• Internal Port Scan Detection

    Jonathan Bouchier
    I recently came across an internal port scanner that was scanning ports on our Sophos XG firewall. Somehow this scanner got on a server. I was able to find this when I got an alert that there was a failed SSH authentication. There was not an actual authentication…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • reporting send/receive mail error as Intrusion attacks on firewall

    Andromeda
    Hello there, I need help with something. When I send/receive mail in Outlook, an error message returns, and then on my firewall device, the mail server IP that I receive external service from appears as Intrusion attacks. What is the problem and how can…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • If nothing shows in ATP, IPS, Zero-Day logs how do I know if it's working?

    Wayne Folta
    In the Firewall and SSL/TLS Inspection logs I can see positive and negative results. But I see nothing at all in the ATP, IPS, App Filter, Malware, and Zero-Day logs. Would they only show negative events -- i.e. malware in a download -- or should this…
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Info on email alert notification

    Pepe Tron
    Hello everyone, I have a firewall running SFOS 18.0.5 MR-5-Build586. I am receiving email alerts when IPS detects something. Problem is, I am missing some info there. At least the source attack ip and the action that was taken. I have looked through…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • How to systematically analyze an IPS message?

    megrv
    Assume that I got the following email: This almost says nothing. The hostname above is the host name of the XG, not the source or the destination of the attack. Information that I really must have: - Source IP of attacker - Destination IP - Some…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Suffering from DoS attack according to XG from internal devices

    rfcat_vk
    Hi Folks, today the XG has decided that some of the DHCP requests are DDOS attacks and my security cameras are generating DDOS attacks. The cameras connect then immediately drop out. These cameras have been working for months. I end up with an IPS…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • When will IPS and applications be updated.

    rfcat_vk
    Hi folks, I rebuilt my XG on the 22nd of April and most firmware that I expect to update has except IPS and Application. Please advise when IPS and Application will be updated? Ian
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IP Spoofing Errors

    Wessk
    Hi, suddenly I am not able to access the Internet because of the below on my Sophos XG FW. The source IP is the Sophos interface to the ISP. This suddenly happened a few hours ago. What do I need to do?
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Custom IPS Signatures

    Vault Sec
    Hi everyone, unfortunately I was not able to find a proper answer to this anywhere. I want to create custom IPS signatures specifically for known bad hosts, so I will receive a mail alert via the notification system. My current settings for one such…
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IPS CVE-2021-26855 default action to allow

    SOMOA
    Hi, how come the default action for the IPS is to allow CVE-2021-26855 when detected? Both signature IDs 2305106 and 2305107 are set to allow packet.
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IPS Inbound SIP Trying blocked

    Thomas Rechberger
    Default IPS rule has defined: PROTOCOL-VOIP inbound 100 Trying message 20404 protocol-voip 1 - Critical Windows, Linux, Unix... Server Drop packet Thus the following is received: 2021-03-09 14:33:02IPSmessageid="07002" log_type="IDP" log_component…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IPS Signature ID links to CVE or other additional information

    MartinDamgaard
    Hi there, we're seeing some IPS alerts with SID number 1170419080 - "SERVER-ORACLE Oracle MySQL sql_authentication Integer Overflow". How can I find more information about this? On Sophos UTM I can look up the Snort ID and the alert email usually contains…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IDS rule for NMAP or other scanners

    Regex
    Hello Community! Do we have IDS signatures for port scanners like NMAP? We know that those programs can use different flags (RST, ACK, SYN, FIN...) while scanning some services, etc. Also, can someone explain to me what source and destination mean…
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IPS Policy Between 2 Trusted Networks

    Farzan Barouj
    Hello everybody, I have a question. I would like to know whether an IPS policy is logical between two trustworthy networks (VPN client and internal LAN)? Or do I not need to use an IPS policy in this case? Thanks
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Alert ID 7002

    NARAYAN BHATT
    Hi Team, I am getting more than 80 mails on a daily basis. Can someone tell me how I can resolve this issue. Device XG230 Alert ID: 7002 Message: OS-WINDOWS Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • XG 550 performance slow, high "Sessions" amount

    Josh Rogalski
    We have an XG 550 rev. 2 configured with 2 different internet connections and a 10 gig fiber card for the LAN port. We have been experiencing DDOS attacks which we have an external service mitigating. What we have found is that at certain times during…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • IPS signature warnings streaming Amazon Prime Video

    njabi
    Hi folks, I have been streaming Amazon Prime Video for a while and still encountering issues with IPS. Any device streaming video from Amazon is put under a firewall rule having IPS enabled. Sometimes I am getting a lot of warnings of the IPS module…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • ALERT: IPS Engine Update for XG Firewall v18

    PMParth
    Please note that as of January 15th, 2021, older versions of XG Firewall v18 firmware, including GA and MR1, will no longer receive IPS signature updates, as an underlying component of the IPS engine used in these versions will no longer be supported. …
    • over 3 years ago
    • Sophos Firewall
    • Release Notes & News
  • Sophos XG v18 Custom IPS signatures - multiple content values

    JoelTimm
    Dear Sophos team and users, we're actually trying to add multiple content values to a custom IPS signature rule, as indicated in the manual, but when we are saving, a warning pops up to say that the rule isn't valid. example: content:"manager…
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • RED60 VLAN bridged - blocked because of invalid traffic IP SPOOF

    LHerzog
    Hello, we have set this up for a remote location: So the same VLAN ID on both sides: behind XG and behind RED, same IP subnet. Bridge members, same zone: This is already in production and working. The RED60 users can work on internal resources…
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • IPS with webproxy/MTA/WAF

    Tomas Beran
    Hi all, I'm testing XG firewall as home user now in a side role (proxy) before putting it in as router. I have now v18.0.3. I could not find answers to question below. If IPS (Application Control) is configured in FW policy, does it work for: …
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • IPS for CVE-2020-16898 / CVE-2020-16899

    LHerzog
    Hi, about Sophos IPS and the recently hyped CVE Ping of death / bad neighbour: Snort has detections for the attack on CVE-2020-16898 / CVE-2020-16899. Those are: https://www.snort.org/rule_docs/1-55984 https://www.snort.org/rule_docs/1-55993 There…
    • Answered
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • IPS false positive with Xbox One X

    shred
    Not sure where else to post this but I got an IPS alert yesterday that is coming from my Xbox One X. Not exactly sure what caused it. I turned on my Xbox One X for the first time in a few months, downloaded some system updates as well as some game updates…
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • Is Sophos IPS able to detect CVE-2020-1472 based attacks?

    LHerzog
    CVE-2020-1472 Zerologon is about to go into the wild. Is XG able to detect those logon attacks with IPS?
    • Answered
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • Best Practice for RED Tunnel firewall rules and routes?

    john_kenny
    I've been using XG and UTM for a while now and have used RED a few times, but I've got a dedicated server now in the cloud and I installed XG on it for my edge firewall. I set up a RED tunnel from my XG to that XG but I had a Windows 2019 VM running on the…
    • over 6 years ago
    • Sophos Firewall
    • Discussions