IPS tuning

I have both a UTM and a XG running at home. On the XG I see a large number of IPS attacks, now some of these I am aware of because I have a failed IPv6 configuration which tries to ping a server.

The issue is I don't see the same attacks on the UTM, so how do I determine if the attacks are genuine or false postives? If false how do I disable/reduce that rule?

  • Hi Ian,

    Thanks for showing the trust with Sophos Appliances.

    The IPS Signature pattern on XG differs from that on UTM. UTM has a third-party managed IPS control, whereas on XG it is managed through our local database, as both series have unique software architecture and features.

    To check and rectify the large number of IPS attacks on the XG appliance, can you check which Signature is Dropped in the IPS log and which IPS Policy is applied in the Firewall Rule acting for the specified VLAN services?

    Next, you can navigate to the IPS settings from the following path:

    • Objects
    • Policies
    • Intrusion Prevention

    Click on the Selected IPS Policy.

    Here you can Allow the dropped Signature. If you are using a default policy configured inside the Firewall, you can create a new IPS Policy to allow the concerned dropped Signature.

    Let me know if you have any further query in this regard.

    Thanks

    Sachin

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
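The first step Sachin describes, working out which signatures are being dropped and from where before touching the policy, can be done offline against an exported log. The script below is an added example for this thread, not Sophos code and not from either poster: it parses a constructed key=value log sample (the field names and layout are assumptions, not the appliance's real log format), groups drop events per signature, and sorts them into exception candidates (one known internal host, such as the misconfigured IPv6 pinger in the question), internal-only events that still need a look, and external activity that should stay blocked. The `LOCAL_NETS` ranges are placeholders to be replaced with your own LAN/VLAN ranges.

```python
"""Triage of IPS drop events before creating a policy exception.

Added example. The log layout below is a constructed key=value form used only
for illustration; it is not the Sophos XG log format.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed local networks (placeholder values): fill in your own LAN/VLAN ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fd00::/64")]

# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = """\
ts=2016-03-01T10:00:01 action=drop sig_id=1001 sig_name="ICMPv6 echo request flood" src=fd00::10 dst=2001:db8::1 proto=icmp6
ts=2016-03-01T10:00:31 action=drop sig_id=1001 sig_name="ICMPv6 echo request flood" src=fd00::10 dst=2001:db8::1 proto=icmp6
ts=2016-03-01T10:01:01 action=drop sig_id=1001 sig_name="ICMPv6 echo request flood" src=fd00::10 dst=2001:db8::1 proto=icmp6
ts=2016-03-01T10:02:15 action=drop sig_id=2044 sig_name="DNS oversized response" src=192.168.1.1 dst=192.168.1.20 proto=udp
ts=2016-03-01T10:03:07 action=drop sig_id=3120 sig_name="SSH brute force attempt" src=198.51.100.77 dst=192.168.1.5 proto=tcp
ts=2016-03-01T10:03:09 action=drop sig_id=3120 sig_name="SSH brute force attempt" src=198.51.100.77 dst=192.168.1.5 proto=tcp
ts=2016-03-01T10:04:00 action=allow sig_id=2044 sig_name="DNS oversized response" src=192.168.1.1 dst=192.168.1.20 proto=udp
ts=2016-03-01T10:05:12 action=drop sig_id=4501 sig_name="SMB null session" src=192.168.1.30 dst=192.168.1.40 proto=tcp
ts=2016-03-01T10:05:40 action=drop sig_id=4501 sig_name="SMB null session" src=192.168.1.31 dst=192.168.1.40 proto=tcp
"""

# key=value pairs; values may be quoted strings containing spaces.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def is_local(addr):
    """True if the address falls inside one of the configured local ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def summarize_drops(log_text):
    """Group drop events by signature id and attach a triage verdict.

    Verdicts:
      exception-candidate : every drop comes from one internal host; confirm
                            what that host is doing before allowing the signature
      review              : internal sources only, but more than one host
      keep                : at least one external source; leave the signature on
    """
    groups = defaultdict(lambda: {"name": "", "count": 0, "sources": set(), "dests": set()})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "drop":
            continue  # only dropped traffic is relevant to exception tuning
        g = groups[ev["sig_id"]]
        g["name"] = ev["sig_name"]
        g["count"] += 1
        g["sources"].add(ev["src"])
        g["dests"].add(ev["dst"])

    for g in groups.values():
        all_local = all(is_local(s) for s in g["sources"])
        if all_local and len(g["sources"]) == 1:
            g["verdict"] = "exception-candidate"
        elif all_local:
            g["verdict"] = "review"
        else:
            g["verdict"] = "keep"
    return dict(groups)


if __name__ == "__main__":
    for sig_id, g in sorted(summarize_drops(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sig_id:>6} {g['count']:>4} {g['verdict']:<20} {g['name']:<30} "
              f"src={sorted(g['sources'])} dst={sorted(g['dests'])}")
```

Only the signatures marked `exception-candidate` are worth carrying into a new IPS policy, and even then the right fix is often on the host (here, repairing the IPv6 configuration) rather than in the policy; the `keep` rows are the ones the IPS is there for.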

  • Have you actually been able to make this work? We have a false-positive on our IPS and I haven't been able to eliminate just that one signature from the policy. We duplicated an existing policy and I can either eliminate all of the signatures in the sub-group or leave it as-is. The web interface flakes out if I keep clicking on check boxes - they stop toggling between clicked and not clicked, for example. I have done this in several different browsers and it doesn't seem to make any difference.

    We have the most current maintenance release of the firmware installed.

  • Hi Sachin,

    Thank you for the explanation. I did not receive an email indicating that there had been a response to my thread; in fact I haven't received any emails from the forum for the last week or so.

    I am using the default WAN to LAN policy, which you cannot edit. The other policies appear to be counterintuitive to me, e.g. the wrong way around, protecting the internet from my devices?

    Also, the IPS logs do not show which specific rule is being reported on, just "dns is dropped" or "ssl is dropped".

    Update: I have created my own rule, but it still requires to be edited to remove IPS rules. More to learn.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation