This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM: After Update to 9.719 IPS not working and Snort not running

SZSZ 8 months ago

After update to version 9.719 IPS not working properly anymore. Every 10 minutes snort not running - restarted messages.

This thread was automatically locked due to age.

Top Replies

emmosophos 8 months ago +5 verified

Hello Community, If you are being affected by this, please run the following command from root # cc set ips snortsettings disable_normalization 1 And confirm the setting has changed to 1 by running…

Parents

0 Vivek Jagad 8 months ago

Hey SZSZ ,

Thank you for reaching out to the community, during that can you check with atop if other services are too getting impacted ?
REF - A guide to recording UTM process usage using atop.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 SZSZ 8 months ago in reply to Vivek Jagad

I can't see any abnormalities. Approx 30 minutes after reactivating IPS, the UTM "goes crazy" since the update.
Cancel
Vote Up 0 Vote Down

Cancel
0 SZSZ 8 months ago in reply to Vivek Jagad

I know all that. But that doesn't solve the problem after your last update. What have you changed so that it no longer works since yesterday's update?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to SZSZ

Have we tried a normal reboot or postgres check ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 SZSZ 8 months ago in reply to Vivek Jagad

Normal reboot several times. I do not know PostgreSQL-Check. I have always done a rebuild in the past. But maybe we shouldn't do that. What do you mean by PostgresSQL check?
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to SZSZ

just check the status: ps aux | grep postgres

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 SZSZ 8 months ago in reply to Vivek Jagad
utm:/root postgres 2437 0.0 0.1 1112976 11588 ? postgres 4117 0.0 0.5 1109492 47092 ? postgres 4119 0.0 2.2 1110132 186208 ? postgres 4120 0.0 0.0 1110008 7488 ? postgres 4121 0.0 0.2 1110008 17244 ? postgres 4122 0.0 0.0 1110756 2188 ? postgres 4123 0.0 0.0 10292 760 ? postgres 4124 0.0 0.0 10564 1076 ? postgres 5315 0.0 0.0 1112736 6336 ? postgres 5800 0.0 0.0 1112512 5696 ? postgres 5844 0.0 0.4 1112836 33872 ? postgres 7339 0.0 0.0 1112596 5760 ? postgres 7341 0.0 0.0 1112620 5624 ? root 8578 0.0 0.0 5944 756 pts/0 postgres 18363 0.0 0.2 1113964 20856 ? postgres 24931 0.0 0.0 1112616 5656 ? postgres 27580 0.1 1.6 1113164 134872 ? postgres 30213 0.0 0.0 1112508 4284 ? postgres 30216 0.0 0.0 1112508 4284 ? postgres 30217 0.0 0.0 1112784 5904 ? postgres 30218 0.0 0.0 1112508 3708 ? postgres 30271 0.0 0.0 1112628 4908 ? postgres 30332 0.0 0.0 1112628 4912 ? postgres 31235 0.0 0.0 1112520 4108 ? postgres 31237 0.0 0.0 1112572 4992 ?
# ps aux | grep postgres Ss 00:05 0:00 postgres: reporting reporting [local] idle S Mar05 0:02 /usr/pgsql92/bin/postgres -D /var/storage/pgsql92/data Ss Mar05 0:08 postgres: checkpointer process Ss Mar05 0:00 postgres: writer process Ss Mar05 0:11 postgres: wal writer process Ss Mar05 0:01 postgres: autovacuum launcher process Ss Mar05 0:00 postgres: archiver process last was 00000001000002A900000006 Ss Mar05 0:08 postgres: stats collector process Ss Mar05 0:01 postgres: hotspot hotspot 127.0.0.1(58637) idle Ss Mar05 0:00 postgres: smtp smtp 127.0.0.1(58657) idle Ss Mar05 0:03 postgres: smtp smtp 127.0.0.1(58659) idle Ss 15:15 0:00 postgres: smtp smtp 127.0.0.1(35231) idle Ss 15:15 0:00 postgres: smtp smtp 127.0.0.1(35233) idle S+ 15:16 0:00 grep postgres Ss 08:16 0:01 postgres: smtp smtp 127.0.0.1(48661) idle Ss 07:14 0:00 postgres: hotspot hotspot 127.0.0.1(46867) idle Ss Mar05 1:52 postgres: reporting reporting [local] idle Ss 00:00 0:00 postgres: smtp smtp [local] idle Ss 00:00 0:00 postgres: smtp smtp [local] idle Ss 00:00 0:00 postgres: reporting reporting [local] idle Ss 00:00 0:00 postgres: reporting reporting [local] idle Ss 00:00 0:00 postgres: hotspot hotspot [local] idle Ss 00:00 0:00 postgres: hotspot hotspot [local] idle Ss 00:00 0:00 postgres: sandbox sandbox [local] idle Ss 00:00 0:00 postgres: sandbox sandbox [local] idle
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to SZSZ

Looks perfectly normal...

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 SimRad 8 months ago in reply to Vivek Jagad

Same here, on SG210 and SG135. Every view hours snort not running - restarted, and with that most VPN connections are cutted for a moment. OpenVPN and IPsec.

But on SG115 and SG105 no problems.
Cancel
Vote Up 0 Vote Down

Cancel
0 SZSZ 8 months ago in reply to SimRad

Vivek Jagad It seems to be a general problem. When will there be a bugfix? It can't stay like this.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad 8 months ago in reply to SZSZ

Hey SZSZ request you to please log a service request so that we can get it expedited with support.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel

0 AdminFUAS 8 months ago in reply to SZSZ

Same here, with SG330 HA Cluster.

Sometimes the Snort process crashes after 2-3 minutes, sometimes it takes 10-20 minutes.
In addition, a node is shown as unlinked since the update.
All network links look good though. Reboot doesn't change either behavior.

Reply

0 AdminFUAS 8 months ago in reply to SZSZ

Same here, with SG330 HA Cluster.

Sometimes the Snort process crashes after 2-3 minutes, sometimes it takes 10-20 minutes.
In addition, a node is shown as unlinked since the update.
All network links look good though. Reboot doesn't change either behavior.

Children

No Data