

TCP Disconnect with IPS-Pattern updates ??

We have some customers who use quite sensitive software.
We have had repeated session drops with one customer (always at noon on Tuesdays, GMT).
The IPS patterns are said to have been updated at this time today.
IPS is only active for some external connections, not for the "sensitive" internal ones.
They are running version 20.0.1 MR1.
Could there be a connection?

Thanks Dirk



This thread was automatically locked due to age.
  • When this happens, do you know how much memory is available on the appliance?

    Additionally, is the connection a long-running connection?

    Any hint that this changed in the latest version? Because there were no changes in the IPS.

    BTW: The "UTM" approach is currently not possible, as IPS / Snort is much more included within the engine compared to UTM, which simply could bypass it.

    You could, for this customer, work around this by changing the time when IPS does a pattern update.

  • Hi,

    I can't say anything about the memory without checking it more closely, but an XGS2100 with just network protection+IPS+webfilter shouldn't reach its limits.

    All these connections are active some days.

    We have SFOS 20.0.1 MR1 here. Other customers with a similar environment and 20.0.0 don't have the problem.

    We have just migrated from SG to XGS. Therefore, there is no "before".

    How can I adjust the IPS pattern update time?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Essentially the time when you say "Start Cycle" will be responsible. 

    So if you do Daily and press Apply, it will be every 24h at that time.


  • Isn't it so that the traffic "always" flows through IPS/DPI? You could exclude the firewall rule only for the sensitive traffic from inspection. Maybe that's a workaround?

    set ips ac_atr exception fwrules <add at most eight firewall rule IDs, comma separated>