IPS blocking even if FW rule says to not

Hi,

Firmware : SFOS 17.1.3 MR-3

Sophos support are not able to solve issues related to signature 15 (Potentially bad traffic). We are having issues with an Amazon service and Crashplan presently. Not sure if related to Pattern update or recent firmware upgrade.

As an example: 

Crashplan is used to back up a server's files to the cloud and IPS is blocking it. So I created a rule (LAN,ANY>>WAN,*.crashplan.com) and I set all protections (Scan HTTP, IPS, Web Policy) to "none". The log shows that traffic to this web site goes through this new rule but IPS is still blocking it.

Am I the only one having this issue?

Tks



This thread was automatically locked due to age.
  • Hi  

    Apologies for this inconvenience,

    Does your log viewer look like this?

    Please also PM me with your support case ID as I am following up with our team regarding this.

    [Update] This is being investigated under the issue ID: NC-39687. We will be publishing more information shortly, please stay tuned.

    Regards,

  • Hello, I have seen the same error on some firewalls after the update to 17.1.3. Tips like adjusting the TCP / UDP timeout did not help.

     

    My current workaround is, if you do not use an IPS policy, create one which allows the packets as a measure name and add them to the firewall rules.

     

    At least I no longer have the error; my log is clean and SFM shows no more critical IPS status on 8 appliances.

     

    Hope it helps others too until the fix comes

     

    EDIT: 

    So because I still get the message "reset outside window" on some appliances despite the IPS rules, I compared these with those who no longer receive this message.

    Here I noticed the entry "var DETECT_ANOMALIES" under ips_conf in the CLI.

    As already written in another thread I deactivated this one and it was good. Since that is rest

  • Tks for the tips Pascal

     

    We have created a policy to allow these packets but we are not thrilled by this. We need to secure our network thoroughly and we are doing the opposite by doing that. It is not the first time that we are using a workaround to cover an IPS issue and we are starting to have ??? about Sophos IPS.

    Let's hope they correct the issue soon.
