
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



This thread was automatically locked due to age.
  • Hey  

    Copy and paste from here:

    This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.

    These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.

    Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,


    Florentino Sanchez
    Community Manager, Support & Services

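The reply above says the signature fires on RST packets received outside the window and that disabling it leaves the decision to the host OS. The sketch below is an added example, not part of the original thread and not Sophos code: a generic model of that sequence check using the RFC 793 window test and RFC 5961 RST handling. The function names, the scenario values and the stale-window cause are assumptions made for illustration.

```python
# Generic model of the RST sequence check (RFC 793 window test, RFC 5961 rules).
# Added illustration, not Sophos code; every number below is constructed.

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Classify an RST against a (rcv_nxt, rcv_wnd) receiver state.

    "exact"     seq == RCV.NXT: connection is reset
    "in_window" inside the window but not exact: RFC 5961 sends a challenge ACK
    "outside"   anything else: dropped; this is the case the signature reports
    """
    offset = (seq - rcv_nxt) % MOD  # forward distance, safe across wraparound
    if offset == 0:
        return "exact"
    if offset < rcv_wnd:
        return "in_window"
    return "outside"


def compare_views(seq, host_state, device_state):
    """Return (host verdict, inline-device verdict) for the same RST."""
    return classify_rst(seq, *host_state), classify_rst(seq, *device_state)


# Constructed scenarios: (label, rst_seq, host state, device's tracked state).
# The stale-window case assumes the device missed the window scale option;
# the page does not say what caused the false positives it describes.
SCENARIOS = [
    ("views agree, exact RST", 1000, (1000, 65535), (1000, 65535)),
    ("window wraps past 2**32", 0x00000010, (0xFFFFFF00, 1024), (0xFFFFFF00, 1024)),
    ("late RST behind RCV.NXT", 4000, (5000, 65535), (5000, 65535)),
    ("device has stale window", 101000, (1000, 8192 << 7), (1000, 8192)),
]


def run_scenarios():
    """Map each scenario label to its (host, device) verdict pair."""
    return {label: compare_views(seq, host, dev)
            for label, seq, host, dev in SCENARIOS}


if __name__ == "__main__":
    for label, verdicts in run_scenarios().items():
        print(f"{label:26} host={verdicts[0]:9} device={verdicts[1]}")
```

The last scenario is the interesting one for triage: the same RST is acceptable to the endpoint but outside the window as the inline device tracks it.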
  • Sorry for the late response.

    Did the Console Command: set ips tcp_option detect_anomalies disable

    Response: Already Configured

    Since I was in the device, I updated the firmware. Current firmware: SFOS 17.5.3 MR-3.

    I will monitor the errors and report back (sooner this time).

     

  •  I ran the command listed. Viewed my Firewall this morning and I now have 0 "attacks/errors" showing. It appears this took care of the issue over the weekend. I'll monitor and report back if I see any further items regarding this issue.