
IPS blocking even if FW rule says to not

Hi,

Firmware : SFOS 17.1.3 MR-3

Sophos support are not able to solve issues related to signature 15 (Potentially bad traffic). We are having issues with an Amazon service and Crashplan presently. Not sure if related to Pattern update or recent firmware upgrade.

As an example: 

Crashplan is used to back up a server's files to the cloud and IPS is blocking it. So I created a rule (LAN,ANY >> WAN,*.crashplan.com) and I set all protections (Scan HTTP, IPS, Web Policy) to "none". The log shows that traffic to this web site goes through this new rule but IPS is still blocking it.

Am I the only one having this issue?

Tks



  • Hi Speatech,


    I have had the same issue with MULTIPLE clients and the XG firewall now on 17.1.3 MR-3. I have had to call Sophos Support multiple times and each time it was this IPS Signature 15 error. They are calling it an "anomaly" detection.  The issue is I have not heard anything from Sophos regarding a patch for this, even though Support is calling it a "known bug".

    Would love to hear from Sophos. 

  • Can you share some insight into this? Logviewer screenshots etc.?

    Would like to see this. 

  • Hi

    Apologies for this inconvenience,

    Does your log viewer look like this?

    Please also PM me with your support case ID as I am following up with our team regarding this.

    [Update] This is being investigated under the issue ID: NC-39687. We will be publishing more information shortly, please stay tuned.

    Regards,

  • Hello, I have seen the same error on some firewalls after the update to 17.1.3. Tips like adjusting the TCP / UDP timeout did not help.


    My current workaround is, if you do not use an IPS policy, create one which allows the packets as a measure name and add them to the firewall rules.


    At least I no longer have the error, my log is clean and SFM shows no more critical IPS status on 8 appliances.


    Hope it helps others too until the fix comes.


    EDIT: 

    So because I still get the message "reset outside window" on some appliances despite the IPS rules, I compared these with those who no longer receive this message.

    Here I noticed the entry "var DETECT_ANOMALIES" under ips_conf in the CLI.

    As already written in another thread, I deactivated this one and it was good. Since that is rest

  • Tks for the tips, Pascal


    We have created a policy to allow these packets but we are not thrilled by this. We need to secure our network thoroughly and we are doing the opposite by doing that. It is not the first time that we are using a workaround to cover an IPS issue and we are starting to have ??? about Sophos IPS.

    Let's hope they correct the issue soon.

  • Please take a look at this KBA which has been published for this issue.

    If you have attempted the instructions outlined in this KBA, please send me a PM with your results.

    Regards,

  • hehe. So what I had already found out on Sunday. My pleasure ;). Just fun

  • What is the impact of disabling this? Worse security? What are we really disabling? Is this a workaround of a known bug?

  • Hi

    This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

    These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

    Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,
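As an added illustration of the "RST outside window" check behind this signature, here is a small model written for this thread (not Sophos's implementation): the IPS keeps its own estimate of a flow's receive window, and a RST whose sequence number falls outside that estimate is either dropped (detect_anomalies enabled) or forwarded so the endpoint's TCP stack decides (detect_anomalies disabled). The flow state and sequence numbers are constructed sample values.

```python
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence numbers wrap at 2^32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test, modulo 2^32:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


@dataclass
class FlowState:
    """The middlebox's *view* of one direction of a TCP flow (constructed)."""
    rcv_nxt: int            # next sequence number the IPS thinks the receiver expects
    rcv_wnd: int            # receive window the IPS last saw advertised
    detect_anomalies: bool = True  # models 'set ips tcp_option detect_anomalies'


def handle_rst(flow: FlowState, seq: int) -> str:
    """Disposition of a RST segment carrying sequence number `seq`.
    'pass'         : in window, forwarded normally
    'drop'         : outside window and anomaly detection on (IPS blocks it)
    'pass-to-host' : outside window but forwarded; host OS applies its own check"""
    if seq_in_window(seq, flow.rcv_nxt, flow.rcv_wnd):
        return "pass"
    return "drop" if flow.detect_anomalies else "pass-to-host"


def stale_tracking_scenario(detect_anomalies: bool) -> str:
    """Why a *valid* RST can be dropped: if the IPS missed data segments (e.g. it
    did not see 20000 bytes the server already accepted), its rcv_nxt lags the
    real one, and the peer's correct RST lands outside the stale window."""
    tracked = FlowState(rcv_nxt=1000, rcv_wnd=8192, detect_anomalies=detect_anomalies)
    real_rcv_nxt = 1000 + 20000          # what the endpoint actually expects
    return handle_rst(tracked, real_rcv_nxt)  # "drop" when detection is on


if __name__ == "__main__":
    print(handle_rst(FlowState(1000, 8192), 1000))              # pass
    print(stale_tracking_scenario(detect_anomalies=True))       # drop
    print(stale_tracking_scenario(detect_anomalies=False))      # pass-to-host
```

The last case is the situation the thread describes: the endpoint would have accepted the RST, but the inline anomaly check rejects it on the strength of the firewall's own stale bookkeeping.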