
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



This thread was automatically locked due to age.
  • Hi  

    Yes, disabling any IPS setting/signature affects protection somewhat.

    This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.). This setting was causing excessive false positives and issues for some customers; therefore, the option to disable it was provided.

    Copy and paste of the information I provided previously:

    • These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
    • Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.

    Regards,


    Florentino
    Director, Global Community & Digital Support

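For reference on what "outside of window" means and what leaving the decision to the host OS implies, here is an added example (not from the original thread, and not Sophos's IPS logic) of the RST acceptance check that a host TCP stack following RFC 5961 section 3.2 applies. The function names and all sample sequence numbers are constructed for illustration.

```python
# Added example: RFC 5961 section 3.2 handling of an incoming RST on an
# established connection. This is the host-side decision, not the IPS's code.
from collections import Counter

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_offset(seq, rcv_nxt):
    """Distance of seq ahead of rcv_nxt in 32-bit sequence space."""
    return (seq - rcv_nxt) % MOD


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Return what the receiver does with an RST carrying sequence number seq."""
    off = seq_offset(seq, rcv_nxt)
    if off == 0:
        return "reset"          # exact match with RCV.NXT: connection is reset
    if off < rcv_wnd:
        return "challenge_ack"  # in window but not exact: ACK sent, connection kept
    return "drop"               # outside the receive window: silently discarded


# Constructed samples: (description, RST seq, receiver RCV.NXT, receiver window)
SAMPLES = [
    ("exact match",                 1_000_000, 1_000_000, 65_535),
    ("in window, not exact",        1_020_000, 1_000_000, 65_535),
    ("late RST, receiver moved on",   999_000, 1_000_000, 65_535),
    ("far ahead of window",         1_200_000, 1_000_000, 65_535),
    ("in window across seq wrap",  0x00000010, 0xFFFFFF00, 65_535),
    ("zero window, not exact",      1_000_001, 1_000_000, 0),
]


def tally(samples):
    """Count outcomes so the share of out-of-window RSTs is visible at a glance."""
    return Counter(classify_rst(seq, nxt, wnd) for _, seq, nxt, wnd in samples)


if __name__ == "__main__":
    for desc, seq, nxt, wnd in SAMPLES:
        print(f"{desc:30s} -> {classify_rst(seq, nxt, wnd)}")
    print(dict(tally(SAMPLES)))
```

The "late RST" row shows how a legitimate reset can still land outside the window: the sender's sequence number was valid when sent, but the receiver's window had already advanced.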