Disable Stateful Inspection

Is there any way to make certain policies stateless rather than stateful?

Yes we know what it means and the reasons behind both, so not looking for lectures or an opinion. Just a yes or a no.

Please advise, thank you.

  • as far as I know ... no.

    there is no Option from GUI and design if made for stateful inspection.

  • In reply to dirkkotte:

    How about via command?

  • In reply to MattWegrzyn:

    The firewall should be based on iptables.
    Since UTM/SG writes/reloads the configuration frequently, I think that changing the resulting configuration is not an option.
    but the following may help:
    iptables -t raw -A PREROUTING -j NOTRACK
    coderwall.com/.../disable-iptables-connection-tracking

    but I'm really interested in knowing the use case ... there might be a better option

  • In reply to dirkkotte:

    All of our network issues were Sophos related. We have a lot of traffic and Sophos "protects" our network from the outside world traffic coming into our network. (HTTP, DNS traffic mostly).

     

    Our issue is that there have been many times where we had network issues/outages due to Sophos running out of iptable space / reaching connection limits on very small amounts of traffic due to internal hardcoded limitations.

     

    I don't see a reason for our Sophos firewall to track connections for HTTP/DNS traffic since we don't use any session based handling of such traffic anyway. We already have many DDOS devices and solutions in place but still every no wand again we have a tiny spike in traffic (say 10MBPS) that completely uses up the session tables and causes Sophos to not accept new connections and start logging errors.

    Technically at this point, we don't really use Sophos for anything more than VPNing into our network (that is the only area we'd continue to need session handling).

    I guess if there's a way to tune it and make it stateless for certain traffic policies, that'd be huge help. If not, a recommendation to a different software/hardware we can use.

  • In reply to MattWegrzyn:

    "don't see a reason for our Sophos firewall to track connections for HTTP/DNS traffic since we don't use any session based handling of such traffic anyway"

    Stateful inspection is used every time you make a request to the internet (DNS/NTP/HTTP/SMTP). You need this to allow the corresponding answer-packets the way back to your network.

    The connection is written to contrack only if connection is allowed. So only "needed" traffic should fill this table.

    I never seen contrac-limit related disruptions ... which device/license do you use for how many users/devices?

    Can you show us connection statistic from your device?

     

  • In reply to MattWegrzyn:

    "Our issue is that there have been many times where we had network issues/outages due to Sophos running out of iptable space / reaching connection limits on very small amounts of traffic due to internal hardcoded limitations."

    How do you know that?

    You can find the initializations used for iptables in /etc/init.d/iptables.

    Cheers - Bob

  • In reply to BAlfson:

    We know because the errors end up in the kernel logs and other various logs throughout the years. Overall, Sophos GUI is great and user friendly, but the actual software that handles traffic is a disaster when it comes to our business. It's been the biggest pain on our network and we wish we can easily swap it out right now but can't without major downtime. I won't mention how we originally purchased 10GBPe modules only for them not to properly work. Endless back and forth with the useless Sophos support and the only solution was to downgrade to 1Gbpe.

    If not for ARBOR DDOS in cloud+on premise device, this Sophos box would be down on a daily basis. As mentioned, 10MBPs can knock it offline. The datasheet/advertising is just a blatant lie. It can't handle gigabits of traffic when there are other limitations that cause downtime at 10mbps.

    Right now we don't use Sophos for any protection. We have every security measure disabled that we can, other than the typical policies that are just ACL rules. And even those are causing issues as per this thread post.

  • In reply to dirkkotte:

    Dirk, with your logic we wouldn't be up if the Sophos didn't exist. But that's not the case because we can remove Sophos and have a server connected straight to the internet. So where is the session being handled then?

    I'm talking about session handling / tracking within Sophos. That is what the issue is. Not how the internet works.


    Connection usage when things are working smoothly:

     

     

    When things go awry this either shoots up or it just gets completely F-ed up. And it's all due to session/conn handling and tracking. I will try to find some logs for you guys to see.

  • In reply to MattWegrzyn:

    Just out of interest, what size / model of SG are you using?

    BR

    Alex

  • In reply to MattWegrzyn:

    We've been thru it all. The 650, 625, 450, etc.

     

    It's all the same issue.

  • In reply to MattWegrzyn:

    These are old but one of MANY DOZENS of DIFFERENT types of errors found in kernel logs. Honestly, we eventually stopped trying to go after each and every one because support wasn't adequate. Example:

    2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11340 scbs remain. memcap: 8387435/8388608
    2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 2 sessions from cache for memcap. 11338 scbs remain. memcap: 8387442/8388608
    2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11337 scbs remain. memcap: 8387228/8388608
    2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11333 scbs remain. memcap: 8388621/8388608
    2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11328 scbs remain. memcap: 8389773/8388608

     

     

    Most issues however were to do with 'conntrack' errors. As mentioned, a 10MBPs flood can cause many issues.

  • In reply to MattWegrzyn:

    Matt, what does your Sophos reseller Partner say about this?  Did they create the support case with Sophos or did you?

    The log you just showed is from IPS and is not the system log.  Do you have a recent example of relevant lines in the system and fallback logs?

    Cheers - Bob

  • In reply to BAlfson:

    Maybe we should have you as our partner.


    They don't have a damn clue. Once it got passed sales, it's like they have no clue whatsoever.

     

    Unf, there's been a few issues over last few months but I didn't save the logs. Next time it comes up I'll post it here. We bought the Arbor device to place in front of Sophos to protect us which does bulk of the job. However, if we remove that I know we'd have issues almost on a daily basis. I can't disable them since it's on the production environment. 

     

    Now it's just that once in a blue moon time where the Sophos becomes the bottle neck. Got a direct contact? If you do partner support / consulting we'll be glad to pay.

  • In reply to BAlfson:

    I created the support case but all the support tickets are not accessible for some reason. Thus I cannot get the info from them.