XG Firewall v18 MR-5: Feedback and experiences

  • Reports are still bad; yesterday's download of MR-5 to my Mac does not show.

    The classification process is still broken - NTP, IMAPS.

    Mail scanning is still broken, over 6000 messages for two people in one day.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • The classification process is still broken - NTP, IMAPS.

    Is there any reason at all why the Firewall can't detect NTP traffic as its own application?

    Creating an application signature for NTP shouldn't be that hard.


    If a post solves your question use the 'Verify Answer' link.

  • Just FYI - We could reproduce the issue with NTP and will fix this soon with a pattern update. 

    NTP has a category but it fails sometimes to get this matching. NTP =/= NTP in some cases. 

    __________________________________________________________________________________________________________________

  • The newest App pattern should include the NTP Traffic as correctly verified as NTP. 

    __________________________________________________________________________________________________________________

  • Is "18.18.25" the latest pattern update for IPS/App?

    Most of my NTP traffic still isn't being identified correctly.


    If a post solves your question use the 'Verify Answer' link.

  • Can you share a screenshot of this traffic? 

    __________________________________________________________________________________________________________________

  • I've only managed to get a single NTP sync identified correctly as NTP App by the Firewall.

    (Interestingly enough, it was a Windows machine; everything else in the Log Viewer is either Android/Linux/iOS.)

    (I've also manually triggered an NTP sync on two Linux VMs; it still didn't get identified. (Used both systemd-timesyncd and ntpdate.))

    Here's how it currently looks in the Log Viewer:

    Will do a packet capture later to see if it's an issue on my end.

    Thanks for the update!


    If a post solves your question use the 'Verify Answer' link.

  • The pattern was released ~12:00. 

    My Windows clients are getting correctly verified:

    What's the client you are seeing?

    __________________________________________________________________________________________________________________

  • 07:18:13, Jun 15 2021 was the time "18.18.25" got applied on my Firewall. (Different time zones.)

    On Linux:

    • SUSE SLES 15.3 VMs (systemd-timesyncd) - (Chrony also doesn't get identified.)
    • Arch Linux (systemd-timesyncd)

    Both Android 10 & 11.

    Single iPhone 11 on latest iOS.

    EDIT: Only on Windows does the NTP traffic get identified correctly. (Note: On Windows the source UDP port is also 123, while everything else uses ports >1024.)


    If a post solves your question use the 'Verify Answer' link.
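
For checking a packet capture against the source-port observation in the post above, here is an added example (not part of the original thread, and not Sophos's classification logic). It validates a UDP payload as NTP from the header fields defined in RFC 5905 and reports whether the source port is 123 or ephemeral; the function names and sample packets are constructed for illustration.

```python
NTP_PORT = 123
# Time-synchronisation modes only; control (6) and private (7) are excluded.
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast"}

def parse_ntp(payload: bytes):
    """Return (version, mode name) if payload has a plausible NTP header, else None."""
    if len(payload) < 48:            # the fixed NTP header is 48 bytes
        return None
    first = payload[0]
    version = (first >> 3) & 0x7     # bits 3-5 of the first byte
    mode = first & 0x7               # bits 0-2 of the first byte
    if version not in (1, 2, 3, 4) or mode not in MODES:
        return None
    return version, MODES[mode]

def describe(src_port: int, dst_port: int, payload: bytes) -> str:
    """Classify one UDP datagram by payload and note the source-port style."""
    if NTP_PORT not in (src_port, dst_port):
        return "not NTP (port)"
    hdr = parse_ntp(payload)
    if hdr is None:
        return "not NTP (payload)"
    version, mode = hdr
    style = "source port 123" if src_port == NTP_PORT else "ephemeral source port"
    return f"NTPv{version} {mode}, {style}"

def make_request(version: int) -> bytes:
    """Constructed client request: LI=0, given version, mode=3, remaining bytes zero."""
    return bytes([(version << 3) | 3]) + bytes(47)

# Constructed samples: same payload, different source-port behaviour.
SAMPLES = [
    ("src-123", 123, 123, make_request(4)),
    ("src-ephemeral", 45678, 123, make_request(4)),
    ("short-payload", 45678, 123, b"\x00" * 10),
]

if __name__ == "__main__":
    for name, sport, dport, data in SAMPLES:
        print(f"{name:14} {sport:>5} -> {dport}: {describe(sport, dport, data)}")
```

Both well-formed samples carry the same NTP header and differ only in source port, which is the variable to compare against the Log Viewer's classification for the same flows.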

  • Let me get back to the Labs Team to verify this. 

    __________________________________________________________________________________________________________________

  • Still not classifying my NTP traffic, also doesn't classify all IMAPS traffic.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.