I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3
Hi Guys,
Yesterday I installed XG310 (SFOS 17.5.3 MR-3) at client site.
It is in bridge mode after a MikroTik router doing NAT+Routing+VPN+basic FW.
Still there are a TON of false IPS positives. TCP related, IMAP related, Print spooler related (just some broadcasts), DNS related (replies from 8.8.8.8).
So this is ridiculous.
Disabling is just a temp solution? Even in upgrade, does it stop/lower the efficiency of IPS?
Have a nice day! Greetings!
Hi,
does anybody know if this is lowering the detection rate of the IPS?
_______________________________________________
Sophos XG User
I just want to ask again, if somebody knows if disabling "Anomaly Detection" lowers the detection/protection rate of the IPS system.
Is this issue solved in v18 EAP, so that Anomaly Detection is working again?
_______________________________________________
Sophos XG User
This issue is resolved in SFOS v17.5.8 MR-8. By default the setting will be enabled, as it was causing too many false positive detections.
Hi FloSupport
Thanks for the reply. BUT could you please answer the questions above.
Does disabling IPS anomalies LOWER the protection and effectiveness?
Thanks!
Have a nice day!
Yes, disabling any IPS setting/signature affects protection somewhat.
This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.). This setting was causing excessive false positives and issues for some customers, therefore the option to disable it was provided.
Copy and paste of the information I provided previously:
Regards,