
IPS Global Setting

Can someone please explain or point me to a reference of how Astaro processes network traffic? It seems a bit strange to me that we are supposed to specify which Local networks we want to protect.

What would happen if I specified my external Internet facing addresses in the Global IPS settings Local network config?

Thx


  • Not sure, but maybe the Image attached can help you anyhow...

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • "What would happen if I specified my external Internet facing addresses...?" [:D] I've made that mistake!  This causes a lockup of your CPU as conntrack and packetfilter (firewall) block a lot of traffic before it ever gets to IPS.  #2 in Rulz provides a useful summary of the chart although it doesn't answer your question here.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I specified both of my external Internet facing addresses and it did NOT lock up anything. In fact, I ran in the configuration for months and IPS appeared to function properly blocking anywhere from zero to a couple hundred attacks a month.
  • Most organizations don't want to spend extra money for a more-powerful device with more-expensive subscriptions just to block traffic with the Snort engine before it's blocked by the firewall (packetfilter).

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • According to the image that Gaston posted, that's not what would happen since packetfilter is always listed before IPS.
  • What packetfilter rules apply to traffic arriving at an external interface?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What packetfilter rules apply to traffic arriving at an external interface?


    The INPUT chain in IPTables... can be seen on the UTM with 
    iptables -n -L

    When Snort is in Inline (IPS) mode, it typically does not listen to the interface(s) directly, but rather IPTables queries Snort with each packet (or stream?).

    Barry
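    As an added example (not from this thread or from Sophos), the following Python check walks a constructed sample of `iptables -n -L` output and reports, per chain, how many DROP/REJECT rules sit before and after the NFQUEUE rule that hands packets to an inline Snort, which is the ordering Bob and Barry are discussing. The sample ruleset, the addresses in it and the queue number are assumptions, not a real UTM configuration; drops before the queue are the "cheap" packetfilter drops, drops after it mean the IPS inspected traffic the packetfilter would have discarded anyway.

```python
"""Report where a packet-filter chain hands packets to an inline IPS (NFQUEUE)."""
import re

# Constructed sample of `iptables -n -L` output; NOT a real UTM ruleset.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:23
NFQUEUE    tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:443 NFQUEUE num 0
ACCEPT     tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:443

Chain FORWARD (policy DROP)
target     prot opt source               destination
NFQUEUE    all  --  0.0.0.0/0            192.168.1.0/24       NFQUEUE num 0
DROP       all  --  0.0.0.0/0            192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_chains(text):
    """Return {chain_name: [target, ...]} with targets in rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:                      # "Chain INPUT (policy DROP)" starts a new chain
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue               # blank line or column header
        chains[current].append(line.split()[0])   # first column is the target
    return chains


def ips_handoff_report(text):
    """Per chain: DROP/REJECT rules before and after the first NFQUEUE rule.

    A chain with no NFQUEUE rule (IPS never consulted) maps to None.
    """
    report = {}
    for chain, targets in parse_chains(text).items():
        if "NFQUEUE" not in targets:
            report[chain] = None
            continue
        idx = targets.index("NFQUEUE")
        terminal = ("DROP", "REJECT")
        report[chain] = {
            "drops_before_ips": sum(t in terminal for t in targets[:idx]),
            "drops_after_ips": sum(t in terminal for t in targets[idx + 1:]),
        }
    return report
```

    In the sample, INPUT drops twice before asking Snort, while FORWARD queues every packet to the IPS and only then drops it, the wasteful ordering Bob warns about.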
  • Hi, Barry.  My point was that he's probably putting Snort out front to block traffic that would be blocked "more cheaply" by packet filter rules before iptables asked Snort about the traffic.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA