Sophos XG high traffic on the BITS application

Symptom

Windows and Office 2016 updates are downloaded through BITS (Background Intelligent Transfer Service), a component of the operating system.

Passing through the firewall's proxy and its antivirus scan "prevents" the download from completing, so it runs in a loop and saturates the bandwidth.

The screenshot below shows the statistics over 12 hours, with almost 80 GB downloaded.
[Screenshot: Internet statistics]

As the following screenshots show, taken with PRTG monitoring the firewall interfaces, only the WAN interface (left) is impacted; the LAN interface (right) of the firewall records normal traffic. The downloaded data does not reach the workstations on your network.
[Screenshots: WAN port, LAN port]

Resolution

To solve this problem, you must add a proxy exception that bypasses the antivirus scan.

1. From the interface of your firewall, go to Web (1) > Exceptions (2) and click on the pencil (3) to edit the Microsoft Windows Update exception.
[Screenshot: Sophos XG Web > Exceptions]

2. Edit the exception by adding the following domains (1) and click on Save (2).
[Screenshot: Sophos XG Windows Update exception]

officecdn.microsoft.com.edgekey.net
officecdn.microsoft.com.edgesuite.net
officecdn.microsoft.com

3. Enable the exception by moving the slider to ON (1) if this is not already the case.
[Screenshot: Enable the exception]

4. Wait a little while for the rule to apply and for the data to reach the workstations. As you can see in the screenshot below, the traffic is back to normal (1).
[Screenshot: Traffic back to normal]

Going further

I am also taking the opportunity in this article to introduce another exception, for the URL deploy.static.akamaitechnologies.com. Microsoft also uses this service to deliver updates.

1. From the exceptions page, click on the button .

2. Give it a name (1), check the box URL pattern matches (2), enter the regex (3) below, check the boxes (4) to skip the checks and click on Save (5).
[Screenshot: Adding the exception]

^([A-Za-z0-9.-]*\.)?deploy\.static\.akamaitechnologies\.com/

3. Your exception has been added (1); move the slider to ON (2) to activate it.
[Screenshot: Sophos XG exception added]
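Because this exception skips the checks for everything it matches, it is worth confirming how narrowly the regex is scoped before saving it. The script below is an added example, not part of the original article or of Sophos tooling; it assumes the pattern is tested against host + path without the scheme, and the loose pattern and sample URLs are constructed for the comparison.

```python
import re
from urllib.parse import urlsplit

# Regex from the article, as entered in the exception.
ARTICLE_PATTERN = r"^([A-Za-z0-9.-]*\.)?deploy\.static\.akamaitechnologies\.com/"
# Constructed loose variant (not from the article): no ^ anchor, no trailing slash.
LOOSE_PATTERN = r"deploy\.static\.akamaitechnologies\.com"


def normalize(url):
    """Assumption: the exception regex sees host + path, without the scheme."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return parts.netloc.lower() + (parts.path or "/")


def bypasses_scan(pattern, url):
    """True if the exception would apply to this URL (scan skipped)."""
    return re.search(pattern, normalize(url)) is not None


# Constructed sample URLs. True = the exception is meant to cover it.
SAMPLES = {
    "http://deploy.static.akamaitechnologies.com/update.cab": True,
    "https://a1-2-3-4.deploy.static.akamaitechnologies.com/": True,
    # Lookalike host: extra label glued on with a hyphen, not a dot.
    "http://lookalike-deploy.static.akamaitechnologies.com/file.bin": False,
    # The trusted name used as a prefix of another domain.
    "http://deploy.static.akamaitechnologies.com.other.example/file.bin": False,
    # The trusted name appearing only in the path of another host.
    "http://other.example/deploy.static.akamaitechnologies.com/file.bin": False,
}


def audit(pattern):
    """Return the sample URLs where the pattern decides differently than intended."""
    return [u for u, want in SAMPLES.items() if bypasses_scan(pattern, u) != want]


if __name__ == "__main__":
    for name, pattern in (("article", ARTICLE_PATTERN), ("loose", LOOSE_PATTERN)):
        wrong = audit(pattern)
        print(f"{name}: {len(wrong)} unintended decision(s)")
        for url in wrong:
            print("   ", url)
```

The `^` anchor and the trailing `/` are what keep the article's pattern limited to the intended host and its subdomains; the loose variant would also exempt all three unrelated hosts from scanning.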

