I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source. Firmware is 17.1.3 MR3
Hi,
Can you share some screenshots of these alerts?
__________________________________________________________________________________________________________________
Exact same issue here. Updated to 17.1.3 MR-3 early today and have over 5000 of these in the IPS log. Cannot seem to track down the signature in the IPS policy.
This is new to me. But as far as I can see, this seems to be the same type as invalid traffic on XG.
https://community.sophos.com/kb/en-us/131754
Try to increase the Timeout value and keep an eye on those alerts.
Open up a Support Case to get an "official" answer to it.
Thanks for the reply. I'll give the timeout change a try. I am getting more of these showing now. All are TCP related. The connections appear to be to CDNs.
I saw that KB article yesterday, but since I never used a version pre 17.x the notifications are enabled for all devices at our customers. The screenshots above are from a customer with 4 employees, we are talking about a network with 26 devices.
Gruß / Regards,
Kevin
Sophos CE/CA (XG+UTM), Gold Partner
The KBA is pointing out the fact of invalid traffic after V17.0 - not pre V17.0.
Checked all my appliances, none of these are showing those alerts. But I use a timeout value of 24 hours.
Just wanted to point out that I don't know that issue on my other XG appliances. Since I had another problem with that device I wanted to do a firmware downgrade, which resulted in losing most of its configuration. I configured the same rules and IPS configuration on 17.0.9 and until now (2 days) everything is OK, not a single "Reset outside window"...
We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was disabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3
Any chance you can post the rule responsible for this? I can't seem to find it.
Hi Ryan Collis
[Update] This KBA has been published for this issue.
Regards,