SFM IPS Issues - MR1

I thought I would share the repeated issues we've been having with the SFM IPS configuration deployment.  These issues have all been reported to support, but troubleshooting has yet to resolve anything aside from uncovering more buggy behavior.  I understand all products will have issues at some point, but this just seems to have issue after issue.  I would like to hear if anyone can actually push IPS policies successfully that make any useful changes, and yes we can push default policies which support keeps arguing means it works...  Our SFM is on the latest firmware, as well as the Sophos XG, and all patterns are updated on the IPS of both devices.

 

Core Issue:

The real issue is that the IPS configuration push fails at some point, you would think there would be some kind of pattern but this is what I've noticed.

 

Sometimes you can successfully push an IPS policy with individual signatures selected, but sometimes it fails immediately after selecting individual signatures (that's the only change on the entire policy when it fails repeatedly).  Although, sometimes you can make the changes you want to (by selecting individual signatures), and synchronize the object down successfully once.  Any subsequent changes however usually fail, though sometimes they do work but rarely stay working after further changes are made.  I have been working with support on this specifically, and am still trying to find an actual cause.  Is there a specific character in the name that makes it fail, do the patterns mismatch from the XG and SFM etc (we have already looked into these obvious questions)?  Does anyone have any other helpful information or suggestions?

 

Side Issues:

Other issues I've noticed include duplicate IPS signatures.  Some IPS signatures are duplicated three times, some four times, some five times etc., no type of pattern whatsoever...  You would think this would cause an issue, however there was a test policy that had tons of duplicates in it that still worked after multiple changes and successful synchronizations...

 

The other problem I noticed is the filtering of signatures, apparently it was only designed to work when all signatures are not selected.  If you select a few individual signatures, then the filter becomes completely useless and you have to scroll through thousands of signatures manually just to find it.  Another issue is if you save a policy and go back to the category, it will be in any order other than what it was originally in.  It completely scrambles all the signatures, these to me are minor issues I can live with, but I think you get the idea that the development of the product is anything but experienced.

 

I won't even mention the logging, or should I say lack thereof which everyone seems to say about all Sophos products.

 

Conclusion:

I just sat on the phone with support for another 2 hours to get absolutely nowhere with this issue.  Apparently there are no other reports of IPS issues, I find it hard to believe I am the only one reporting these issues.  My favorite answer by support is, "oh it must be a configuration or network connectivity issue".  Finally I was able to get them to escalate this to a real engineer, my hopes are that they know something.  I will update this post if Sophos can ever fix the core issue, I highly doubt they will fix all the other erroneous behavior though.



This thread was automatically locked due to age.
  • At this time all IPS policies fail to synchronize with any type of exception set.  As soon as an individual signature is selected, the SFM repeatedly fails to push anything down.  The test object I was talking about previously that "worked", didn't have the proper exceptions set by the support tech so it was an inconclusive test.  Once I adjusted the policy configuration to something that would actually work for us, it failed repeatedly as usual.

     

    If anyone can push down an IPS policy that makes a useful change like setting an exception i.e., please share.

     

    I would really like to hear from Sophos about how this got through quality control, or is that even a department there?  Do they actually test their products before shipping them out?  It sure doesn't seem like they do.

     

    My recommendation to anyone using Sophos XG, is the Sophos Firewall Manager is pretty much worthless at this time.  We have submitted all issues to support, which was only forwarded to development where all the problems are created.  It's hard for support to be effective when every single problem is caused by the fact that their developers are simply bad programmers.
