Hello Community, We have a UTM SG430 and 1GBit/s internet connection. Now I have noticed that IPS a. prevents the line from being fully utilized. b. Long response times (100ms-500ms) and even packet loss occur when the WAN interface is heavily utilized…
An IP is trying to make a connection to a malicious domain. But the issue is that the IP from which the connection is going is my WAN link interface.
It means all internal machines are getting access to the internet by this, and a lot of the machines in my network are not updated…
Hello all,
Maybe a silly question, however, in the IPS service:
Do we need to include the RED networks for remote offices as well? Similarly, do they (RED networks) need to be listed in the Firewall rule for Teams and the like:
Finally, besides…
Just installed Sophos UTM 9.707-5 in ESXi VMware.
When starting Intrusion Prevention I see in the console:
/usr/bin/chroot: failed to run command '/sbin/snort' no such file or directory
I have SSH'd into the UTM and checked; snort can't be found…
Keep receiving Sophos Critical Notification Alert emails for Intrusion Prevention Alerts
We use OpenDNS DNS host servers as our primary DNS and secondary DNS. All these alerts are for outbound traffic from desktop computers to the OpenDNS DNS host servers…
Hi,
Suddenly I am not able to access the Internet because of the below on my Sophos XG FW. The source IP is the Sophos interface to the ISP.
This suddenly happened a few hours ago. What do I need to do?
Good night. I think someone can help me. I have received alerts from my internet provider that they are observing attacks on my IP, and I went to check the packets on the firewall and noticed that I receive too many DoS attack attempts and Firewall…
Hi there
We're seeing some IPS alerts with SID number 1170419080 - "SERVER-ORACLE Oracle MySQL sql_authentication Integer Overflow". How can I find more information about this? On Sophos UTM I can look up the Snort ID and the alert email usually contains…
Hello community. I'm trying to set up the DoS Protection, but I'm not sure about the values to set.
With 100 MB/s of internet speed, what should the numbers be?
I tried to set these numbers, but it is still dropping a lot of good traffic: Packet rate per…
Hi all. I have a custom built router using a Gigabyte J1900N-D3V board. To cut it short, inter-VLAN traffic is limited to about 200 Mbit, but the CPU utilization only ever hits ~30%. Of course standard snort does not take advantage of the multiple cores…
Hi,
about Sophos IPS and the recently hyped CVE "Ping of Death" / "Bad Neighbor":
Snort has detections for the attack on CVE-2020-16898 / CVE-2020-16899
Those are: https://www.snort.org/rule_docs/1-55984 https://www.snort.org/rule_docs/1-55993
There…
Hello, I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection; with and without Intrusion Prevention enabled: Enabled…
NOTE: This looks to be the same issue as https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/100393/invalid-tcp-rst/372613 but in that thread people are saying this error message is normal. It is NOT and although the log entry might…
Dear All,
I have configured a DoS policy and I can see the packets dropped by the DDoS protection, but where can I see the logs?
I tried to find them in the IPS, System and Firewall logs but no luck. Please help.
Hello,
I recently configured a Sophos XG home device for use and it has been working great, except for one issue (so far):
Siri doesn't seem to work correctly with our at home setup. We have a Lutron Caseta smart lighting system throughout the home…
Dear All,
There is an action in the IPS policy "Bypass Session", and as per the documents: "Bypass Session - Allows the entire session if it detects any traffic that matches the signature." The recommendation for the same is:
"To save resources and avoid…
I have noticed that my Tivo is being flagged by the IPS with "Apache HTTP Server mod_rpaf x-forwarded-for Denial of Service." There were 27 instances yesterday, with 3 noted IP address targets. Is this a false positive or something that I should be concerned…
Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into:
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule…
Hi there,
Just been nmap'ing the WAN port of an XG, with pretty much the default configuration and no DNAT/SNAT or any services in the protected zone opened at all. The scan reveals the port 8094/tcp and further reveals that the service SSL certificate…
Hi,
since I have been using XG, I am always getting IPS alerts, and I am concerned, because I don't know the reason for these alerts.
Are IPS alerts an alert about accessing websites with vulnerabilities or outdated software, or does an IPS alert mean…
Dear All,
Can anyone please explain the IPS actions like drop, reset, disable, etc.?
And can we block the detected blacklist IPs for 30 minutes, and where can I find the IPS blacklist IPs?
Good morning everybody!
I have many IPS alerts, is that normal?
And not all of the victims' IPs are in my network!
I use the LAN_TO_WAN standard IPS policy!
I have IPS working and scanning HTTP and HTTPS traffic. Using the EICAR test files ( http://www.eicar.org/85-0-Download.html ) I get a blocked warning from the XG firewall on Chrome for all 8 variants of the malware test file. On the Edge browser I get…
Hi,
We have had our new XG310 in for about a week now, it has mostly been going ok.
Just today though, outgoing attachments from Outlook all of a sudden stopped sending. (Stayed in Outbox)
I found that all of a sudden, IPS was blocking traffic to…