This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can I disable a single Signature ID within IPS?

We have software that goes out to a distributors website and downloads updates.  Part of these updates is a batch of Word documents in .docx format that have some ActiveX controls in them that are used for automation.  They cannot be removed and are a normal part of their software.  The problem is, for our standard "web access" rule we have enabled the default IPS rule "LAN to WAN" which is blocking this.  In the firewall we have the following:

We have already added the domain that the downloads come from to the exceptions list under Protect -> Web -> Exceptions and also added the same domains to the "Local TLS exclusion list" but we still get the constant (100's per day) logs and emails and I'm assuming IPS ignores these exceptions.

Is there any way to either add a exception for this SignatureID or modify the default  IPS rule or do I have to create a new IPS rule with all the same settings except for "file-office".  I would like the "file-office" stuff to remain, I really only want this one signature ignored, but I don't see how to do that.



This thread was automatically locked due to age.
Parents
  • Hi,

    yes, you can. You need to add another rule using lan to wan as the policy, then select the SID and change it to disabled and then save your new version of 'My LAN to WAN'. Then use that in all your firewall rules,

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank-you.  I was hoping to just modify the existing but being a default rule I guess that makes sense that I couldn't.  Would be nice to have a couple extra characters in the policy name as I like being specific in what something is doing (like "LAN to WAN with Exceptions") but at least it's working.

  • or the simple way ... using a writable IPS-Policy  ...

    - open LogViewer / IPS
    - locate your problem
    - click to the signature-ID
    - select "Disable the signature for this IPS Policy"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • or the simple way ... using a writable IPS-Policy  ...

    - open LogViewer / IPS
    - locate your problem
    - click to the signature-ID
    - select "Disable the signature for this IPS Policy"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children