EAP2: Please try this IPS scanning enhancement

Since version 18, Sophos Firewall has been able to do port-agnostic SSL/TLS decryption and web filtering. This extends our inspection for web threats beyond ports 80 and 443. We've used this ability to release IPS signatures that can detect some HTTP attacks in decrypted traffic on any port.

In version 19, we've introduced a feature that will apply a broader range of web-related IPS signatures to decrypted TLS traffic, regardless of the port. Overall this provides a significant enhancement in our ability to protect against attacks that may try to circumvent regular IPS protection.

The feature is not enabled by default yet. We would really like to get some more exposure to a wider range of situations and traffic.

If you're using EAP2 and TLS decryption, it would be great if you could turn this feature on. Here's how to do it:

  • Connect to the device console using SSH, or using the 'Console' option in the drop-down menu in the top-right of the Control Center
  • Enter the admin password, then select option 4 - Device Console from the Main Menu
  • Enter the following command at the console> prompt:

console> set ips scan_decrypted_port_agnostic on

  • There will be a small delay while the configuration is changed and the IPS engine reloads

Enabling this feature may lead to an increase in the number of IPS signature events on your Firewall. Each firewall sends telemetry to SophosLabs when IPS signatures fire, enabling us to respond to potential false positives very quickly and update signature sets.

You can disable this feature again if necessary with the following command:

console> set ips scan_decrypted_port_agnostic off

Thanks for your help! Please feel free to tell us about your experiences in responses to this post.



[edited by: RichBaldry at 6:10 PM (GMT -8) on 2 Feb 2022]
  • Maybe a false positive:

    Running a Twitch stream and trying to show it in Stream-Manager blocks the preview in Chrome v98.0.4758.82

    2022-02-09 14:37:56 IPS messageid="07002" log_type="IDP" log_component="Signatures" log_subtype="Drop" ips_policy="" ips_policy_id="5" fw_rule_id="12" fw_rule_name="LAN to WAN" fw_rule_section="Local rule" user="majo-ryzen" sig_id="18484" message="FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt" classification="Attempted User Privilege Gain" rule_priority="2" src_ip="23.160.0.254" src_country="USA" dst_ip="192.168.2.84" dst_country="R1" protocol="TCP" src_port="443" dst_port="55595" OS="Mac,Windows" category="file-multimedia" victim="Client
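
One way to keep track of the extra IPS events after turning the feature on, as an added example that is not part of the original posts and is not Sophos code: it parses log lines in the key="value" layout of the entry quoted above, counts drops per signature, and tolerates a final field that was cut off. The field names come from that entry; the sample lines, signature IDs and addresses are constructed, and treating "neither port is 80 or 443" as the traffic outside the standard web ports is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of the entry quoted above.
# Signature IDs, names and addresses are made up; the third line is cut off
# mid-value, the way the quoted entry ends at victim="Client.
SAMPLE_LOG = [
    '2022-02-09 14:37:56 IPS messageid="07002" log_type="IDP" log_subtype="Drop" sig_id="900001" '
    'message="EXAMPLE signature A" src_ip="198.51.100.7" src_port="443" dst_port="55595" victim="Client"',
    '2022-02-09 14:41:02 IPS messageid="07002" log_type="IDP" log_subtype="Drop" sig_id="900001" '
    'message="EXAMPLE signature A" src_ip="198.51.100.9" src_port="8443" dst_port="51000" victim="Client"',
    '2022-02-09 14:45:30 IPS messageid="07002" log_type="IDP" log_subtype="Drop" sig_id="900002" '
    'message="EXAMPLE signature B" src_ip="192.0.2.10" src_port="50122" dst_port="8080" victim="Server',
    '2022-02-09 14:50:11 IPS messageid="07001" log_type="IDP" log_subtype="Detect" sig_id="900003" '
    'message="EXAMPLE signature C" src_ip="192.0.2.11" src_port="50200" dst_port="443" victim="Server"',
]

FIELD = re.compile(r'(\w+)="([^"]*)("?)')  # third group is empty when the closing quote is missing
WEB_PORTS = {"80", "443"}

def parse_line(line):
    """Return (fields, truncated_keys) for one key="value" log line."""
    fields, truncated = {}, []
    for key, value, closing in FIELD.findall(line):
        fields[key] = value
        if not closing:  # value ran to end of line without a closing quote
            truncated.append(key)
    return fields, truncated

def summarize(lines):
    """Count dropped IDP events per signature; split out those off ports 80/443."""
    by_sig, off_web_ports, incomplete = Counter(), Counter(), 0
    for line in lines:
        fields, truncated = parse_line(line)
        if fields.get("log_type") != "IDP" or fields.get("log_subtype") != "Drop":
            continue
        incomplete += bool(truncated)
        sig = (fields.get("sig_id", "?"), fields.get("message", "?"))
        by_sig[sig] += 1
        ports = {fields.get("src_port"), fields.get("dst_port")}
        if None not in ports and not ports & WEB_PORTS:  # heuristic, see lead-in
            off_web_ports[sig] += 1
    return by_sig, off_web_ports, incomplete

if __name__ == "__main__":
    by_sig, off_web, incomplete = summarize(SAMPLE_LOG)
    for (sig_id, message), n in by_sig.most_common():
        print(f"{n:3d}  sig_id={sig_id}  off-80/443={off_web[(sig_id, message)]}  {message}")
    print(f"{incomplete} line(s) had a truncated field")
```

Comparing the per-signature counts from before and after the setting change shows which signatures started firing, which is the detail to include when reporting a suspected false positive.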
