Dear All,
There is an action in the IPS policy, "Bypass Session", and as per the documents, "Bypass Session - Allows the entire session if detects any traffic that matches the signature." and the recommendation for the same is:
Hi Deepak,
The action will be taken considering the order of the added rules in the IPS policy. The scanning will be done in TOP to BOTTOM direction. If there is a drop action rule on top of the bypass action rule, then the signature connection will be dropped.
Thanks,
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Hi,
I agree with you that scanning will be done in TOP to BOTTOM direction and, if any signature matches, the action is applied and further testing is skipped.
My question is based on the picture below:
Now, I have selected Bypass Session in the action menu. Then what will be the difference in action between Recommended and Bypass Session?
Regards,
Deepak Kumar
Sophos Architect | NSE 4 | CCNP | CISE
Recommended actions are shown in the right column of the configuration window of the screenshot. If you select the action as Bypass Session, then this custom setting will override the Default recommended action and bypass, i.e., allow the signature.
Thanks,
Sachin Gurung
Team Lead | Sophos Technical Support
Hi,
Thanks for your update.
If it will allow the signatures, then why would I configure IPS?
It will be the same as if I do not configure the IPS under the firewall policy or I change the default action to Bypass. Why would I increase latency and system resource usage on the hardware?
Regards,
Deepak Kumar
Sophos Architect | NSE 4 | CCNP | CISE
Hi Deepak,
In case of false positives, it will be more helpful to bypass one signature than to disable the whole policy.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
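The rule-ordering point and the false-positive use case from the replies above, as an added example that is not part of the thread and is not Sophos code. It is a simplified first-match model; the signature IDs, their recommended actions, and the rule names are constructed for illustration. It shows that a one-signature Bypass Session rule only takes effect when it sits above the broad rule, and it flags bypass rules that an earlier rule shadows.

```python
from dataclasses import dataclass

# Simplified model (assumption): a rule is a name, the set of signature IDs it
# selects, and an action. "recommended" means "use the signature's own default".
@dataclass(frozen=True)
class Rule:
    name: str
    signatures: frozenset
    action: str  # "recommended", "drop", or "bypass_session"

# Constructed signature IDs with constructed recommended actions.
RECOMMENDED = {"SIG-1001": "drop", "SIG-1002": "drop", "SIG-1003": "allow"}

def effective_action(policy, sig_id):
    """Return (rule name, action) of the first rule, top to bottom, selecting sig_id."""
    for rule in policy:
        if sig_id in rule.signatures:
            action = RECOMMENDED[sig_id] if rule.action == "recommended" else rule.action
            return rule.name, action
    return None, "allow"  # no rule selects it, so this policy does not act on it

def shadowed_bypasses(policy):
    """List (bypass rule, signature, winning rule) where an earlier rule already matches."""
    findings = []
    for idx, rule in enumerate(policy):
        if rule.action != "bypass_session":
            continue
        for sig in sorted(rule.signatures):
            winner, _ = effective_action(policy[:idx], sig)
            if winner is not None:
                findings.append((rule.name, sig, winner))
    return findings

ALL = frozenset(RECOMMENDED)
# Hypothetical rules: SIG-1002 is the signature producing false positives.
fp_exception = Rule("fp-exception", frozenset({"SIG-1002"}), "bypass_session")
baseline = Rule("baseline", ALL, "recommended")

GOOD_ORDER = [fp_exception, baseline]  # exception above the broad rule
BAD_ORDER = [baseline, fp_exception]   # exception below the broad rule: never reached

if __name__ == "__main__":
    for label, policy in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for sig in sorted(ALL):
            print(label, sig, effective_action(policy, sig))
        print(label, "shadowed:", shadowed_bypasses(policy))
```

In the good order only SIG-1002 is bypassed while the other signatures keep their recommended action, which is the difference from disabling IPS on the firewall rule altogether.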