TL;DR: since firmware SFOS 16.01.1 the IPS service dies and keeps restarting. This is probably the reason why the service cannot initialise:
/bin/snort: /lib/libcrypto.so.1.0.0: no version information available (required by /bin/snort)
Related/Relevant forum threads:
[1] Upgrade Sophos XG from SFOS15 to SFOS16 and "lost internet access". Reverting back to SFOS15 as well as disabling the IPS service fixed it. community.sophos.com/.../315511
[2] "IPS keeps restarting". community.sophos.com/.../version-16-beta-5-and-ga-ips-keeps-restarting
--
Hi there,
Upgraded my Sophos XG Firewall (from SFOS 15.x) to version SFOS 16.01.2. After the upgrade no changes were made to the configuration. Shortly after the upgrade I found out that all incoming and outgoing traffic is blocked. I have traced it back to the IPS service. Stopping this service results in traffic being allowed.
IPS
Nothing shows up in my log file (log viewer) even though IPS logging is enabled. Also, the IPS status reports that 0 packets are dropped. I disabled the IPS policy for the rules on which the firewall should hit, but that is not making any sense.
Firewall
The firewall is blocking the traffic because it is 'invalid traffic'.
Using the device console I have dumped some traffic on the network. Below is an example packet (that is blocked):
2016-12-25 16:36:57 0102021 IP 172.17.29.3.33533 > 5.153.231.35.80 : proto TCP: P 3441838487:3441838649(162) win 229 checksum : 52802
0x0000: 4500 00d6 4fab 4000 4006 34a6 ac11 1d03 E...O.@.@.4.....
0x0010: 0599 e723 82fd 0050 cd26 4997 2a9a a931 ...#...P.&I.*..1
0x0020: 8018 00e5 ce42 0000 0101 080a 0011 5bc2 .....B........[.
0x0030: 110f 6655 4745 5420 2f64 6562 6961 6e2f ..fUGET./debian/
0x0040: 6469 7374 732f 6a65 7373 6965 2f49 6e52 dists/jessie/InR
Date=2016-12-25 Time=16:36:57 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port6 out_dev= inzone_id=0 outzone_id=0 source_mac=32:64:36:64:38:38 dest_mac=36:65:61:65:39:36 l3_protocol=IP source_ip=172.17.29.3 dest_ip=5.153.231.35 l4_protocol=TCP source_port=33533 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A >
What can be the cause? Any help is appreciated.
Regards, Ilias
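The log entry quoted in the post is a Sophos XG key=value line where the decisive fields are log_component=Invalid_Traffic, log_subtype=Denied and fw_rule_id=0 (the drop matched no firewall rule at all, which is what you would expect when a broken IPS/inspection stage rejects the packet rather than a policy). The following script is an added example, not code from the post or from Sophos: it parses such lines (including the empty out_dev= value and the trailing ">") and counts unmatched Invalid_Traffic denials per flow, so an administrator can confirm from the log viewer export that the symptom is a firewall-wide drop rather than a rule hit. The sample lines are constructed; the first one reproduces the entry from the post, the others are made-up variants in the same format.

```python
import re
from collections import Counter

# Constructed sample log lines in Sophos XG (SFOS) key=value format.
# Line 1 reproduces the Invalid_Traffic entry quoted in the post; the
# rest are invented variants to exercise the detection logic.
SAMPLE_LOGS = [
    "Date=2016-12-25 Time=16:36:57 log_id=0102021 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied log_status=N/A "
    "log_priority=Alert duration=N/A in_dev=Port6 out_dev= inzone_id=0 "
    "outzone_id=0 source_mac=32:64:36:64:38:38 dest_mac=36:65:61:65:39:36 "
    "l3_protocol=IP source_ip=172.17.29.3 dest_ip=5.153.231.35 l4_protocol=TCP "
    "source_port=33533 dest_port=80 fw_rule_id=0 policytype=0 ips_id=0 "
    "tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A >",
    # constructed: same client retrying the same flow, dropped again
    "Date=2016-12-25 Time=16:37:03 log_id=0102021 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied log_priority=Alert "
    "in_dev=Port6 out_dev= l3_protocol=IP source_ip=172.17.29.3 "
    "dest_ip=5.153.231.35 l4_protocol=TCP source_port=33534 dest_port=80 "
    "fw_rule_id=0 ips_id=0 tran_dst_port=N/A >",
    # constructed: a normal rule-based allow, must not be flagged
    "Date=2016-12-25 Time=16:37:10 log_id=0100001 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Allowed log_priority=Information "
    "in_dev=Port6 out_dev=Port1 l3_protocol=IP source_ip=172.17.29.7 "
    "dest_ip=192.0.2.10 l4_protocol=UDP source_port=51000 dest_port=53 "
    "fw_rule_id=3 ips_id=1 tran_dst_port=N/A >",
]

# key=value tokens; values may be quoted, empty (out_dev=) or contain ':'.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_sfos_line(line: str) -> dict:
    """Turn one SFOS log line into a dict of string fields."""
    body = line.strip()
    if body.endswith(">"):          # SFOS terminates the record with ' >'
        body = body[:-1].rstrip()
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(body)}


def is_unmatched_invalid_drop(event: dict) -> bool:
    """True for Invalid_Traffic denials that matched no firewall rule (fw_rule_id=0)."""
    return (
        event.get("log_type") == "Firewall"
        and event.get("log_component") == "Invalid_Traffic"
        and event.get("log_subtype") == "Denied"
        and event.get("fw_rule_id") == "0"
    )


def summarise(lines, threshold: float = 0.5) -> dict:
    """Count unmatched invalid-traffic drops and the flows they hit.

    'suspect_inspection_failure' is set when more than `threshold` of all
    firewall events are rule-less Invalid_Traffic drops, i.e. the pattern
    seen when an inspection stage (here the IPS) is rejecting everything.
    """
    events = [parse_sfos_line(line) for line in lines]
    drops = [e for e in events if is_unmatched_invalid_drop(e)]
    flows = Counter((e["source_ip"], e["dest_ip"], e["dest_port"]) for e in drops)
    ratio = len(drops) / len(events) if events else 0.0
    return {
        "total": len(events),
        "invalid_drops": len(drops),
        "drop_ratio": ratio,
        "top_flows": flows.most_common(5),
        "suspect_inspection_failure": ratio > threshold,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOGS)
    print(f"{report['invalid_drops']}/{report['total']} events are rule-less Invalid_Traffic drops")
    for (src, dst, port), n in report["top_flows"]:
        print(f"  {src} -> {dst}:{port}  x{n}")
    if report["suspect_inspection_failure"]:
        print("most traffic is dropped without a rule match: check IPS service health")
```

Run it against an export from the log viewer (one record per line) instead of SAMPLE_LOGS; a high share of fw_rule_id=0 Invalid_Traffic drops across unrelated flows points at the inspection path, which matches the post's observation that stopping the IPS service lets traffic through.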