
IPS Not working at all?

Hello,

I have an Astaro home use license, and I am having trouble getting IPS to work.  I have my internal network listed in the "Local networks" list, but I am seeing NO hits at all on my system in the IPS logs.  This seems odd to me, because back when I was using another firewall product, I got hits all the time on Snort.  Have I set up something wrong?  I am somewhat of a noob to the firewall scene, but I am a software engineer, so I am computer literate, and can provide any additional details if necessary.

Picture of setup:


Picture of logging:


  • Remove the internal network and replace it with your external network.

    Ian, you don't mean to put the external network in 'Local networks' in 'Intrusion Prevention', do you?  I did that at one customer site back when I first started doing this, and they consistently got locked up during busy times.  It was not my finest hour!

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Do NOT put your external network in the Local Networks list... the OP's config, at least on that screen, is correct.

    It's not too unusual to go for a while without a rule being tagged, especially if you aren't publishing typical targets, like websites, to the outside world.  If you want to verify if it's doing its job, run a portscan against it from one of the free sites... you will probably see the Portscan rule getting triggered (if you have portscan enabled)... or if you have access to vulnerability testing tools, run them against your external interface.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Hi Guys,
    suitably chastised.

    I have had my external network in the IPS for many months, it is the only time I get IPS alerts.
    Nothing locks up or locks me out, the cpu runs under 1%, memory runs about 40% of 1900mb.
    This is with 4 or 5 users, most proxies and time managed packet filters and proxies in place.

    Ian M
  • RFCKat, that internal networks setting has a bearing on how the IPS rules are evaluated, that's why it's important that it's set right.  Sorry if my post sounded harsh (didn't mean it to be so).

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
