I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source. Firmware is 17.1.3 MR3
solution in the KB article ;)
Certified Architect - XG | UTM | MOBILE
To be clear, this is a temporary workaround, not a solution.
I am getting a million a day on every customer at 17.5.3 MR3 and the command in 133096 is not present in the console.
Sophos Certified Trainer & Architect
Presales & Project Manager of DMZ Bilisim LTD STI
Hi Eren Ertas
Apologies for this inconvenience.
Note that you can still input the command without having to tab auto-complete it: "set ips tcp_option detect_anomalies disable"
Please PM me if you continue to experience issues regarding these alerts.
Let me check and watch a while
It seems it's not resolved
Hey Eren Ertas
Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID? I'd like to take a closer look at your reports.
I have the same issue on V17.5.3 MR-3.
Have you tried to troubleshoot by disabling this setting?
Full context here.
Thanks, it works after inputting the command.
Sophos didn't fix the bug on V17.5.3 MR-3...
I'm getting thousands upon thousands of these errors in my Sophos XG135 rev.3, it's showing nearly 50k just yesterday for an office of 7 people. I'm running 17.5.3 MR3. I can run the command on my console to disable the anomaly detection. But by doing so, am I disabling the ability to detect or use any IPS functionality?
Hey Brad Hall
Copy and paste from here:
This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.
These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.
Sorry for the late response.
Did the Console Command: set ips tcp_option detect_anomalies disable
Response: Already Configured
Since I was in the device, I updated the firmware. Current Firmware: (SFOS 17.5.3 MR-3)
I will monitor the errors and report back (sooner this time).
FloSupport I ran the command listed. Viewed my Firewall this morning and I now have 0 "attacks/errors" showing. It appears this took care of the issue over the weekend. I'll monitor and report back if I see any further items regarding this issue.