General Discussion / [SOLVED] Intrusion Detection issues with IPS Enabled
« on: May 11, 2016, 09:19:20 am »
Hi all,
For a few days now we have had a Deciso OPNsense firewall (Dual A10 QC SSD rack) in use in front of our webservers. Before this OPNsense firewall we had 2 pfSense firewalls.
The OPNsense firewalls are configured in HA (CARP).
We want to use the Intrusion Detection service of OPNsense. So to do this I enabled IDS and IPS.
Then I checked the 'Rules'-tab and saw some active rules without activating any ruleset (no problem in my opinion). Before enabling any ruleset we did some tests. We came to the conclusion that most of the websites are working fine, except our PRTG page (monitoring: https://www.paessler.com/prtg) and also creating a new email with Roundcube webmail was not working. Those pages keep saying 'Connecting' in Google Chrome and the circle inside the tab keeps rotating.
There was no information at all on the 'Alert'-tab. To be sure that no rule could be the problem, I disabled all the rules and retried; unfortunately, the result was the same.
I can solve the issue of the pages not loading by disabling IPS and leaving only IDS enabled. Then I can also enable all rules and the pages load normally. Of course we want to use IPS to auto-block some bad traffic.
Is there a solution to enable IPS and let the webpages function properly?
P.s. all the hardware acceleration settings are disabled:
- hardware checksum offload
- hardware TCP segmentation offload
- hardware large receive offload
- VLAN Hardware Filtering
Versions:
OPNsense 16.1.13-amd64
FreeBSD 10.2-RELEASE-p14
OpenSSL 1.0.2h 3 May 2016