I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3
Let me check and watch a while
Regards
Eren ERTAS
Sophos Certified Trainer & Architect
Presales & Project Manager of DMZ Bilisim LTD STI
Hey Eren Ertas
Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID? I'd like to take a closer look at your reports.
Thanks!
Hey ShunzeLee
Have you tried to troubleshoot by disabling this setting?
I'm getting thousands upon thousands of these errors in my Sophos XG135 rev.3, it's showing nearly 50k just yesterday for an office of 7 people. I'm running 17.5.3 MR3. I can run the command on my console to disable the anomaly detection. But by doing so, am I disabling the ability to detect or use any IPS functionality?
Hey Brad Hall
This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.
These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.
Regards,
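As an added illustration (not part of the thread and not Sophos IPS code) of what leaving the out-of-window RST decision to the host means, this sketch applies the RST check that RFC 5961 specifies for a receiving TCP endpoint. It assumes the host stack follows RFC 5961; the function names and sample segments are constructed.

```python
# Added example: RFC 5961 section 3.2 handling of an incoming RST on an
# established connection. Function names and sample values are constructed.

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Return what the receiving host does with a RST carrying sequence `seq`."""
    if seq == rcv_nxt:
        return "reset"          # exact match: the connection is torn down
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"  # plausible but not exact: ACK, keep connection
    return "discard"            # outside the window: silently dropped


# Constructed sample segments: (label, seq, rcv_nxt, rcv_wnd)
SAMPLES = [
    ("exact",        1000,       1000,       65535),
    ("in_window",    1500,       1000,       65535),
    ("stale",        900,        1000,       65535),
    ("past_window",  66535,      1000,       65535),
    ("wrapped",      0x00000010, 0xFFFFFF00, 1024),
    ("zero_window",  5000,       5000,       0),
]


def run_samples():
    """Classify every constructed sample and return {label: action}."""
    return {label: classify_rst(seq, nxt, wnd) for label, seq, nxt, wnd in SAMPLES}


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{label:12s} -> {action}")
```
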
Sorry for the late response.
Did the Console Command: set ips tcp_option detect_anomalies disable
Response: Already Configured
Since I was in the device, I updated the firmware. Current firmware: (SFOS 17.5.3 MR-3)
I will monitor the errors and report back (sooner this time).
FloSupport I ran the command listed. Viewed my Firewall this morning and I now have 0 "attacks/errors" showing. It appears this took care of the issue over the weekend. I'll monitor and report back if I see any further items regarding this issue.