Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Many IPS alerts

FormerMember
FormerMember

Good morning everybody!

 

I have many IPS alerts, is that normal?

And not all of the victims IP's are in my network!

I use LAN_TO_WAN standart IPS policy!

 



This thread was automatically locked due to age.
Parents
  • Hi Meghan,

    Make sure you don't have the SSH and HTTPS access open for the WAN zone in Administration | Device Access. It is recommended to uncheck these access to the XG when it is not used.

    Alongside, verify that the IPS patterns are up2date. This is also caused when you have hosted a server through DNAT and external attempts to access this servers are blocked by the XG.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • FormerMember
    0 FormerMember in reply to sachingurung

    Hi Sachin,

     

    SSH and HTTPS access is already closed.

    I havn't got any server, only 3 Clients in the LAN, and I havn't got any DMZ.

    IPS signatures already up to date.

    So why there are so many intrusion attempts?

     

    Regards Meghan

  • Hi Meghan, 

    You may need to check the packet capture for the destination address in the intrusion list. You may find that your local host access some sites that have such vulnerability due to the outdated Web server. This does not indicate that your system is compromised and may need to investigate which URL or sites your host accessed and the reply from the server is logged by IPS policy. 

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Reply
  • Hi Meghan, 

    You may need to check the packet capture for the destination address in the intrusion list. You may find that your local host access some sites that have such vulnerability due to the outdated Web server. This does not indicate that your system is compromised and may need to investigate which URL or sites your host accessed and the reply from the server is logged by IPS policy. 

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Children
No Data