
IPS Blocking legit traffic speedtest.net / IPS impacting performance even if IPS is not enabled in the rule

I get thousands of these alerts every time I use https://www.speedtest.net/

"Data sent on stream after TCP Reset received"

Does it make sense? How can I disable it or fix the issue?
The IP belongs to the service.

Is it a bug?


  • I gave up on that site because without an open firewall rule I only received latency errors.

    It needs its own rule without http/s scanning because it cannot cope with a proxy.

    Ian

  • I have applied this solution

    https://community.sophos.com/kb/en-us/133096

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/108353/ips-blocking-even-if-fw-rule-says-to-not/398962#398962

    Now not only do I not get those alerts, I have full speed on upload, 300 Mbps. With this setting enabled I got around 260 Mbps and thousands of alerts.

  • I can't find any documentation regarding this command

    system application_classification on/off/show

    Can we get more information about it?

  • Can I get additional information regarding this firewall feature that is not documented anywhere?

    system application_classification on/off/show

  • Ok, the mentioned microapp discovery is a different story. This is mainly used for further sub-classifying "apps" within web applications such as Facebook (chat, mail, post etc.).

    The global application classification is for all apps, not only the http/https ones. I don't know why cloud apps are still recognized (if there's no app rule in place at all, policy set to "none", and not "allow all"). Maybe this is collected differently to normal app control. I didn't try it....

  • Could you clarify this internally? Maybe it is a bug or something not properly implemented.

  • Can someone tell me what this command does exactly?

  • Hi  

    • In 16.5 MR4 and later, the term microapp has been removed from the administrator's UI, and the CLI system application_classification microapp-discovery is defaulted to off. In previous releases the Application Filter contained an Enable Micro App Discovery option and the system application_classification microapp-discovery was defaulted to on.
    • In 16.5 MR4 and later, applications using HTTPS (microapps) are detected based on the firewall's Decrypt & Scan HTTPS setting.
    • In 16.5 MR4 and later, the CLI system application_classification microapp-discovery is used for proof of concept. It forces all port 443 traffic to go through the proxy with HTTPS scanning on regardless of the Firewall Rule setting. It should be off for all normal production systems.
    • Turning on microapp discovery will cause the problem described in this KB.

    From: https://community.sophos.com/kb/en-us/125458

  • Look at what said, global application classification is different from what you are proposing.


    Ok, the mentioned microapp discovery is a different story. This is mainly used for further sub-classifying "apps" within web applications such as Facebook (chat, mail, post etc.).

    The global application classification is for all apps, not only the http/https ones. I don't know why cloud apps are still recognized (if there's no app rule in place at all, policy set to "none", and not "allow all"). Maybe this is collected differently to normal app control. I didn't try it....


  • The following is based on my understanding - and this is not my area of expertise.

    There are two concepts - monitoring and control. There is also IPS, DoS, Advanced Threat Protection, and Applications. All of these use snort.
    When you "turn off" all these features, you are turning off control. You are turning off taking action. You are not necessarily turning off monitoring.
    For example, with everything in the UI turned off, you will still see reporting telling you there was Skype traffic, etc. Because snort is still working, monitoring the data packets and reporting on it.

    As far as I know, in addition to turning off the features you can see in the UI, there is also a backend way of turning off the monitoring of applications. I do know the... order of precedence - in other words I don't know if turning this off supersedes the other configuration, or other impacts. Unfortunately for "can someone tell me what this command does exactly" I don't have a precise answer, it is not my area.

    system application_classification on/off/show

    Now application control actually has multiple ways of identifying applications - one is using snort, another is using the web proxy, and another is using certain cloud mechanisms. When the web proxy is used to determine applications in HTTPS that is called "microapp", which IMO is a stupid and confusing name - which is why we've eliminated it from the UI. Microapp monitoring (note I say monitoring and not control) is tied to web proxy configuration and cannot be turned on or off independently of the web proxy configuration. If the proxy can detect the application, it reports on it; there is no performance hit. The web proxy also reports on the category of the website and the filetype of the downloads even if you have no policy based on categories or filetypes, just as it reports on applications. The backend option "microapp-discovery" is a special proof of concept mode that forces certain things on; please leave it at the default off. Cloud application monitoring (and maybe control, I don't know) is also done outside of snort. The command (system application_classification on/off/show) is used by snort, it is not used by the web proxy, I don't know about other systems.

    I don't know if it helps but.... our snort does not decrypt SSL, such as within an HTTPS connection. So any monitoring or control that involves decrypted traffic is not done within snort. That is why when you get down to the implementation details microapps (web application) and cloud applications are slightly different from other applications. There is a balance of giving admins all the implementation details versus simplifying for management.

    So if performance is more important than reporting, you could turn application_classification off. Please note that this mode is very rarely used and therefore not as well understood/tested. You will find fewer support people who know it.

    However I want to go back to the premise.... Does the speedtest actually mean anything useful? Let's say that I buy a car that is advertised as being able to travel 200 km/h on the racetrack. Now I take that car over to a private racetrack and I only get 180 km/h. I find out that I can take out the back seat and get 200 km/h. Should I remove the back seat? No. Because I don't drive on racetracks. I drive on city streets; I'm limited to 120 km/h on the highway anyway.

    But we are not talking about cars here. We are talking about computer networks. In the real world how many times do you have a single client within your network downloading/uploading hundreds of MB/s? You don't. You have 20 clients or 200 clients downloading things at the same time and the aggregate of them all equals your total bandwidth. There are choices that are made within the XG that work better when there are many clients and work worse when there is a single client. Speedtest and other sites are great at single client tests, and they are absolutely a tool that you can look at and use. But they are not the source of truth for whether your end users are going to have their speed or bandwidth affected by the XG.
    If you are running into a real world bandwidth problem, you have a choice. Throw more hardware at it (upgrade to a bigger box) or have the software do less (turn off monitoring). But I would only do those things if I have a real world bandwidth problem. I wouldn't do that so I could score higher on a speedtest.

    Or to look at it another way - do you want to tune your XG to speedtest or to the real world? Speedtest can inform you about the real world but it isn't the same thing. Want to be faster? Turn off antivirus and speedtest will give you better results. Want to run in the real world with antivirus off? It depends on what you want your XG to do.