IPS Blocking legit traffic speedtest.net / IPS impacting performance even if IPS is not enable in the rule

Question

I get thousands of this alerts every time I use https://www.speedtest.net/ 
 
 "Data sent on stream after TCP Reset received" 
 
 Does it make sense? how can I disable it or fix the issue? 
 The IP belongs to the service 
 
 It's a bug?

SaschaParis · Accepted Answer

Helo IOraiden 
 
 This is not a bug nor is snort "wrong implemented". But this is behaviour as designed in SFOS. XG Firewall also uses snort for application classification, and application classification is per XG design globally activated to get all those fancy application reports in reporting. Also means, that IPS always touches the traffic, even if there is no explicit IPS (or AppControl) rule in place. 
 
 You can disable that behaviour in the device console using the command 
 system application_classification off 
 
 AppControl and IPS is afterwards still active for any rule where app or ips policy is in place, but it will not touch anymore traffic which has no such policy in place. Means you will reach even on low end hardware easily linespeeds then w/o app and ips policy in place. 
 
 Hope that helps (and please also give feedback if it DID help or not ;o)) 
 
 /Sascha

l0rdraiden · Answer

I have applied this solution 
 https://community.sophos.com/kb/en-us/133096 
 https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/108353/ips-blocking-even-if-fw-rule-says-to-not/398962#398962 
 
 Now not only I dont get those alerts, I have full speed on upload 300Mbps with this setting enabled I got around 260 Mbps and thousands of alerts 
 FloSupport

SaschaParis · Answer

Concerning: 
 "So to be clear by enanling this option I lose all the functionality related to "Cloud Applications" or is there something else?" 
 No, you don't loose anything besides reporting of used applications for traffic matching a firewall rule where's no app or ips policy in place. For all other firewall rules XG behaves as before.

LuCar Toni · Answer

Hi, 
 There is an old Topic about this. 
 https://community.sophos.com/kb/en-us/125458

Michael Dunn · Answer

The following is based on my understanding - and this is not my area of expertise. 
 
 There are two concepts - monitoring and control. There is also IPS, DoS, Advanced Threat Protection, and Applications. All of these use snort. When you "turn off" all these features, you are turning off control. You are turning off taking action. You are not necessarily turning off monitoring. For example, with everything in the UI turned off, the you will still see reporting telling you there was Skype traffic, etc. Because snort is still working, monitoring the data packets and reporting on it. 
 
 As far as I know, in addition to turning off the features you can see in the UI, there is also a backend way of turning off the monitoring of applications. I do know the... order of precedence - in other words I don't know if turning this off supersedes the other configuration, or other impacts. Unfortunately for "can someone tell me what this command does exactly" I don't have a precise answer, it is not my area. 
 system application_classification on/off/show

Now application control actually has multiple ways of identifying applications - one is using snort, another is using the web proxy, and another is using certain cloud mechanisms. When the web proxy is used to determine applications in HTTPS that is called "microapp" which IMO is a stupid and confusing name - which is why we've eliminated it from the UI. Microapp monitoring (note I say monitoring and not control) is tied to web proxy configuration and cannot be turned on or off independently of the web proxy configuration. If the proxy can detect the application, it reports on it, there is no performance hit. The web proxy also reports on the category of the website and the filetype of the downloads even if you have no policy based on categories or filetypes, just as it reports on applications. The backend option "microapp-discovery" is a special proof of concept mode that forces certain things on, please leave it at the default off. Cloud application monitoring (and maybe control, I don't know) is also done outside of snort. The command ( system application_classification on/off/show ) is used by snort, it is not used by the web proxy, I don't know about other systems. 
 
 I don't know if it helps but.... our snort does not decrypt SSL, such as within an HTTPS connection. So any monitoring or control that involves decrypted traffic is not done within snort. That is why when you get down to the implementationdetails microapps (web application) and cloud applications are slightly different from other applications. There is a balance of giving admins all the implementation details versus simplifying for management. 
 
 So if performance is more important than reporting, you could turn application_classification off. Please note that this mode is very rarely used and therefore not as well understood/tested. You will find fewer support people who know it. 
 
 However I want to go back to the premise.... Does the speedtest actually mean anything useful. Lets say that I buy a car that is advertised as being able to travel 200 km/h on the racetrack. Now I take that car over to a private racetrack and I only get 180 km/h. I find out that I can take out the back seat and get 200 km/h. Should I remove the backseat? No. Because I don't drive on racetracks. I drive on city streets, I'm limited to 120 km/h on the highway anyway. 
 
 But we are not talking about cars here. We are talking about computer networks. In the real world how many times do you have a single client within your network downloading/uploading hundreds of MB/s? You don't. You have 20 clients or 200 clients downloading things at the same time and the aggregate of them all equals your total bandwidth. There are choices that are made within the XG that work better when there are many clients and work worse when there is a single client. Speedtest and other sites are great at single client tests, and they are absolutely a tool that you can look at and use. But they are not the source of truth for whether your end users are going to have their speed or bandwidth affected by the XG. 
 If you are running into a real world bandwidth problem, you have a choice. Throw more hardware at it (upgrade to a bigger box) or have the software do less (turn off monitoring). But I would only do those things if I have a real world bandwidth problem. I wouldn't do that so I could score higher on a speedtest. 
 
 Or to look at it another way - do you want to tune your XG to speedtest or to real world. Speedtest can inform you about real world but it isn't the same thing. Want to be faster? Turn off antivirus and speedtest will give you better results. What to run in the real world with antivirus off? It depends on what you want your XG to do.

rfcat_vk · Answer

I gave up on that site because without an open firewall rule I only received latency errors. 
 It needs its own rule without http/s scanning because it cannot cope with s proxy. 
 Ian