
How to disable IPS for LAN->VPN traffic?

Hi!

Does anyone know if I can completely disable IPS for LAN->VPN traffic? I'm running a network monitoring tool which pings a few dozen hosts inside my LAN, and the XG somehow identifies this as a network attack / intrusion, resulting in about 1000 "reconnaissance" and related ICMP attacks a day.

If I take a look at the statistics, it clearly states that the "attackers" as well as the "victims" are either LAN->VPN or VPN->LAN.

My firewall rules for this kind of traffic (LAN->VPN, VPN->LAN and even VPN<->VPN) don't use any intrusion prevention template...

Thanks for any help!


This thread was automatically locked due to age.
  • I suspect you are not running into an IPS template in the sense that you have not attached a policy to the rule; however, the IPS Engine is also used to monitor for DoS attacks.

    There are a few options here, but your main options are:

    - adjust the ICMP/ICMPv6 Flood detection settings so that your network monitoring tool does not trip the DoS Protection

    - it might be that you are not hitting the rate monitoring but are being caught out by one of the other DoS Protection features, such as Disable ICMP/ICMPv6 Redirect Packet or Dropped Source Routed Packets

    - you also have the option of creating a DoS Bypass Rule for your network monitoring tool

    These settings can be found under System > System Services > DoS & Spoof Protection.

    Check the Log Files to see if they give you more information about the events.
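
As an added illustration of the last two points in the reply above (this is editor-supplied example code, not part of the original post and not Sophos's own tooling), the script below aggregates constructed DoS-protection style log lines per source host. The log line format, the host addresses and the 10 packets-per-second threshold are all assumptions made for the example; the XG's real log syntax and flood thresholds differ. It answers the two questions a practitioner wants from the logs: which host's peak per-second ICMP rate would trip a rate-based flood check, and whether drops are attributed to the rate check at all or to another DoS feature such as source-routed packet handling.

```python
"""Aggregate constructed DoS-protection log lines by source host.

Editor-added example. The line format below is a placeholder constructed
for this illustration, NOT the firewall's real log format, and the
threshold passed to flood_offenders() is an assumed value.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Placeholder log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"type=(?P<type>\d+) action=(?P<action>\S+) reason=(?P<reason>\S+)$"
)


def _line(ts, src, dst, icmp_type, reason):
    """Build one constructed log line in the placeholder format."""
    return (f"{ts} src={src} dst={dst} proto=ICMP type={icmp_type} "
            f"action=drop reason={reason}")


# Constructed sample: a monitoring host sweeping 12 targets within one
# second, a second host pinging twice, and one packet dropped for a
# non-rate reason. All addresses are made up.
SAMPLE_LOG = "\n".join(
    [_line("2024-01-01 10:00:00", "10.1.1.5", f"10.2.0.{i}", 8, "icmp_flood")
     for i in range(1, 13)]
    + [_line("2024-01-01 10:00:01", "10.1.1.20", "10.2.0.1", 8, "icmp_flood"),
       _line("2024-01-01 10:00:01", "10.1.1.20", "10.2.0.2", 8, "icmp_flood"),
       _line("2024-01-01 10:00:02", "10.1.1.30", "10.2.0.9", 8, "source_routed")]
)


def parse_events(text):
    """Parse placeholder-format lines into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["type"] = int(d["type"])
        events.append(d)
    return events


def reasons_by_source(events):
    """Count drop reasons per source.

    Separates rate-based drops (icmp_flood) from drops caused by other
    DoS features, which is the distinction the reply above points at.
    """
    out = defaultdict(Counter)
    for e in events:
        out[e["src"]][e["reason"]] += 1
    return {src: dict(c) for src, c in out.items()}


def peak_pps(events, src):
    """Highest number of ICMP events from `src` seen in any one second."""
    per_second = Counter(e["ts"] for e in events
                         if e["src"] == src and e["proto"] == "ICMP")
    return max(per_second.values(), default=0)


def flood_offenders(events, threshold_pps):
    """Sources whose peak per-second rate reaches an assumed flood threshold."""
    sources = {e["src"] for e in events}
    return sorted(s for s in sources if peak_pps(events, s) >= threshold_pps)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("drop reasons per source:", reasons_by_source(evts))
    print("sources at/above 10 pps (assumed threshold):", flood_offenders(evts, 10))
```

Run against a real export, the two outputs tell you which direction to take: a host listed by `flood_offenders` is a candidate for a raised flood threshold or a bypass rule, while a source whose drops carry a reason other than the rate check will not be helped by either of those and needs that specific feature looked at instead.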

  • Hello Leon,

    thanks for your suggestions. I've decided it should be easiest to create DoS Bypass Rules for the network directly behind the XG as well as for the two networks which are connected to my XG using an IPsec VPN.

    Unfortunately, the effect remains the same: I'm still getting about 15k ICMP PING and 15k ICMP Echo Reply "attacks", originating equally from a webserver behind the XG (private IP) and the VMware ESXi server which the XG is running on (public IP)...

    Is there anything else I can try out?

    Updating to MR2 didn't solve this problem...

  • Were you able to get this resolved? We are experiencing a very similar issue, and it appears as though the bypass rules do not affect anything. We have all IPS configured as disabled, and extreme flood numbers, yet ICMP is still being caught as DoS.