Keep on getting this notification email every 5 minutes from XGS2100 firewall. Affects only one user's computer. FILE-OFFICE Microsoft MSHTML ActiveX control bypass attempt. It started this morning. Please assist. These four IP's external are listed so…

Disclaimer : This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Table of Contents Overview Log Viewer Firewall (Invalid…

Hello, i am reciving many Notifications like Message: BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt Mostly i look up it has something to do with some kind of advertisement api from google or other cloud services…

Hello, in our company we got about 60-80 users. Each department got his own vlan running over one port. XGS2100 (SFOS 19.0.1 MR-1-Build365) Over the year i was setting up the sopho xg and adding all Firewall rules, like all department are in one…

Hi folks, I started investigating why the XG115W was showing high CPU load, normally around 5%, but now showing over 20% for extended peraiod. I checked the ATP, Avira, Sophos AV and Sophos anti spam, All but Anti spam last updated early yesterday…

Hi guys, How to write custom IPS signatures for blocking applications? I have found a few VPNs which are not on the application control list and I would like to block them. Regards

So, while setting up IPS on the system, I want to *block* the usual badness including scanners, etc. However, I have regular vulnerability scanning done by US DHS/CISA as part of their Cyber Hygeine program, and they scan regularly. As such, using scanner…

There is a critical 0-Day exploit for Exchange already being exploited, which is pretty much the same as the "ProxyShell" vulnerability in March. How can I check if the mitigation is already working with Snort or IPS rules? https://gteltsc.vn/blog…

So I have IPS protection turned on as shown below: I know that the pattern is updating as shown below: So I have 2 questions. 1. Shouldn't the 'Time of signature update' change dates when IPS and Application signatures are updated? Mine doesn…

Hi, Not sure if this is a cosmetic issue, or something that needs further investigation - the IPS signatures are being reported in one part of the GUI as being old, but yet updated in another screen. Here it's showing Aug 26th But in this…

We have noticed that connections are sometimes interrupted for a period of 5 minutes. It is then not possible to establish new connections (external / internal) via Sophos. This happens 1-2 times per day and always at a different time. I went through…

Hi folks, over the last week or so I have noticed previously fixed issues with applications being incorrectly classified returning in my daily reports. Manual proxy surfing and thunder VPN. Why are these previously resolved issues appearing, does…

i turned off ips but as the screenshot shows there are 3 snort services that each one uses 10% of memory so even inmy network there is just 30 users , the memory usage is higher than 70% what should we do to lower the usage of snort services?

Hi folks, v19.0.1 MR-1 IPS service has stopped and will not restart, the error message is the process is taking too long. There are no entries in the Logviewer -> system log indicating any issues. Next step please. Update :- after two attempts…

The following article fixed the issue. - EXCELENT https://community.sophos.com/sophos-xg-firewall/f/discussions/129676/sophos-firewall---extremely-poor-bandwidth-when-dos-enabled/483292?focus=true Unfortunately a Sophos engineer helping us was unaware…

Is there a setting I'm missing? Every one of our several hundred firewalls always shows empty IPS logs ("No record found"), even when the firewall shows that it has been dropping packets due to flood protection. See the screenshots below.

Over the last month I have occasionally been getting a flood of IPS warnings Alert ID 7002 " Message: OS-LINUX Linux Kernel Netfilter iptables-restore Stack-based Buffer Overflow" No mention of the source, and nothing in the IPS tab of the log viewer…

How does one enable logging (so one can see it in the Log Viewer in the management web interface) of IPS events. Every time I have a IPS problem, I get email notifications but the IPS Log Viewer tab is empty - how can i get it to populate? Regards…

Hi, I'm struggling to understand an issue I'm facing. It seems like my NAS is losing few functionalities once I activate IPS (lantowan_general) in my LAN to WAN rule. I see some IP being blocked, unable to perform cloud sync, etc.. but it's not clear…

Dear Currently my firewall has a attack DoS. How to stop this attack and eliminate the source IP address of this attack. I have an XG230 in version 19 (and I can also come back in 18.5.3) Thanks a lot

I've got a ticket open for this, but have no idea how much effort is being put into it. Any extra help gratefully received or our office is going to be offline for most of the weekend. Our XG135 suddenly stopped passing almost all traffic the other…

How do I enable IPS for the data coming in as a response to client request? If I add iPS to the outbound Traffic to WAN rule will it also apply to the inbound results? I can't see where I can add it to the Traffic to WAN NAT rule.

I am getting alerts like this per mail: Alert for SFVH (SFOS 18.5.3 MR-3-Build408) Cxxxxxxxxxxxxxxxxx Device Information: Hostname: gate Management Interface IP: 10.0.0.254 Date/Time: 2022-04-10 16…

I have been receiving 2 IPS alerts regularly. The XG appears to drop the packet, but I am trying to understand the alert and make sure that I don't start disregarding alerts that need attention. The one happens several times a day. SCAN Zgrab Scanning…

Having received a warning from Sophos regarding For CVE-2022-22963 we were advised to check that the IPS rule 2306989 is added to our policy. Some of our rules use custom IPS policies, whereas others use the default ones, i.e. "LAN TO WAN" etc. …