Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 1277 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Not detecting anything

THE_INV1CTUS
Hello all. 
I installed UTM 9 (Home Edition) about 6 months ago and I have IPS enabled with the default attack-paterns, Anti-DDOS and Anti-Portscan.

The Internal network is in my Local Network on the first tab (Global). IPS never detected anything, do I have to do something else ?

Thank you for your help.


This thread was automatically locked due to age.
  • 0
    unless you have it misconfigured no detections is a good thing..[:)]
  • 0
    I have had IPS enabled for long time with no detection.  Web Filter catches some stuff.  So lately I have disabled IPS and it has helped make web more  snappy even with Web Filter turned on and Both Virus Scanners enabled.
  • 0
    no..leave it on.  This is integral to the advanced threat protection function of the system.  You need to have http proxy on, application visibility on and ips on and then advanced threat protection.  Unless your system is underpowered or highly overpowered the performance hit should be negligible and you seriously upgrade your networks security.
  • 0
    Thank you for your response. 
    I doubt no attack are being done on the network....
    The dashboard, daily or weekly reports always shows 0 IPS detected, but the live log has the following:

    2015:03:05-11:40:47 mcbf ulogd[4469]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="64.254.24.110" dstip="xx.***.x.***" proto="17" length="1376" tos="0x00" prec="0x00" ttl="51" srcport="4500" dstport="64118"
    2015:03:05-11:40:47 mcbf ulogd[4469]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="64.254.24.110" dstip="xx.***.x.***" proto="17" length="1376" tos="0x00" prec="0x00" ttl="51" srcport="4500" dstport="64118"
    2015:03:05-11:40:47 mcbf ulogd[4469]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="64.254.24.110" dstip="xx.***.x.***" proto="17" length="1376" tos="0x00" prec="0x00" ttl="51" srcport="4500" dstport="64118"
    2015:03:05-11:40:47 mcbf ulogd[4469]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="64.254.24.110" dstip="xx.***.x.***" proto="17" length="1376" tos="0x00" prec="0x00" ttl="51" srcport="4500" dstport="64118"

    and a lot more...
  • 0
    A UDP flood isn't counted as an IPS rule violation.
  • 0
    It looks to me like you need an exception for that IP as someone is trying to connect with IPsec.

    Cheers - Bob