We are in the final stages of preparing an update to the IPS engine used by SG UTM. We are upgrading to version 2.9.17 of Snort and are offering early access to the new release for customers who would like to try it out immediately.
Updates to the Snort IPS Engine are delivered as part of your up2date pattern packages. This ensures that you get updates to IPS detection even if you are still running an older UTM firmware image. It means that we can continue to efficiently deliver a single set of signatures to all our customers.
We always perform extensive internal tests on new versions of the Snort engine before we roll them out. This version is no exception to that.
However, since version 2.9.17 of Snort introduces changes in more sensitive areas than with previous updates, we have decided to stage the rollout of the new engine. It will still be delivered via up2date, but it will be delivered alongside the old engine for a time. UTMs will be automatically switched over to the new engine in stages over the coming weeks, so that we can quickly respond to any unforeseen issues.
September 16, 2021: New engine included in up2date pattern packages, available for testing but not enabled by default
September 21, 2021: New engine enabled selectively for some UTMs
September 28 onward: Gradual increase in the number of UTMs using the new engine
We aim to complete the rollout for all devices in early October.
Customers running version 9.707 of the UTM firmware can choose to switch to the new engine immediately. If you would like to do this, please contact Sophos support.
Hi, will it be possible to see if the new engine is activated in the GUI (or logs)?
You should be able to see this in the IPS log.
To do this from WebAdmin, go to Logging & Reporting > View Log Files and select the Search Log Files tab.
Under "Select log file to search", choose "Intrusion Prevention System"
In search term, enter "Version"
Select a time frame that would include the last likely time that the IPS system updated or restarted - if you don't get a match with the default time period, try extending it back.
In the search results, find the most recent line that looks like this:
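The same check done from a shell, as an added example that is not from the original thread or from Sophos: it pulls the most recent "Version" line out of IPS log text and reports whether the engine is 2.9.17 or newer. The log path (/var/log/ips.log) and the exact line format are assumptions; the sample lines are constructed to resemble the Snort start-up banner, so compare the regex against the real line WebAdmin shows you before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sophos.
# Goal: find the most recent "Version" line in the IPS log and decide
# whether the new Snort engine (2.9.17+) is the one that last started.

# Constructed sample standing in for /var/log/ips.log (assumed path).
# The line format mimics the Snort 2.9.x start-up banner; verify against
# your own UTM's log before using the regex below on real data.
SAMPLE_IPS_LOG='2021:09:16-10:02:11 utm snort[1234]:        --== Initializing Snort ==--
2021:09:16-10:02:11 utm snort[1234]:    Version 2.9.11 GRE (Build 125)
2021:09:16-10:02:12 utm snort[1234]: Commencing packet processing (pid=1234)
2021:09:22-03:15:40 utm snort[5678]:        --== Initializing Snort ==--
2021:09:22-03:15:40 utm snort[5678]:    Version 2.9.17 GRE (Build 199)
2021:09:22-03:15:41 utm snort[5678]: Commencing packet processing (pid=5678)'

# Read log text on stdin; print the version number from the last "Version"
# line (the most recent engine start), or nothing if there is no such line.
latest_snort_version() {
    grep 'Version' | tail -n 1 | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Compares segment by segment numerically, so 2.9.17 > 2.9.9.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# is_new_engine VERSION: exit 0 when VERSION is 2.9.17 or later.
# An empty version (no banner found) is treated as "not confirmed new".
is_new_engine() {
    [ -n "$1" ] || return 1
    version_ge "$1" "2.9.17"
}

# Summarise the sample log in one line; on a real UTM, replace the
# printf with: cat /var/log/ips.log
report_engine() {
    v=$(printf '%s\n' "$SAMPLE_IPS_LOG" | latest_snort_version)
    if is_new_engine "$v"; then
        echo "new engine active: Snort $v"
    else
        echo "old engine (or no version line found): Snort ${v:-unknown}"
    fi
}

report_engine
```

Because the search only finds the banner from the last engine start, a UTM that has not restarted IPS since the new package arrived will still report the old version; that matches the staged rollout described in the announcement, where the new engine ships alongside the old one before being switched on.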
I'm seeing this as of yesterday:
Firmware Up2Date installation failed: IPS pattern installation was not successful but will keep trying to install. During this time IPS might not be active. Please inspect the UTM if you keep getting this message!
Please check the up2date log file for detailed information.
I'm assuming this is the new update and it's failing? My version is still old.
Is it possible for you to provide me with the contents of the up2date.log? This can be found within the following directory: /var/log/up2date.log
I will reach out to you via DM to provide options for you to upload the logs.
Have sent you the logs as requested.