Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.
There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.
I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?
Thanks as always for suggestions,
I have found this community-entry:
Please take a look at this KB article.Email Catchrate issue on UTM 9.706 (sophos.com)The issue seems to be limited…
Hi anybody!After 8 hours of testing with the ssse3 enabled cpu, the update only need 0,7 GB traffic in this 8 hours.For me the traffic-problem is solved!
Yes, I just got an email from Sophos support confirming this to be our issue. Makes sense as our UTM is running on an old 2002 HP Server box. It spent 10 years as a server, and nearly another 10 as a firewall.
Guess we'll have to move it to something newer...
Thank you everyone for your contributions,
Can confirm this appears to be the issue.
Having the UTM run on a HP Proliant Microserver with an N54L CPU that doesn't support SSSE3 extensions is the problem...although it would have been nice to have a workaround other than turning updates to manual.
I also checked on a PC with a newer CPU and yes, the issue is not seen...