This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is Intrusion prevention working on XG Home?

I am using Sophos XG SFOS 17.5.12 MR-12 on a esxi (Nuc in homelab) and have enabled an intrusion prevention policy on the network rule (LanToWan_strict).

After two weeks running not a single intrusion event is mentioned, not in the reports nor in the ips.log.

This leaved me to think the intrusion prevention is not working at all, because if I let the clients go by my Synology RT1900AC router, multiple events in Thread Prevention (surricata based) are logged every day.

I have tried everything to get an intrusion event, and also tried different virtual networkadapters (VMXNet3 and NE1000), but nothing seems to change. Also if done extensive searching on the internet but no resolution found.

Is Intrusion prevention even working on XG Home?

This thread was automatically locked due to age.

Parents

0 Prism over 5 years ago

It is working, the difference here is, the suricata ruleset such as ET pro is different from XG.

You can test your XG IPS with CVE-2020-0601. Here: https :// curveballtest[.]com

Thanks!

If a post solves your question use the 'Verify Answer' button.

XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Prism

That site uses an expired CA. so fails SSL connections.

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Prism over 5 years ago in reply to rfcat_vk

The certificate is just expired, you can just accept the error message on your browser and continue.

If a post solves your question use the 'Verify Answer' button.

XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Prism

Hi Prism,

just expired at the end of April 2020.

No option to continue because it is blocked by the XG, not the browser.

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to rfcat_vk

You could create a custom IPS Pattern and load it.

Try to match something like ICMP and a IP and ping this IP, if IPS blocks this, it certainly is active.

https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/IpsCustomSignatureEdit.html

Be sure to add this IPS Signature to your IPS Rule.

Simply ping this IP and look at the IPS Log.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to LuCar Toni

Hi,

I know it works, just some of the reports are a little difficult to be sure that it works. Also I like to try some of the testing sites that people throwup just to make sure that various changes i have made are not having an adverse affect on firewall security.

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Dom Nik over 5 years ago in reply to rfcat_vk

A little bit offtopic, but my XG does not show a error message like this. Instead Safari says „page cannot be displayed“. Is this a difference between IPS SSL inspection (my config) and web proxy mode?

Best Regards

Dom
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Dom Nik over 5 years ago in reply to rfcat_vk

A little bit offtopic, but my XG does not show a error message like this. Instead Safari says „page cannot be displayed“. Is this a difference between IPS SSL inspection (my config) and web proxy mode?

Best Regards

Dom
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Prism over 5 years ago in reply to Dom Nik

He's using v18 with the new DPI Engine, that message appears for him, because he is blocking expired certificates directly on XG.

You can do this with your own Decryption Profile.

Thanks!

If a post solves your question use the 'Verify Answer' button.

XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.
Cancel
Vote Up 0 Vote Down

Cancel
0 Dom Nik over 5 years ago in reply to Prism

Yes, I habe the same settings, too.

Strange...

Update:

The block action for the decryption profile must be „reject & notify“, mine was „reject“. Sorry for disturbing the main topic here.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 5 years ago in reply to Prism

Hi Prism,

I am using https decrypt and scan, not the DPI for general device internet access because you cannot block or review some functions with the DPI.

It is a function of the web -> general access settings to block invalid certificates.

Ian

XG115W - v19.5.1 mr-1 - Home

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel