Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS tuning

I have both a UTM and a XG running at home. On the XG I see a large number of IPS attacks, now some of these I am aware of because I have a failed IPv6 configuration which tries to ping a server.

The issue is I don't see the same attacks on the UTM, so how do I determine if the attacks are genuine or false postives? If false how do I disable/reduce that rule?



This thread was automatically locked due to age.
Parents
  • Hi Ian,

    Thanks for showing the trust with Sophos Appliances.

    The IPS Signature pattern on XG differs from that on UTM. UTM has a third party managed IPS control where as with XG that is managed through our local database. As both the series have unique software architecture and features.

    To check and rectify the large number of IPS attacks on the XG appliance can you check which Signature is Dropped in IPS log and which IPS Policy is applied in the Firewall Rule acting for the specified VLAN services ? 

    Next, you can navigate to the IPS settings from the following path:

    • Objects
    • Policies
    • Intrusion Prevention

    Click on the Selected IPS Policy.

    Here you can Allow the dropped Signature. If you are using a default policy configured inside Firewall, you can create a new IPS Policy to allow the concerned dropped Signature .

    Let me know if you have any further query on this regards.

    Thanks

    Sachin

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Have you actually been able to make this work?  We have a false-positive on our IPS and I haven't been able to eliminate just that one signature from the policy.  We duplicated an existing policy and I can either eliminate all of signatures in the sub-group or leave it as-is. The web interface flakes out if I keep clicking on check boxes  - they stop toggling between clicked and not clicked, for example.  I have done this in several different browsers and it doesn't seem to make any difference.  

    We have the most current maintenance release of the firmware installed.

Reply
  • Have you actually been able to make this work?  We have a false-positive on our IPS and I haven't been able to eliminate just that one signature from the policy.  We duplicated an existing policy and I can either eliminate all of signatures in the sub-group or leave it as-is. The web interface flakes out if I keep clicking on check boxes  - they stop toggling between clicked and not clicked, for example.  I have done this in several different browsers and it doesn't seem to make any difference.  

    We have the most current maintenance release of the firmware installed.

Children
No Data