
Many IPS alerts

FormerMember

Good morning everybody!


I have many IPS alerts, is that normal?

And not all of the victims' IPs are in my network!

I use the LAN_TO_WAN standard IPS policy!

  • FormerMember

    And is this an active attack on my LAN, or does this mean that an insecure, vulnerable website was opened?

    Thank you in advance!

  • Hi Meghan,

    Make sure you don't have SSH and HTTPS access open for the WAN zone in Administration | Device Access. It is recommended to uncheck this access to the XG when it is not used.

    Alongside, verify that the IPS patterns are up to date. This is also caused when you have hosted a server through DNAT and external attempts to access this server are blocked by the XG.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • FormerMember in reply to sachingurung

    Hi Sachin,


    SSH and HTTPS access is already closed.

    I haven't got any server, only 3 clients in the LAN, and I haven't got any DMZ.

    IPS signatures are already up to date.

    So why are there so many intrusion attempts?

    Regards Meghan

  • Hi Meghan,

    You may need to check the packet capture for the destination address in the intrusion list. You may find that your local hosts access some sites that have such a vulnerability due to an outdated web server. This does not indicate that your system is compromised; you may need to investigate which URLs or sites your host accessed, as the reply from the server is what is logged by the IPS policy.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • When I leave a W10 box running I get attacks on Windows. Turn the box off and no attacks.

    I get continual attacks on linux and BDOS, which for the moment have stopped.

    But what I don't get are blocked malware and spyware objectionable websites.

    Makes taking the IPS warnings seriously hard.

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA


  • FormerMember in reply to rfcat_vk

    Thank you for your answers!


    Can you tell me finally if I should care about it?

    I'm a little bit concerned because every day other exploits are reported, and not all IPs are solvable.

    If IPS is not very helpful, should I disable this feature?

    Or is UTM for Home better?

    Thanks in advance - Meghan

  • FormerMember in reply to FormerMember

    Any ideas?

  • On XG a number of the alerts are false positives, e.g. this morning I received an alert for an MS Edge scripting attack, and I don't have any MS PCs running at the moment.

    From memory on both UTM and XG you need IPS running to take full advantage of some of the other web features. For home use the XG is okay, but not as good as the UTM.

    Unless you are guarding national secrets at home the XG should provide sufficient security.

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA
