Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 41 subscribers
  • Views 6900 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Log Messages: Anomaly - Removed the urgent flag and pointer in TCP header / Enforces IPS protection

philbert

For some time, we get the following IPS Log Messages:

Example 1

2024-01-16 12:12:20 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="140" fw_rule_name="x1" fw_rule_section="Local rule" user="xxx@xxx.de" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="10.20.30.25" src_country="R1" dst_ip="172.16.16.142" dst_country="R1" protocol="TCP" src_port="64642" dst_port="1521" OS="All" category="Misc" victim="All"

Source is an internal Client PC with our Software Application using Oracle Client to access your internals Oracle DB Server as destination. All internal / LAN Traffic.

Example 2

2024-01-16 13:05:01 IPS messageid="06001" log_type="IDP" log_component="Anomaly" log_subtype="Detect" ips_policy="" ips_policy_id="0" fw_rule_id="137" fw_rule_name="x2" fw_rule_section="Local rule" user="" sig_id="1" message="Removed the urgent flag and pointer in TCP header" classification="Potentially Bad Traffic" rule_priority="2" src_ip="172.16.16.142" src_country="R1" dst_ip="10.20.1.11" dst_country="R1" protocol="TCP" src_port="51806" dst_port="1521" OS="All" category="Misc" victim="All"

Source is an Oracle DB Server accessing another Oracle DB Server. All internal / LAN Traffic.

Settings

Intrusion prevention -> IPS policies -> IPS protection: ON

Firewall Rule 140 and 137 has IPS disabled (none) as it is internals Traffic.

Why is IPS still active, and how can I prevent it from messing with my Traffic?

https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/IPSPolicies/index.html#turn-on-ips-protection
From the online help, it is not clear to me what "IPS protection: ON" does. Help says "IPS switch ON = Enforces IPS protection". But does is mean IPS is always ON no matter how the Firewall Rule IPS Setting is configured? Looks like it.
Further helps says: IPS switch: Off -> Doesn’t update signatures. You can add IPS policies to rules (example: firewall rules). ? So than I can change IPS by Firewall Rule but don't get signature update?

SFOS 19.5.3 MR-3-Build652



This thread was automatically locked due to age.
Unfiltered HTML