thanks for the quick reply. I actually had seen that, but there's nothing there that twigs an Aha! moment.
Except that it makes me recall -- I've been using UTM since the V7 days -- where one could manually set the Up2Date URLs, but I can't seem to find that page anymore. Is it gone?
There's nothing in the GUI that you can do with that, but you might be able to do that via SSH. I don't know the procedure for it if it does exist. You can also go do download.astaro.com and grab the latest Up2Date files from there.
I’ve checked the source and it’s two different Akamai servers. Unfortunately that could be any number of things.