TCP Disconnect with IPS-Pattern updates ??

Question

We have some customers who use quite sensitive software. We have had repeated session drops with one customer (always at noon on Tuesdays -GMT-) The IPS patterns are said to have been updated at this time today. IPS is only active for some external connections. Not for the "sensitive" internal ones. They are running version 20.0.1 MR1 Could there be a connection? 
 Thanks Dirk

LHerzog · Answer

isn't it so that the traffic "always" flows through IPS/DPI? You could exclude the firewall rule only for the sensitive traffic from inspection. Maybe that's a workaround? 
 set ips ac_atr exception fwrules <add at most eight firewall rule IDs, comma separated>

Mayur Makvana · Answer

Hello, 
 Thank you contacting the Sophos Community! 
 As per the description, I believe it may not be the IPS which could be causing an issue. As if the IPS would be dropping the traffic in that case it will continue to drop if any matching signature triggered. 
 We suggest collecting below logs from the advance shell and saving them on putty. 
 1. tcpdump -nei any host destIP 
 2. Conntrack -E 
 3. Packet capture using KBA: https://support.sophos.com/support/s/article/KB-000037007?language=en_US 
 4. Collect the drop packet using KBA: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/index.html#drop-packet-capture 
 With this information, I would suggest raising the support case to take it further.

TCP Disconnect with IPS-Pattern updates ??

Top Replies