This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3

This thread was automatically locked due to age.
Parents Reply
  • Hi  

    Yes, disabling any IPS setting/signature affects protection somewhat.

    This particular IPS setting detects and drops "anomalous" TCP traffic (missing TCP timestamps, etc.) This setting was causing excessive false-positives & issues for some customers, therefore the option to disable it was provided.

    Copy and paste of the information I provided previously:

    • These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
    • Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.


    Florentino Sanchez
    Community Manager, Support & Services

    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
No Data