Is there any way to make certain policies stateless rather than stateful?
Yes, we know what it means and the reasons behind both, so we are not looking for lectures or an opinion. Just a yes or a no.
Please advise, thank you.
As far as I know ... no.
There is no option for it in the GUI, and the design is made for stateful inspection.
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
How about via command?
We know because the errors end up in the kernel logs and various other logs throughout the years. Overall, the Sophos GUI is great and user friendly, but the actual software that handles traffic is a disaster when it comes to our business. It's been the biggest pain on our network and we wish we could easily swap it out right now, but we can't without major downtime. I won't mention how we originally purchased 10GbE modules only for them not to work properly. Endless back and forth with the useless Sophos support, and the only solution was to downgrade to 1GbE.
If not for Arbor DDoS in the cloud plus an on-premise device, this Sophos box would be down on a daily basis. As mentioned, 10 Mbps can knock it offline. The datasheet/advertising is just a blatant lie. It can't handle gigabits of traffic when there are other limitations that cause downtime at 10 Mbps.
Right now we don't use Sophos for any protection. We have every security measure disabled that we can, other than the typical policies that are just ACL rules. And even those are causing issues as per this thread post.
Dirk, with your logic we wouldn't be up if the Sophos didn't exist. But that's not the case because we can remove Sophos and have a server connected straight to the internet. So where is the session being handled then?
I'm talking about session handling / tracking within Sophos. That is what the issue is. Not how the internet works.
Connection usage when things are working smoothly:
When things go awry this either shoots up or it just gets completely F-ed up. And it's all due to session/conn handling and tracking. I will try to find some logs for you guys to see.
Just out of interest, what size / model of SG are you using?
We've been through it all. The 650, 625, 450, etc.
It's all the same issue.
These are old, but they are one of MANY DOZENS of DIFFERENT types of errors found in the kernel logs. Honestly, we eventually stopped trying to go after each and every one because support wasn't adequate. Example:
2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11340 scbs remain. memcap: 8387435/8388608
2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 2 sessions from cache for memcap. 11338 scbs remain. memcap: 8387442/8388608
2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11337 scbs remain. memcap: 8387228/8388608
2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11333 scbs remain. memcap: 8388621/8388608
2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11328 scbs remain. memcap: 8389773/8388608
Most issues, however, were to do with 'conntrack' errors. As mentioned, a 10 Mbps flood can cause many issues.
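The lines quoted above are Snort Stream5 (S5) memcap-pruning messages from the IPS, not conntrack errors from the kernel, so they are worth tracking on their own as a sign of IPS session-table pressure. As an added example (not from this thread, Sophos, or Snort), the Python below parses those five lines and flags the prunes where the reported usage is already above the configured memcap, which is the point at which pruning is no longer keeping up:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the Snort Stream5 (S5) memcap-pruning lines quoted in the post above.
S5_PRUNE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>snort_\d+_): "
    r"S5: Pruned (?P<pruned>\d+) sessions from cache for memcap\. "
    r"(?P<scbs>\d+) scbs remain\. memcap: (?P<used>\d+)/(?P<limit>\d+)$"
)

@dataclass
class S5Prune:
    timestamp: str
    host: str
    pruned: int            # sessions dropped from the Stream5 cache
    scbs_remaining: int    # session control blocks still tracked after the prune
    memcap_used: int       # bytes in use when the prune happened
    memcap_limit: int      # configured Stream5 memcap in bytes

    @property
    def over_limit(self) -> bool:
        # Usage reported above the memcap means pruning is not keeping up.
        return self.memcap_used > self.memcap_limit

def parse_s5_line(line: str) -> Optional[S5Prune]:
    # Returns None for any line that is not an S5 memcap-pruning message.
    m = S5_PRUNE_RE.match(line.strip())
    if not m:
        return None
    return S5Prune(m["ts"], m["host"], int(m["pruned"]), int(m["scbs"]),
                   int(m["used"]), int(m["limit"]))

def summarize(lines: Iterable[str]) -> dict:
    # Aggregate prune events; the counts are what an alert threshold would key on.
    events: List[S5Prune] = [e for e in map(parse_s5_line, lines) if e is not None]
    return {
        "events": len(events),
        "sessions_pruned": sum(e.pruned for e in events),
        "over_limit_events": sum(1 for e in events if e.over_limit),
        "peak_memcap_used": max((e.memcap_used for e in events), default=None),
    }

# Sample input: the five lines quoted in the post above, split at the timestamps.
SAMPLE_LOG = [
    "2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11340 scbs remain. memcap: 8387435/8388608",
    "2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 2 sessions from cache for memcap. 11338 scbs remain. memcap: 8387442/8388608",
    "2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 1 sessions from cache for memcap. 11337 scbs remain. memcap: 8387228/8388608",
    "2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11333 scbs remain. memcap: 8388621/8388608",
    "2015:07:20-02:29:13 asg1 snort_5069_: S5: Pruned 5 sessions from cache for memcap. 11328 scbs remain. memcap: 8389773/8388608",
]
```

Running `summarize(SAMPLE_LOG)` on the quoted lines reports 14 sessions pruned in one second and two prunes that happened with usage already above the memcap.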
Matt, what does your Sophos reseller Partner say about this? Did they create the support case with Sophos or did you?
The log you just showed is from IPS and is not the system log. Do you have a recent example of relevant lines in the system and fallback logs?
Cheers - Bob
Maybe we should have you as our partner.
They don't have a damn clue. Once it got past sales, it's like they have no clue whatsoever.
Unfortunately, there have been a few issues over the last few months, but I didn't save the logs. Next time it comes up I'll post it here. We bought the Arbor device to place in front of Sophos to protect us, which does the bulk of the job. However, if we removed that I know we'd have issues almost on a daily basis. I can't disable it since it's on the production environment.
Now it's just that once in a blue moon time where the Sophos becomes the bottleneck. Got a direct contact? If you do partner support / consulting we'll be glad to pay.
I created the support case but all the support tickets are not accessible for some reason. Thus I cannot get the info from them.
Thanks for the invitation, Matt - you have a PM.