SFM IPS Issues - MR1

I thought I would share the repeated issues we've been having with the SFM IPS configuration deployment. These issues have all been reported to support, but troubleshooting has yet to resolve anything aside from uncovering more buggy behavior. I understand all products will have issues at some point, but this just seems to have issue after issue. I would like to hear if anyone can actually push IPS policies successfully that make any useful changes, and yes, we can push default policies, which support keeps arguing means it works... Our SFM is on the latest firmware, as well as the Sophos XG, and all patterns are updated on the IPS of both devices.

Core Issue:

The real issue is that the IPS configuration push fails at some point. You would think there would be some kind of pattern, but this is what I've noticed.

Sometimes you can successfully push an IPS policy with individual signatures selected, but sometimes it fails immediately after selecting individual signatures (that's the only change on the entire policy when it fails repeatedly). Although, sometimes you can make the changes you want to (by selecting individual signatures) and synchronize the object down successfully once. Any subsequent changes, however, usually fail, though sometimes they do work but rarely stay working after further changes are made. I have been working with support on this specifically, and am still trying to find an actual cause. Is there a specific character in the name that makes it fail, do the patterns mismatch between the XG and SFM, etc. (we have already looked into these obvious questions)? Does anyone have any other helpful information or suggestions?

Side Issues:

Other issues I've noticed include duplicate IPS signatures. Some IPS signatures are duplicated three times, some four times, some five times, etc., with no type of pattern whatsoever... You would think this would cause an issue; however, there was a test policy that had tons of duplicates in it that still worked after multiple changes and successful synchronizations...

The other problem I noticed is the filtering of signatures. Apparently it was only designed to work when no signatures are selected. If you select a few individual signatures, then the filter becomes completely useless and you have to scroll through thousands of signatures manually just to find one. Another issue is that if you save a policy and go back to the category, it will be in any order other than what it was originally in. It completely scrambles all the signatures. These, to me, are minor issues I can live with, but I think you get the idea that the development of the product is anything but experienced.

I won't even mention the logging, or should I say lack thereof, which everyone seems to say about all Sophos products.

Conclusion:

I just sat on the phone with support for another 2 hours to get absolutely nowhere with this issue. Apparently there are no other reports of IPS issues; I find it hard to believe I am the only one reporting these issues. My favorite answer by support is, "oh, it must be a configuration or network connectivity issue". Finally I was able to get them to escalate this to a real engineer; my hope is that they know something. I will update this post if Sophos can ever fix the core issue, though I highly doubt they will fix all the other erroneous behavior.
