This topic has been covered before a few times but I was hoping to get some help wrapping my head around what I'm seeing.
I tested 5 VPN configurations both with and without IPS turned on. As previously documented IPS kills basic throughput (without…
Hello Community, We have a UTM SG430 and 1GBit/s internet connection. Now I have noticed that IPS a. prevents the line from being fully utilized. b. Long response times (100ms-500ms) and even packet loss occur when the WAN interface is heavily utilized…
Hi everyone,
this is not a technical issue but a desperate call for advice.
Our Sophos UTM-firewall (firmware version: 9.816-2) is suffering from a (D)DOS-attack that is going on for several days now. Since our internet-connection only comprises of…
Our old Sophos UTM is definitely a bit on the "too small" side by now, but still, we're trying to get things running for at least an extra year or so. Right now we occasionally have issues with the UTM CPU usage going up to 100%, to the point where the…
I need to allow DNS lookups for a particular .tk domain.
I read this old thread but "Add an Exception for wiki.tcl.tk in 'Advanced Protection >> Advanced Threat Protection'" doesn't work. The DNS lookup traffic is still blocked.
I'm in the same situation…
Hello,
Following a reboot of our servers, we are no longer able to access several internal and external services (VPN, telephony, User portal)
I am neither a network expert nor an advanced user of Sophos solutions, but I will gladly provide you with…
Hello all,
May be a silly question, however, in the IPS service:
Do we need to include the RED networks for remote offices as well? Similarly, do they (RED networks) need to be listed in the Firewall rule for Teams and the like:
Finally, besides…
Hi,
yesterday (Sunday) at 3 am SNORT stopped working, with the result that internal nets couldn't reach the Internet anymore. In the logs I found
FATAL ERROR: Failed to load /usr/lib/snort/so_rules//file-java.so: /usr/lib/snort/so_rules//file-java.so:…
Hi all!
We are using SSL VPN and facing severe performance issues all the time. When using RDP, the desktop sometimes freezes and copying files to and from the remote desktop takes very long (about 1MB/s, the connections are capable of 10MB/s (home…
First alert we had from rule SID 20842 was on 23 Nov at 17:39 GMT. Since then have had 230 alerts to around 50 different Windows 10 hosts, all this rule, 29 different IP source addresses, all source port 80, various destination ports.
Looking up the…
Hi everyone,
we are having issues with the customer's Skype for Business (still on prem) because of IPS.
After a while the voice stops and our users at the office (it is working from home or on a data plan) cannot use VoIP anymore.
The IPS log shows the IP…
Ok, so how specifically do I 'set the corresponding intrusion protection rule to "drop" in WebAdmin' per the alert email below I received?
There is no 'rule' identified in the alert. Am I supposed to infer that 58442 in the snort link is the rule…
I can see IPS log entries when I manually inspect the IPS log files but the IPS portion of the daily executive report has been blank for months. I used to see IPS entries in almost every daily report.
Also, zero is reported for all IPS statistics on…
Hi Community.
I did a hardware refresh of a SG125.
Created a backup on my "old" appliance, started the new one, updated to the latest version and imported the backup.
After some time the connection to the internet got lost (could not resolve DNS…
Just deployed a few UTM units at the customer site. They are all set up identically. One of the units is having trouble enabling IPS. When IPS is disabled, everything works fine. However, as soon as I enable the IPS, the internal networks lose internet…
In the last 2 days we received several ATP Mail alerts from the UTM.
The hostname / IP shown in the mail is not listed in the ATP Log but I can see the IP of the host on the ATP Dashboard (Advanced Protection Statistics) in webadmin.
There is no exception…
Since the installation of u2d-aptp-9.36793 on 2020:09:09 our ATP module is showing almost daily attacks but from external IPs only.
ATP should only show internal IPs. The destination IP in all cases was a DNS Server of ours in the DMZ.
2020:09:09…
Hi,
I am trying to run speedtests via speedtest_cli on one of my boxes to regularly check the actually available speed my ISP provides.
Now the download speed is limited by my Sophos UTM box (9.510-4) by snort going to 100%. If I turn off IPS I…
Every once in a while I get a hit in Advanced Threat Protection for C2/Zbot-A. Those are single hits, with pretty benign destinations (usually targeting one of the DNS servers used by our infrastructure). The first time it happened I scanned the specific…
So, I inherited the current UTM 9 config and have been working on updating the definitions (some were out of date, some were no longer needed, etc). I found a large group called "Google Server Group" with the following entries:
accounts.google.com apps…
Hello together!
When I want to download apps from the Windows 10 Store, only a few MB are downloaded and then the download stops ..
In the IPS Log I always found "MALWARE-OTHER Executable control panel file download request" (SID=33942) this Event…
We recently discovered that our UTM was blocking packets that we needed for VoIP.
RTP packets were being discarded because IPS detected a UDP Flood Attack. The issue was difficult to find because the UTM was only discarding a relatively small number…
Hi guys, I keep getting the following alert and just wondered if it was anything to worry about / look further into:
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule…
Hi there, I've spent a little time testing the IPS offloading or load balancing behaviors while in a High Availability Cluster setup (Active/Active). I've set up two VMs on an ESXi 6.5 physical host. VMs have all the same networks, nics, ram, disks and…