ESA huge amount of traffic on external Interface via Port 80

MAT90
Level 1

Hi everyone,

We're using a single ESA C300V with around 1100 users. Our network team detected a huge amount of traffic on the ESA's external interface (from/to Internet) on Port 80 and on Layer 7 "web-browsing" and asked me what's going on there.

As our network guys told me:

- Within the last 30 days the firewall counter was 11.7 TB data but even they don't want to believe that's true ... (or rather a bug from the counter)

- All traffic seems to go to Akamai Technologies (don't 100% rely on that)

- There are two behaviors (as can be seen on the screenshots)

  1. A smaller amount sent from the IronPort, but around 20 times the sent bytes coming back (e.g. Sent 111 k, Receive 2.3 M / Sent 1.1 M, Receive 21.9 M)
  2. A larger amount sent, 10-40 M, from the IronPort, receiving >400 M to 940 M

For doing some AV signature updates and such things, these requests are way too large. There was no firmware update done (which might be even larger than those received amounts) and this is a regular behavior we can see for a long period of time. My guess: could it be the External Threat Feeds? I paused that to see some change, but it will take a while though.

Appreciate every idea, help and information and thanks in advance!

MAT
