This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is Intrusion prevention working on XG Home?

I am using Sophos XG SFOS 17.5.12 MR-12 on an ESXi host (NUC in homelab) and have enabled an intrusion prevention policy on the network rule (LanToWan_strict).

After two weeks running not a single intrusion event is mentioned, not in the reports nor in the ips.log.

This led me to think the intrusion prevention is not working at all, because if I let the clients go through my Synology RT1900AC router, multiple events in Threat Prevention (Suricata based) are logged every day.

I have tried everything to get an intrusion event, and also tried different virtual network adapters (VMXNet3 and NE1000), but nothing seems to change. I have also done extensive searching on the internet but found no resolution.

Is Intrusion prevention even working on XG Home?



  • It is working; the difference here is that the Suricata ruleset, such as ET Pro, is different from XG's.

    You can test your XG IPS with CVE-2020-0601. Here: https :// curveballtest[.]com

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • Hi Prism,

     

    Thanks for your quick reply. I visited the website you mentioned, but still not a single event is logged on XG. If I download the file mentioned, it is detected by the local virus scanner on my client, but not by XG.

  • Do you have IPS enabled on your rules in XG?

    Show me the rule you created.

     

    Here it's working; this is what should appear in your IPS logs.

    Thanks!


