Reset outside window - false alarm?

Question

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source. Firmware is 17.1.3 MR3

FloSupport · Accepted Answer

Hi Ryan Collis 
 [Update] This KBA has been published for this issue. 
 Regards,

Jaydeep · Answer

Hello Everyone, 
 We have an update. TCP anomalies detection will be disabled by default starting from v17.5 MR-8. Please check the updated article: Sophos XG Firewall: ​IPS causing drops to legitimate traffic and filling the IPS log

Pascal G · Answer

Hello, After I have solved some of the IPS errors with the update 17.1.3 for me once I have with some appliances in the LOG still the message "Reset ouside Window". 
 After a few tests of the configuration and comparison of the rules I noticed the point in the CLI. 
 
 On the left side I do not receive the message in the IPS log. In the right today already 7k. 
 the difference would be "Detect_Anomalies" and "TCP_Block" 
 Is this just an information or a value that you can edit? And if so how? Would like to test it with a smaller appliance on which I also get this error. 
 And just for information: The 2 appliances are completely the same configuration, both are each behind a SG with also identical configuration. 
 Would be great if someone has an idea about it. Then I could test this. 
 Thanks and best regards

LuCar Toni · Answer

You took the wrong path. Do not use update and ips_conf. Instead use ips. 
 console> set ips tcp_option detect_anomalies disable

Pascal G · Answer

Ahhh thanks :) It had tried so because it was not displayed to me with tab as an option. 
 But that actually seems to cause it. After the change no "Reset outside window" messages in the IPS log. 
 Now set up your own IPS rules for existing firewall rules and then that's ok. 
 Thank you and best regards

FloSupport · Answer

To update our community, 
 This is being investigated under the issue ID: NC-39687 
 We will publishing more information shortly, please stay tuned. 
 Regards,

Pascal G · Answer

solution in the KB article ;) 
 community.sophos.com/.../133096

Paul Digby · Answer

SFOS v17.1.4 MR4 released and can retrieve from MySophos https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-1-4-mr4-released

Dalibor Vinkić · Answer

I have two XG applainces, one 310 and 105w. On the XG310 17.5.0 GA and on XG105w 17.5.3 MR-3. On both devices I have "Data sent on stream after TCP Reset received" Then on 105w I have done " set ips tcp_option detect_anomalies disable " and there is no more that kind of network intrusions in the last two hours. I will be watching and when it is ok I will try to implement this on bigger XG.