
openSUSE update triggers IPS false positive

FormerMember

When attempting to update openSUSE, XG drops the connection with the following error in the IPS log: SERVER-WEBAPP /etc/passwd file access attempt. Adding a separate firewall rule to the main update domain download.opensuse.org with all policies including IPS disabled has no positive effect. The rule log will show queries to the domain, but it appears that the updates themselves then come from the mirrors directly. This is likely due to download.opensuse.org being a redirector to the various openSUSE update mirrors.

Could anyone offer advice regarding this issue?

Thanks for your assistance.



  • Did you try to stop the IPS service?

    Which XG version are you running?

    Thanks

  • FormerMember in reply to lferrara

    Hi Luk, thanks for your reply.

    I only just realized I had neglected to add the version of XG I'm running, I apologize for the oversight. It's version SFOS 17.5.9 MR-9. I believe that I did try halting the IPS service during a previous troubleshooting attempt of this issue but I haven't done so again since applying the most recent stable firmware version. This was an issue I had with the previous firmware as well.


    Thanks again for your help. 

  • Hi  

    If stopping the IPS service or removing the IPS policy from the rule fixes the issue, then I would suggest you open up a support case.

    This will need to go to the Sophos signatures team to review the traffic recorded in the packet capture and reproduce it on their end.

    If you are a paid user then it's easy to open a support case. If you are a home-based user, then the best you can do right now is to create a source IP rule without IPS enabled on it.

    So please try with IPS off either globally (ie stopping the service completely) or with IPS removed from the rule and let us know how it goes.

    Thanks!

    KingChris
    Community Support | Sophos Support


  • FormerMember in reply to KingChris

    Hi KingChris, Thanks for joining in and offering your advice. I appreciate it. 

    Sadly, I am a home user so I won't be able to push the issue higher in the chain. Stopping the IPS service globally does allow my openSUSE clients to successfully update without issue. I do believe that it is a signature-related problem triggering a false positive.

    Adding a source IP based rule without IPS over a destination domain based one would work for sure and would be the most reliable solution, though it would be a shame to lose the added protection that it affords for the regular traffic.

    Due to the way that the openSUSE update chain works, I know adding just the redirector server domain to a rule with IPS disabled is ineffective as the updates themselves will come from one of the many mirrors. That causes the traffic to go through my IPS-enabled general rule (the next available rule where the mirror traffic can get through) where it ultimately fails.

    Adding the mirrors as well to the update rule without IPS appears effective and allows IPS to remain enabled for all other non update related traffic from those systems at this moment, although it's a very inelegant solution with the number of USA mirrors and ultimately could break at any time. 

    Just for the reference of anyone who might be reading this and wish to do so, like most Linux based distros it's possible to have openSUSE query and update from one or more specific mirrors, but it's not desirable as those mirrors could have issues or be very slow, causing update problems. Even though it would simplify XG firewall rule creation, it's probably best to avoid doing so and allow openSUSE to have its default pick of update mirrors.

    The issue is quite easy to reproduce though should a member of the Sophos XG team find themselves with available time to do so. Running even a live version of openSUSE and attempting to update in terminal via Zypper should result in the problem. Updating at all will show the failures logged in XG but running update in terminal yields some quick, helpful troubleshooting info on the client side.

    I do wish I could be of more help with this, though I do understand that Sophos's attention must be focused on its subscription based customers. Hopefully other users of openSUSE may benefit though from this rather rudimentary workaround.  

    Thanks to you and Luk for your timely help with this issue.
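The workaround above depends on knowing which mirrors the clients actually hit. As an added example (not code from this thread or from Sophos), the script below parses IPS detections of the signature named in the thread from constructed, approximate XG key=value log lines, restricted to the openSUSE client subnet, and separates destinations on the web ports a mirror serves on from anything that should be reviewed before being added to a no-IPS rule. The field names and every IP address are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Signature name exactly as reported in the thread's IPS log.
PASSWD_SIG = "SERVER-WEBAPP /etc/passwd file access attempt"

# Constructed sample log approximating the XG IDP key=value syslog layout.
# Field names are an assumption; all addresses are documentation placeholders.
SAMPLE_LOG = """\
log_type="IDP" log_subtype="Detect" signature_msg="SERVER-WEBAPP /etc/passwd file access attempt" src_ip=192.168.10.21 dst_ip=203.0.113.10 dst_port=443 fw_rule_id=3
log_type="IDP" log_subtype="Detect" signature_msg="SERVER-WEBAPP /etc/passwd file access attempt" src_ip=192.168.10.21 dst_ip=203.0.113.10 dst_port=443 fw_rule_id=3
log_type="IDP" log_subtype="Detect" signature_msg="SERVER-WEBAPP /etc/passwd file access attempt" src_ip=192.168.10.22 dst_ip=198.51.100.7 dst_port=80 fw_rule_id=3
log_type="IDP" log_subtype="Detect" signature_msg="SERVER-WEBAPP /etc/passwd file access attempt" src_ip=192.168.10.22 dst_ip=192.0.2.99 dst_port=8080 fw_rule_id=3
log_type="IDP" log_subtype="Detect" signature_msg="SERVER-WEBAPP /etc/passwd file access attempt" src_ip=10.0.0.5 dst_ip=192.0.2.44 dst_port=443 fw_rule_id=3
log_type="Firewall" log_subtype="Allowed" src_ip=192.168.10.21 dst_ip=203.0.113.10 dst_port=443 fw_rule_id=3
"""

# key=value pairs with either a double-quoted or a bare value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted value wins, else bare)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def ips_hits(log_text, signature, client_nets):
    """Count IPS detections of `signature` per (dst_ip, dst_port), keeping only
    sources inside the given client subnets (the openSUSE machines)."""
    nets = [ip_network(n) for n in client_nets]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_type") != "IDP" or rec.get("signature_msg") != signature:
            continue
        if not any(ip_address(rec["src_ip"]) in net for net in nets):
            continue
        hits[(rec["dst_ip"], int(rec["dst_port"]))] += 1
    return hits


def exception_targets(hits, web_ports=(80, 443)):
    """Split destinations into those reached only on mirror HTTP(S) ports (safe
    to list in the no-IPS update rule) and those on other ports (review first)."""
    allow, review = set(), set()
    for dst, port in hits:
        (allow if port in web_ports else review).add(dst)
    return sorted(allow), sorted(review)


if __name__ == "__main__":
    found = ips_hits(SAMPLE_LOG, PASSWD_SIG, ["192.168.10.0/24"])
    print("mirror candidates, to review:", exception_targets(found))
```

Because the rule is scoped to the client subnet and the web ports, the exception stays narrower than disabling IPS globally while still covering mirrors the redirector picks.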