

Custom IPS Signatures

Hi!

The IPS on one of our Sophos XGs is blocking Splashtop from connecting properly, and it's being blocked as 

Here is what I have done so far, but no luck.

FQDN Host

sn.splashtop.com - resolves 54.204.11.246, 50.19.125.112
splashtop.com - resolves 23.23.164.150, 50.17.197.204

FQDN Host Group
IPS_Ignore - added sn.splashtop.com and splashtop.com

Custom IPS Signature

Name: Splashtop
Protocol: TCP
Rule: srcaddr:54.204.11.246;srcaddr:50.19.125.112;srcaddr:23.23.164.150;srcaddr:50.17.197.204;
Severity: Warning
Action: Bypass

Custom IPS Policy

IPS_Ignore
Rule Name: Allowed_Traffic
Added Custom Signature : Splashtop
Action: Bypass Session

Created Firewall Rule: IPS:Allow
Position: Top
Source: WAN > FQDN HG IPS_Ignore
Destination: LAN > Any > TCP
Intrusion Prevention: IPS_Ignore

I hit save and nothing happens; the IPS log is still filling up with dropped packets.



  • I went a completely different route, pun intended, and erased everything that I did earlier.

    Here is my new configuration and it works fine now.

    FQDN Host

    sn.splashtop.com - resolves - 54.204.11.246, 50.19.125.112
    splashtop.com - resolves - 23.23.164.150, 50.17.197.204

    FQDN Host Group
    Allowed_FQDN - added sn.splashtop.com and splashtop.com

    Created Firewall Rule: Allowed:FQDN
    Position: Top
    Source: LAN > Any
    Destination: WAN > Allowed_FQDN > TCP
    Intrusion Prevention: none

     

    And voila, no more 17000 IPS alerts.

    You can also use this rule to add more sites, just add them to the Allowed_FQDN HG.

  • I had the exact same pattern of IPS alerts from the same signature with Splashtop.

    A little more detective work (aided by the Splashtop trigger), and I found that if I disabled the Splashtop update service, these IPS attack log entries went poof! Splashtop has a service that looks for a software update every minute. Not needed. Splashtop still works fine without it, and the IPS log entries are gone :-)
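The two configurations above differ in which side of the session the firewall rule describes: the original post puts the Splashtop FQDN group in the Source field of a WAN-to-LAN rule, while the working rule from the first reply puts it in the Destination field of a LAN-to-WAN rule. The script below is an added example, not code from the thread or from Sophos; it models the first-match, first-packet rule evaluation a stateful firewall performs and runs a constructed session through both rule sets. It assumes the Splashtop client on the LAN opens the connection outbound, uses a made-up LAN prefix and a made-up general outbound rule with IPS enabled, and embeds the DNS answers quoted in the thread as a constructed table so it runs offline.

```python
"""
Added example (not from the original thread or from Sophos): a minimal model
of first-match firewall rule evaluation on the first packet of a session,
contrasting the poster's first attempt with the reply's working rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed DNS table using the addresses quoted in the thread.
DNS = {
    "sn.splashtop.com": ["54.204.11.246", "50.19.125.112"],
    "splashtop.com": ["23.23.164.150", "50.17.197.204"],
}

LAN_NETS = [ip_network("192.168.1.0/24")]  # constructed; anything else counts as WAN


def zone_of(addr: str) -> str:
    """Return the zone an address belongs to (two-zone model: LAN or WAN)."""
    ip = ip_address(addr)
    return "LAN" if any(ip in n for n in LAN_NETS) else "WAN"


def resolve_group(fqdns) -> frozenset:
    """Expand an FQDN host group into the addresses it currently resolves to."""
    return frozenset(ip for name in fqdns for ip in DNS.get(name, []))


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_hosts: Optional[frozenset] = None   # None means Any
    dst_hosts: Optional[frozenset] = None   # None means Any
    proto: str = "TCP"
    ips_policy: Optional[str] = None        # None means IPS not applied


@dataclass(frozen=True)
class Session:
    """The first packet of a session: who opened it and to where."""
    src: str
    dst: str
    proto: str = "TCP"


def matches(rule: Rule, s: Session) -> bool:
    """A rule matches only if zones, hosts and protocol all agree with the
    session's first packet; reply traffic is never matched against rules."""
    return (
        rule.proto == s.proto
        and rule.src_zone == zone_of(s.src)
        and rule.dst_zone == zone_of(s.dst)
        and (rule.src_hosts is None or s.src in rule.src_hosts)
        and (rule.dst_hosts is None or s.dst in rule.dst_hosts)
    )


def first_match(rules, s: Session) -> Optional[Rule]:
    """Top-down, first-match evaluation, as the rule order in the thread implies."""
    return next((r for r in rules if matches(r, s)), None)


def ips_policy_for(rules, s: Session) -> Optional[str]:
    """Which IPS policy (if any) ends up inspecting the session."""
    r = first_match(rules, s)
    return r.ips_policy if r else None


SPLASHTOP = resolve_group(["sn.splashtop.com", "splashtop.com"])

# Constructed stand-in for the poster's ordinary outbound rule with IPS on.
GENERAL_OUTBOUND = Rule("LAN-to-WAN", "LAN", "WAN", ips_policy="Default")

# First attempt from the original post: group as SOURCE, zones WAN -> LAN.
ATTEMPT_1 = [Rule("IPS:Allow", "WAN", "LAN", src_hosts=SPLASHTOP, ips_policy="IPS_Ignore"),
             GENERAL_OUTBOUND]

# Working rule from the first reply: group as DESTINATION, zones LAN -> WAN.
ATTEMPT_2 = [Rule("Allowed:FQDN", "LAN", "WAN", dst_hosts=SPLASHTOP, ips_policy=None),
             GENERAL_OUTBOUND]

# A LAN client opening the connection to a Splashtop server (assumed direction).
CLIENT_TO_SPLASHTOP = Session("192.168.1.20", "54.204.11.246")

if __name__ == "__main__":
    for label, rules in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2)):
        hit = first_match(rules, CLIENT_TO_SPLASHTOP)
        print(f"{label}: matched {hit.name!r}, IPS policy {hit.ips_policy!r}")
```

In this model the outbound Splashtop session never reaches the WAN-to-LAN rule of the first attempt and falls through to the general outbound rule, where IPS still inspects it; the LAN-to-WAN rule of the second attempt matches the session's first packet and the session is created without an IPS policy. Two caveats for anyone copying the working rule: it removes IPS inspection for all traffic to whatever the FQDN group resolves to, so keep the group as small as the application allows, and since the addresses come from DNS you should check what the group currently resolves to when the alerts return rather than hard-coding them.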
