IPS can be very difficult to troubleshoot because it operates much differently than the other filtering/blocking type applications in NG Firewall. Sometimes things can seem like they are blocking inexplicably- you have no rules to block a certain thing, there must be something wrong with the NG Firewall, right? Probably not, and one place you may be overlooking is Intrusion Prevention.
What to look for
Well there's a million things in the reports, how am I supposed to know if its causing issues? A first easy step is to simply turn off IPS. A simple bypass won't work in this case because:
IPS occurs pre-routing, meaning it's one of the very first things to happen to traffic that hits the NG Firewall. So this means IPS may drop or block traffic before we decide if it's bypassed.
- If turning off IPS resolves the issue, there's a good chance IPS is dropping part or all of the traffic needed for your request.
- We don't recommend blocking mass groups of signatures as these can cause plenty of network issues. If you are seeing issues, you may want to reconsider how you are setting up the rules.
- if you just want to disable that single rule - you'll want to check Reports > Intrusion Prevention > Blocked Events
- Then you can filter by when it happened, IP address, etc. If you don't know when - consider trying to reproduce the error live and refresh the reports:
5. Now we see the culprit rule, we can grab the SID of that signature and add a rule to disable or change to only log:
Done! That rule shouldn't be bothering you anymore. If this doesn't fix the issue, you may need to expand how you filter for your reports.Follow