Is Intrusion prevention working on XG Home?

I am using Sophos XG SFOS 17.5.12 MR-12 on ESXi (NUC in my homelab) and have enabled an intrusion prevention policy on the network rule (LanToWan_strict).

After two weeks of running, not a single intrusion event is mentioned, neither in the reports nor in the ips.log.

This leads me to think the intrusion prevention is not working at all, because if I let the clients go via my Synology RT1900AC router, multiple events in Threat Prevention (Suricata based) are logged every day.

I have tried everything to get an intrusion event, and also tried different virtual network adapters (VMXNet3 and NE1000), but nothing seems to change. I have also done extensive searching on the internet, but found no resolution.

Is Intrusion prevention even working on XG Home?

  • It is working; the difference here is that the Suricata ruleset (such as ET Pro) is different from the one on XG.

    You can test your XG IPS with CVE-2020-0601. Here: https :// curveballtest[.]com

    Thanks!

  • Hi,

    the test Prism mentioned doesn't work on my XG either, but this is because the certificate is invalid and blocked before the connection is established.

    Could you check your TLS logs as well?

    Besides that: I'm having 1-2 IPS alerts per year coming from WAN. However, my NAS with SMB shares is creating some false positives.

    Best Regards

    Dom

  • Hi Dom,

    I have unchecked "block on invalid certificates", and then the connection goes through; however, no IPS event is logged.

  • I added a TLS cert check exception for that domain and now it works. The website itself loads completely and displays that you are not vulnerable, so no blocking of the website by the XG occurs as you might expect.

    Therefore one idea from my side: Maybe your logging (and mail alerting) for IPS is disabled? (System Services --> Log Settings --> 2 checkboxes for IPS)
