Messages

1

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 13, 2016, 01:38:48 pm »

Hi Ad,

Thanks again for the clear answers.
We'll wait for the changes to become stable.

Kind regards,

Ivan

2

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 13, 2016, 01:13:52 pm »

Hi Ad,

I did the changes I mentioned before. So there is no vlan on the WAN interface. The WAN interface is just assigned to LAGG0.

I did a complete reboot of both firewalls after I disabled all IDS/IPS settings. After the reboot I completely reconfigured Intrusion Prevention.. Unfortunately the PRTG-webpage is still not working, all other websites we're hosting are working fine with IPS enabled.

A conclusion for now is that getting rid of the VLAN config on the WAN-interface is not the solution.

Is there an option to exclude for example the internal or external IP? Or when a certain NAT-rule is applied that there will be no IPS processing for that traffic? (I now this is for example possible with a Fortinet Firewall).

3

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 11, 2016, 11:51:24 am »

Hi Ad,

For now it's not necessary to provide us the patched files, we'll wait for the official release.

I'll will try the change I mentioned before and give it another try with IPS this weekend. I'll keep you posted about my findings.

Again many thanks for your assistance and quick reply's!

Kind regards,

Ivan

4

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 11, 2016, 11:28:04 am »

Hi Ad,

Thanks again for your great assistance!

I was rechecking our config and I think I have the possibility to remove vlan 2 from lagg0 (WAN). Because vlan2 is the only vlan on the WAN LAGG (lagg0). So I can change the switch ports from trunk- to access-ports and map the WAN port assignment in OPNsense (Interfaces: Assignments) directly to lagg0 (WAN). In this way the vlan-tagging will be done by the switch and not OPNsense. For OPNsense it will look like a normal lagg-port.

Do you think I will bypass the vlan problem on netmap/Suricata with the above config changes?

I think I'll be able to apply this change upcoming weekend.

Kind regards,

Ivan

5

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 11, 2016, 10:17:20 am »

Hi Ad,

Thanks for the quick replies.

It's unfortunately not possible for us to test the steps you mention. Because the device is in a production environment at the moment with live traffic, so it's impossible to reconfigure vlan, lagg and interface settings. Also physical access to the device is difficult (it's in a datacenter 150km away).

Is there a possibility to enable extra logging, some sort of debug, for IPS and see what it's doing?

Kind regards,

Ivan

6

General Discussion / Re: Intrusion Detection issues with IPS Enabled

« on: May 11, 2016, 09:40:05 am »

Hi Ad,

IPS is only enabled on the WAN interface. This WAN interface is a VLAN on a LAGG of 2 physical interfaces.
I attached 3 screenshots of the configuration to make it more clear.

Ivan

7

General Discussion / [SOLVED] Intrusion Detection issues with IPS Enabled

« on: May 11, 2016, 09:19:20 am »

Hi all,

Since a few days we've a Deciso OPNsense firewall (Dual A10 QC SSD rack) in use in front of our webservers. Before this OPNsense firewall we had 2 PFsense firewall's.
The OPNsense firewalls are configured in HA (CARP).

We want to use the Intrusion Detection service of OPNsense. So to do this I enabled IDS and IPS.
Then I checked the 'Rules'-tab and saw some active rules without activating any ruleset (no problem in my opinion). Before enabling any ruleset we did some tests. We came to the conclusion that most of the websites are working fine, except our PRTG page (monitoring: https://www.paessler.com/prtg) and also creating a new email with Roundcube webmail was not working. Those pages keep saying 'Connecting' in Google Chrome and the circle inside the tab keeps rotating.
On the 'Alert'-tab was no information at all. To be sure that no rule can be the problem, I disabled all the rules and did a retry, unfortunately the same result.
I can solve the issues of the pages not loading by disabling IPS and only let IDS enabled. Then I can also enable all rules and the page load normally. Off course we want to use IPS to auto block some bad traffic

Is there a solution to enable IPS and let the webpages function properly?

P.s. all the hardware acceleration settings are disabled:
 - hardware checksum offload
 - hardware TCP segmentation offload
 - hardware large receive offload
 - VLAN Hardware Filtering

Versions:
OPNsense 16.1.13-amd64   
FreeBSD 10.2-RELEASE-p14   
OpenSSL 1.0.2h 3 May 2016