
Custom IPS Signatures

Hi!

The IPS on one of our Sophos XGs is blocking Splashtop from connecting properly, and it's being blocked as 

Here is what I have done so far, but no luck.

FQDN Host

sn.splashtop.com - resolves 54.204.11.246, 50.19.125.112
splashtop.com - resolves 23.23.164.150, 50.17.197.204

FQDN Host Group
IPS_Ignore - added sn.splashtop.com and splashtop.com

Custom IPS Signature

Name: Splashtop
Protocol: TCP
Rule: srcaddr:54.204.11.246;srcaddr:50.19.125.112;srcaddr:23.23.164.150;srcaddr:50.17.197.204;
Severity: Warning
Action: Bypass

Custom IPS Policy

IPS_Ignore
Rule Name: Allowed_Traffic
Added Custom Signature : Splashtop
Action: Bypass Session

Created Firewall Rule: IPS:Allow
Position: Top
Source: WAN > FQDN HG IPS_Ignore
Destination: LAN > Any > TCP
Intrusion Prevention: IPS_Ignore

Hit save and nothing happens; the IPS log is still filling up with dropped packets.
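As an added check (not from the thread and not Sophos code), the script below parses the `srcaddr:…;` rule string from the post and compares it with what the FQDN hosts resolve to, so entries that have drifted away from DNS show up; the addresses are the ones quoted above, while the `resolve_live` resolver and the clause layout are assumptions.

```python
"""Cross-check a Sophos XG custom IPS signature rule string against the
FQDN hosts it is meant to cover. Added example, not Sophos code."""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed from the thread: FQDN -> addresses the poster saw at the time.
EXPECTED: Dict[str, List[str]] = {
    "sn.splashtop.com": ["54.204.11.246", "50.19.125.112"],
    "splashtop.com": ["23.23.164.150", "50.17.197.204"],
}

# The rule string exactly as posted (assumed 'key:value;' clause layout).
RULE = ("srcaddr:54.204.11.246;srcaddr:50.19.125.112;"
        "srcaddr:23.23.164.150;srcaddr:50.17.197.204;")


def parse_rule(rule: str) -> Dict[str, Set[str]]:
    """Parse 'key:value;' clauses into {key: {values}}; tolerates a trailing ';'."""
    out: Dict[str, Set[str]] = {}
    for part in filter(None, (p.strip() for p in rule.split(";"))):
        key, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed clause: {part!r}")
        out.setdefault(key, set()).add(value)
    return out


def resolve_live(fqdn: str) -> Set[str]:
    """IPv4 addresses the FQDN resolves to right now (assumed helper; uses the network)."""
    return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}


def check_coverage(rule: str, fqdns: Iterable[str],
                   resolver: Callable[[str], Iterable[str]] = resolve_live,
                   key: str = "srcaddr") -> Tuple[List[str], List[str]]:
    """Return (missing, stale): resolved IPs absent from the rule, and rule IPs
    that no FQDN currently resolves to. Either list being non-empty means the
    static signature has drifted from DNS and will silently stop matching."""
    listed = parse_rule(rule).get(key, set())
    live: Set[str] = set()
    for fqdn in fqdns:
        live |= set(resolver(fqdn))
    return sorted(live - listed), sorted(listed - live)


if __name__ == "__main__":
    # Offline run against the addresses from the thread; swap in resolve_live for DNS.
    print(check_coverage(RULE, EXPECTED, resolver=lambda f: EXPECTED[f]))
```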



  • I went a completely different route, pun intended, and erased everything that I did earlier.

    Here is my new configuration and it works fine now.

    FQDN Host

    sn.splashtop.com - resolves - 54.204.11.246, 50.19.125.112
    splashtop.com - resolves - 23.23.164.150, 50.17.197.204

    FQDN Host Group
    Allowed_FQDN - added sn.splashtop.com and splashtop.com

    Created Firewall Rule: Allowed:FQDN
    Position: Top
    Source: LAN > Any
    Destination: WAN > Allowed_FQDN > TCP
    Intrusion Prevention: none


    And voila, no more 17000 IPS alerts.

    You can also use this rule to add more sites, just add them to the Allowed_FQDN HG.

  • I had the exact same pattern of IPS alerts from the same signature with Splashtop.

    A little more detective work (aided by the Splashtop trigger), and I found that if I disabled the Splashtop update service, these IPS attack log entries went poof! Splashtop has a service that looks for a software update every minute. Not needed. Splashtop still works fine without it and the IPS log entries are gone :-)