
How to disable IPS for LAN->VPN traffic?

Hi!

Does anyone know if I can completely disable IPS for LAN->VPN traffic? I'm running a network monitoring tool which pings a few dozen hosts inside my LAN and the XG somehow identifies this as a network attack / intrusion, resulting in about 1000 "reconnaissance" and related ICMP attacks a day.

If I take a look at the statistics, it clearly states that the "attackers" as well as the "victims" are either LAN->VPN or VPN->LAN.

My firewall rules for this kind of traffic (LAN->VPN, VPN->LAN and even VPN<->VPN) don't use any intrusion prevention template...

Thanks for any help!



  • I suspect you are running not into an IPS template in the sense that you have not attached a policy to the rule, however the IPS Engine is used to monitor for DoS Attacks.

    There are a few options here but your main options are

    - adjust the ICMP/ICMPv6 Flood detection settings so that your network monitoring tool does not trip the DoS Protection

    - it might be you are not hitting the rate monitoring but being caught out by one of the other DoS Protection features such as Disable ICMP/ICMPv6 Redirect Packet or Dropped Source Routed Packets

    - you also have the option of creating a DoS Bypass Rule for your network monitoring tool

    These settings can be found under System > System Services > DoS & Spoof Protection

    Check the Log Files to see if they give you more information about the events.

  • Hello Leon,

    thanks for your suggestions. I've decided it would be easiest to create DoS Bypass Rules for the network directly behind the XG as well as for the two networks which are connected to my XG using an IPsec VPN.

    Unfortunately, the effect remains the same: I'm still getting about 15k ICMP PING and 15k ICMP Echo Reply "attacks", equally originating from a webserver behind the XG (private IP) and the VMware ESXi server on which the XG is running (public IP)...

    Is there anything else I can try out?

    Updating to MR2 didn't solve this problem...

  • Were you able to get this resolved? We are experiencing a very similar issue, and it appears as though the bypass rules do not affect anything. We have all IPS configured to disabled, and extreme flood numbers, yet ICMP is still being caught as DoS.

  • Sorry, didn't fix this yet. I hope that it gets fixed in v16

  • Hi and Welcome to the Sophos Community,

    Leon's suggestion on this thread is the solution. In case you still discover ICMP flood, then you must run a full AV scan on the servers from where the ICMP attacks are originating. This behavior can be caused by a malware infection, and that becomes a local network issue which should be diagnosed asap.

    Thanks

  • As stated above by the original poster and myself, Leon's suggestion does NOT work in this case. This is not a malware infection. Any machine on our network which connects to our webservers over VPN will trigger the false DoS attack and there is NO means within Sophos XG to allow the traffic through. I have an open case with Sophos already, which has been escalated twice with no resolution. I came here looking for assistance. Do NOT post false responses to serious issues.

  • Can you provide me the case# raised with support? I will look into the case and coordinate with Support to achieve a conclusion. Alongside, we would never share any false information on the forum as this will be globally transparent.

    Your patience will be appreciated.

  • I spoke with the assigned technician last night. He suggested it may be the IPS prefilter dropping packets, which would happen regardless of IPS policy or bypass rules. He is submitting to the development team for a fix. My case number is: 6387844
