IPS Log Messages: Anomaly - Removed the urgent flag and pointer in TCP header / Enforces IPS protection

For some time we have been getting the following IPS log messages:

Example 1

2024-01-16 12:12:20 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="140" fw_rule_name="x1" fw_rule_section="Local rule" user="xxx@xxx.de" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="10.20.30.25" src_country="R1" dst_ip="172.16.16.142" dst_country="R1" protocol="TCP" src_port="64642" dst_port="1521" OS="All" category="Misc" victim="All"

Source is an internal client PC running our software application, which uses the Oracle Client to access our internal Oracle DB server as destination. All internal / LAN traffic.

Example 2

2024-01-16 13:05:01 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="137" fw_rule_name="x2" fw_rule_section="Local rule" user="" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="172.16.16.142" src_country="R1" dst_ip="10.20.1.11" dst_country="R1" protocol="TCP" src_port="51806" dst_port="1521" OS="All" category="Misc" victim="All"

Source is an Oracle DB server accessing another Oracle DB server. All internal / LAN traffic.

Settings

Intrusion prevention -> IPS policies -> IPS protection: ON

Firewall rules 140 and 137 have IPS disabled (none), as it is internal traffic.

Why is IPS still active, and how can I prevent it from messing with my traffic?

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/IPSPolicies/index.html#turn-on-ips-protection
From the online help, it is not clear to me what "IPS protection: ON" does. The help says "IPS switch ON = Enforces IPS protection". But does that mean IPS is always ON no matter how the firewall rule's IPS setting is configured? Looks like it.
The help further says: IPS switch: Off -> Doesn't update signatures. You can add IPS policies to rules (example: firewall rules). ? So then I can control IPS per firewall rule but don't get signature updates?

SFOS 19.5.3 MR-3-Build652
