Windows 11 HTTPS traffic to tse1.mm.bing.net seen in WatchGuard logs

drnetdrnet
in Firebox - Proxies

Hello,
I am analyzing some HTTPS traffic detected by a WatchGuard firewall from a few Windows 11 PCs.

In the logs I can see allowed connections to 150.171.27.10 and 150.171.28.10, with:

sni="tse1.mm.bing.net"
cn="*.mm.bing.net"
traffic identified as SSL/TLS

The traffic starts at the same time from multiple Windows 11 hosts on the LAN, so it looks more like a Windows system component than a manually installed application.

I would like to ask whether anyone has already seen this behavior and can confirm whether it is normally related to:

Windows 11 Widgets
Windows Search / Bing Search
Spotlight or other Microsoft services

Does anyone have direct experience with this kind of log in WatchGuard?
Have you identified with certainty which Windows process or feature generates these connections?

Thank you.Cris

Comments

  • Bruce_BriggsBruce_Briggs

    From a Google search - AI Overview:

    "se1.mm.bing.net is a legitimate subdomain owned by Microsoft, primarily used for hosting and serving image thumbnails (thumbnails search engine, or "tse") for the Bing search engine."

  • drnetdrnet

    Hi Bruce, thanks for the information. I had already seen that as well, but the reason I am writing is that I only have 2 PCs behind a T40 and the firewall load is reaching 100%.

    I noticed that if I disable DPI and then enable it again, the load goes back to normal values. So at first I thought this traffic might be the cause, but actually I do not think that is the case. I now suspect there may be an issue with DPI or with the inspection process itself.

  • drnetdrnet

    Also for this reason, this is already the third firewall showing the same behavior, including my own T85.

  • Bruce_BriggsBruce_Briggs

    What Fireware versions are on your firewalls?
    I have DPI enabled on my T125 running 2026.2, and I do not have a load issue.

    Have you looked at your Process List, to see what component is causing the high load?

    Web UI - System Status > Processes
    Firebox System Manager -> Status report -> Process list section

  • drnetdrnet

    V12.12.B733447 latest, i will check

  • drnetdrnet

    Hi Bruce,
    after disabling and re-enabling Deep Inspection, the issue has not reappeared on any of my firewalls so far. We’ll monitor the situation moving forward.
    Thanks again, and best regards.

Sign In to comment.