
Identifying IPS signatures being hit

Here are some logs of IPS signatures being blocked or detected.  I'd like to allow them.

How is one supposed to find which signature is actually being tripped?

Date / Time Signatures Drop username LocalIP :TCP(54850) RemoteIP :TCP(8080) 20
Date / Time Signatures Drop - LocalIP :GRE(0) RemoteIP :GRE(0) 293
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50775) 1060130022
Date / Time Signatures Detect username RemoteIP :TCP(8080) LocalIP :TCP(50764) 1120625011


I built a new rule modeling it off the LAN to WAN.  I can't search for 20, 8080, GRE, 293, 1060130022 nor 1120625011 and get a hit that makes sense.  GRE returns values such as Greetings or Postgresql.  293 returns nothing.  20 has 900+ results dealing with CVEs, 1060130022 nothing, etc.

Outside of turning off IPS how is one supposed to tune this?


