I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source. Firmware is 17.1.3 MR3.
We have an update. TCP anomalies detection will be disabled by default starting from v17.5 MR-8. Please check the updated article: Sophos XG Firewall: IPS causing drops to legitimate traffic and filling the IPS log
does disabling TCP anomalies detection also lower the detection rate of the IPS system?
Yesterday I installed XG310 (SFOS 17.5.3 MR-3) at client site.
It is in bridge mode after MKtik router doing NAT+Routing+VPN+basic FW.
Still there are a TON of false IPS positives. TCP related, IMAP related, Print spooler related (just some broadcasts), DNS related (replies from 22.214.171.124).
So this is ridiculous.
Disabling is just a temp solution? Even in an upgrade, does it stop/lower the efficiency of IPS?
Have a nice day! Greetings!
Does anybody know if this is lowering the detection rate of the IPS?
I just want to ask again, if somebody knows if disabling "Anomaly Detection" lowers the detection/protection rate of the IPS system.
Is this issue solved in v18 EAP, so that Anomaly Detection is working again?
Hi Kaloian Kirchev
This issue is resolved in SFOS v17.5.8 MR-8. By default the setting will be enabled, as it was causing too many false positive detections.
Thanks for the reply. BUT could you please answer the questions above.
Does disabling IPS anomalies LOWER the protection and effectiveness?
Have a nice day!
Yes, disabling any IPS setting/signature affects protection somewhat.
This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.). This setting was causing excessive false positives and issues for some customers, therefore the option to disable it was provided.
Copy and paste of the information I provided previously: