IPS High Volume of Blocked Traffic

  • IPS High Volume of Blocked Traffic


    We have a number of clients with Untangle NGFWs; a handful of them have super high IPS blocked traffic that matches their regular traffic. I've looked at some logs and am not entirely sure what to make of it. Any ideas?

    [Attached image]

    In the logs, we just see a ton of incoming attempted traffic trying to access ports that don't exist on the WAN.
    Last edited by [email protected]; 07-26-2021, 04:59 PM.

  • #2
    This is what we see on most of our clients' firewalls.
    [Attached image]

    Looking at the graph indicators, I would assume the first graph I posted is more of what we want, right?

    Are there any KB articles on how to manage and decipher the IPS in Untangle?


    • #3
      Here's another odd one
      [Attached image]


      • #4
        You need to have more information about what is being blocked to better diagnose it.

        Go to Reports -> Intrusion Prevention -> Blocked Events

        The category, classtype & msg will tell you a bit about what is being blocked. You can also see a "Rule Id" column - which corresponds to the rule in Intrusion Prevention that is blocking that traffic (count down the list from the top).

        You can also reduce the # of blocks by switching Intrusion Prevention scanning to "After other network processing" so it doesn't have to scan things that would have otherwise been blocked anyways.

        But it all boils down to your rules and what you set. Maybe share a screenshot of the rules tab in Intrusion Prevention.

        This video may help -
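
An added example, not part of the thread and not Untangle code: one way to apply the advice in #4 to a CSV export of Blocked Events, ranking blocks by rule id, category, classtype and msg, and measuring how many hit WAN ports with nothing listening (the traffic described in the first post). The column names, the sample rows and the `WAN_OPEN_PORTS` set are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumed, not Untangle's export schema.
SAMPLE_CSV = """\
src_ip,dst_port,rule_id,category,classtype,msg
198.51.100.7,23,1001,scan,attempted-recon,Constructed telnet probe
198.51.100.7,23,1001,scan,attempted-recon,Constructed telnet probe
198.51.100.8,23,1001,scan,attempted-recon,Constructed telnet probe
203.0.113.9,3389,1002,scan,attempted-recon,Constructed RDP probe
203.0.113.20,445,1003,netbios,misc-attack,Constructed SMB probe
192.0.2.44,443,2001,web-attack,web-application-attack,Constructed HTTP anomaly
"""

# Assumption: the only service actually forwarded from the WAN at this site.
WAN_OPEN_PORTS = {443}

def summarize(csv_text, open_ports):
    """Group blocked events by rule and return them ranked by event count."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "closed": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["rule_id"], row["category"], row["classtype"], row["msg"])
        group = groups[key]
        group["count"] += 1
        group["sources"].add(row["src_ip"])
        # A block aimed at a port with no listener would have been dropped anyway.
        if int(row["dst_port"]) not in open_ports:
            group["closed"] += 1
    return sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)

def closed_port_share(ranked):
    """Fraction of all blocked events that targeted a closed WAN port."""
    total = sum(group["count"] for _, group in ranked)
    closed = sum(group["closed"] for _, group in ranked)
    return closed / total if total else 0.0

if __name__ == "__main__":
    ranked = summarize(SAMPLE_CSV, WAN_OPEN_PORTS)
    for (rule_id, category, classtype, msg), group in ranked:
        print(f"rule {rule_id:>5}  {group['count']:>3} events  "
              f"{len(group['sources'])} sources  {category}/{classtype}  {msg}")
    print(f"closed-port share: {closed_port_share(ranked):.0%}")
```

A high closed-port share means most of the block count is background scanning that the firewall would drop anyway, which is the case where scanning "After other network processing" reduces the number without changing what gets through.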