
IPS blocking even if FW rule says to not

Hi,

Firmware : SFOS 17.1.3 MR-3

Sophos support are not able to solve issues related to signature 15 (Potentially bad traffic). We are having issues with an Amazon service and Crashplan presently. Not sure if related to Pattern update or recent firmware upgrade.

As an example: 

Crashplan is used to back up a server's files to the cloud and IPS is blocking it. So I created a rule (LAN,ANY>>WAN,*.crashplan.com) and I set all protections (Scan HTTP, IPS, Web Policy) to "none". The log shows that traffic to this web site goes through this new rule but IPS is still blocking it.

Am I the only one having this issue?

Tks



  • Hi  

    This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

    These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

    Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,
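
As a general TCP illustration of what "RST packets received outside of window" means (an added example, not part of the original reply and not Sophos's detection logic), the sketch below classifies a RST by comparing its sequence number with the receiver's window, following the handling described in RFC 5961. The function names and sample values are constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Classify an incoming RST by its sequence number (RFC 5961 handling)."""
    if seq % MOD == rcv_nxt % MOD:
        return "exact-match"    # receiver resets the connection
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "in-window"      # receiver answers with a challenge ACK
    return "out-of-window"      # receiver discards the segment


# Constructed samples: (label, RST sequence number, RCV.NXT, RCV.WND)
SAMPLES = [
    ("exact",   1000,  1000,       65535),
    ("inside",  30000, 1000,       65535),
    ("stale",   900,   1000,       65535),  # behind the left window edge
    ("beyond",  66535, 1000,       65535),  # one past the right window edge
    ("wrapped", 100,   4294967000, 65535),  # window spans the 2**32 wrap
]


def run_samples():
    """Return {label: classification} for the constructed samples."""
    return {label: classify_rst(seq, nxt, wnd)
            for label, seq, nxt, wnd in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:8s} {verdict}")
```

The "wrapped" sample shows why the comparison must be done modulo 2**32: a plain integer comparison would misclassify a valid in-window RST as an anomaly.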
