Sophos IPS still applies certain critical rules without policy assigned

I've heard that IPS is what implements DOS, as one example. It's not inconceivable that other features are implemented via IPS, including filtering traffic that is out of spec or internally dangerous to the firewall itself. Why make their own specialized code when they can use Snort which will be much more tested, featureful, and performant than custom code?

Seems reasonable to me.

I've heard that IPS is what implements DOS, as one example. It's not inconceivable that other features are implemented via IPS, including filtering traffic that is out of spec or internally dangerous to the firewall itself. Why make their own specialized code when they can use Snort which will be much more tested, featureful, and performant than custom code?

Seems reasonable to me.

Thanks for the response.  Perhaps I should have pressed the support person more to back up what they've said. I did press a bit and asked about if these were logged or documented anywhere.  He said not documented that he knew of, but they should be logged in the IPS log.

My question is - is that statement  true.  Perhaps support was referring to DDoS blocking or some other aspect of security.  Though he did specifically say critical signatures would just be attempted to be blocked.  When it comes to firewall behavior I really don't like this ambiguous answer.  Where can I go to configure this hidden behavior?  Nowhere I know of.  What it you needed to turn it off for some reason?  Not really easy to test since I would have to remove all IPS protections and see what comes into the logs still.

It doesn't bother me much... Then again I'm not supporting 200 people or anything, so I'll probably not hit edge cases where a hidden behavior is affecting only two users and my feet are being held to the fire.

Conceptually, I do prefer that Sophos use a well-known, robust tool like Snort for multiple features rather than rolling their own mini-Snorts for miscellaneous little tasks. I've not yet run into any issues where the answer was a hidden action. I wonder if the drop-packet-capture utility would let you see what's going on even in obscure cases. THAT CLI command should be much better documented.

At least some hidden behaviors may be hidden because it's very difficult to understand the ramifications of turning them on or off. So theoretically it'd be nice for there to be nothing hidden, I'm not as expert at the Life of a Packet and other dependencies that could subject the network or even the appliance to attack if I do something ill-advised.

It's fine if they use Snort, and yup drop-packet-capture and tcpdump are goto's when the logs fail to show whats going on.

I noticed along the right side this forum post in the suggested section this: https://community.sophos.com/sophos-xg-firewall/f/discussions/113899/ips-disabled-however-rules-still-seem-to-be-being-applied which to my surprise seems to talk about what I'm posting about here.  Though they refer to another forum post which is no longer present.  Seems like this behavior is indeed true or was true.  According to that post though, they may have changed this behavior over the course of system upgrades.  My setting for DETECT_ANOMALIES is set to "no".  I suppose then it will always follow whats in the IPS rules.

A little more digging and I found that they changed this setting to "no" in update 17.1 MR4.  I think that about does it for this post.  This XG cluster is critical to our security and I find its always better to try and understand these loose ends rather than be bit later by them :).