I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.Firmware is 17.1.3 MR3
can you share some screenshots of this alerts?
Exact same issue here. Updated to 17.1.3 MR-3 early today and have over 5000 of these in the IPS log. Cannot seem to track down the signature in the IPS policy.
This is new to me. But as far as i can see, this seems to be the same type like invalid traffic on XG.
Try to increase the Timeout value and keep an eye on those alerts.
Open up an Support Case to get an "official" answer to it.
Thanks for the reply. ill give the timeout change a try. I am getting more of these showing now. All are TCP related. The connections appear to be to CDNs
I saw that KB article yesterday, but since I never used a version pre 17.x the notifications are enabled for all devices at our customers. The screenshots above are from a customer with 4 employees, we are talking about a network with 26 devices.
Gruß / Regards,
KevinSophos CE/CA (XG+UTM), Gold Partner
The KBA is pointing about the fact of invalid traffic after V17.0 - not pre V17.0
Checked all my appliances, none of these are showing those alerts. But i use a timeout value of 24 hours.
Just wanted to point out that I don't know that issue on my other XG appliances. Since I had another problem with that device I wanted to do a firmware downgrade, which resulted in losing most of it's configuration. I configured the same rules and IPS configuration on 17.0.9 and until now (2 days) everything is OK, not a single "Reset outside window"...
We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was diasabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3
Any chance you can post the rule responsible for this? I can't seem to find it.
Hi Ryan Collis
[Update] This KBA has been published for this issue.