
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



  • Hi Guys,

    Yesterday I installed an XG310 (SFOS 17.5.3 MR-3) at a client site.

    It is in bridge mode behind a MKtik router doing NAT + routing + VPN + basic FW.

    Still there are a TON of false IPS positives: TCP related, IMAP related, print spooler related (just some broadcasts), DNS related (replies from 8.8.8.8).

    So this is ridiculous.

    Is disabling just a temporary solution? Even after an upgrade, does it stop/lower the efficiency of the IPS?


    Have a nice day! Greetings!

  • Hi,


    Does anybody know if this is lowering the detection rate of the IPS?

    _______________________________________________

    Sophos XG User

  • I just want to ask again, if somebody knows if disabling "Anomaly Detection" lowers the detection/protection rate of the IPS system.

    Is this issue solved in v18 EAP, so that Anomaly Detection is working again?

    _______________________________________________

    Sophos XG User

  • Hi

    This issue is resolved in SFOS v17.5.8 MR-8. By default the setting will be enabled, as it was causing too many false positive detections.


    Florentino Sanchez
    Community Manager, Support & Services

    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
  • Hi

    Thanks for the reply. BUT could you please answer the questions above?

    Does disabling IPS anomalies LOWER the protection and effectiveness?


    Thanks!

    Have a nice day!

  • Hi

    Yes, disabling any IPS setting/signature affects protection somewhat.

    This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.). This setting was causing excessive false positives and issues for some customers, therefore the option to disable it was provided.

    Copy and paste of the information I provided previously:

    • These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
    • Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,


    Florentino Sanchez
    Community Manager, Support & Services

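The "RST outside window" decision behind these detections, as an added example (not code from the thread or from Sophos; the scenario, function names and sequence values are constructed for illustration). It shows the endpoint's own check with 32-bit wraparound, and one way an inline tracker can disagree with the host: it missed the SYN exchange, so it applies no window-scale factor and judges a reset the host would accept as out of window.

```python
# Added example, not code from the thread or from Sophos. Models the
# "RST outside window" check an endpoint or an inline IPS makes, with 32-bit
# sequence wraparound, plus a constructed desync case in which the inline
# device never saw the SYN/SYN-ACK and therefore knows no window scale.
SEQ_MOD = 1 << 32

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability: RCV.NXT <= seq < RCV.NXT + RCV.WND, mod 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd

def classify_rst(seq, rcv_nxt, rcv_wnd, strict=True):
    """Endpoint verdict on an incoming RST.
    strict=True follows RFC 5961: only an exact RCV.NXT match resets the
    connection; an in-window but inexact seq draws a challenge ACK.
    strict=False is the older RFC 793 behaviour: any in-window RST resets."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack" if strict else "reset"
    return "drop"

def ips_flags_rst(seq, tracked_nxt, tracked_wnd):
    """An inline tracker raises the anomaly when the RST falls outside the
    window *it* believes the receiver advertises."""
    return not seq_in_window(seq, tracked_nxt, tracked_wnd)

def missing_scale_scenario(isn, wnd_field, real_shift, rst_offset):
    """Constructed case: host and IPS agree on RCV.NXT, but the IPS missed
    the SYN/SYN-ACK, so it applies no window scale (shift 0)."""
    rcv_nxt = (isn + 4096) % SEQ_MOD          # both have seen 4096 bytes
    rst_seq = (rcv_nxt + rst_offset) % SEQ_MOD
    host_wnd = wnd_field << real_shift        # e.g. 8192 << 7 = 1 MiB
    ips_wnd = wnd_field                       # unscaled view: 8 KiB
    return {
        "host_verdict": classify_rst(rst_seq, rcv_nxt, host_wnd),
        "ips_anomaly": ips_flags_rst(rst_seq, rcv_nxt, ips_wnd),
    }

if __name__ == "__main__":
    # Host sees an in-window RST; the unscaled tracker calls it an anomaly.
    print(missing_scale_scenario(0xFFFFF000, 8192, 7, 100_000))
```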