Some customers may experience an issue where IPS is causing legitimate traffic to be dropped and the IPS log to be filled.
Applies to the following Sophos product(s) and version(s): Sophos Firewall; Sophos Firewall XG Software v17.1.3 MR3
Some traffic may not get to the intended client or web server.
The IPS signatures involved are triggered by TCP anomalies (including RST packets received outside of the window). As a result, some customers saw valid RST packets dropped as false positives.
Note: The fix for this issue was implemented in SFOS v17.5.8 MR8.
Please log in to the XG via SSH and select the following option:
Option "4. Device Console"
Then run the command:
    set ips tcp_option detect_anomalies disable
This setting will be disabled by default starting with SFOS v17.5.8 MR8 due to customers experiencing excessive false positives.