Known Issue: Intrusion Prevention Service (IPS) false positive – Signature ID: 1134424

WatchGuard has announced that the Intrusion Prevention Service (IPS) currently has a “known issue”. It affects signature ID 1134424: the WatchGuard firewall incorrectly detects a vulnerability that is not actually present (false positive).

This problem can occur specifically after the latest update on 20 February to IPS version 4.912, on all Firebox & XTM appliances running Fireware 12.x.

WatchGuard is currently working on a fix and, in the meantime, recommends creating an IPS exception for signature 1134424 as a workaround:

  1. In Policy Manager or the Web UI, navigate to Subscription Services -> Intrusion Prevention
  2. Click Exceptions
  3. Enter the relevant ID (1134424) in the Signature ID field
  4. Select “Allow” as the Action and enable Log if required
  5. Then confirm by clicking “add”

 

Original notice from WatchGuard:

WatchGuard has identified a false positive with the Intrusion Prevention Service. Specifically, signature 1134424 in the 4.912 IPS update released on Wednesday, 20 February 2019. We are currently working with our vendor to correct the false positive. The signature itself has been observed to match unintended HTTP and HTTPS connections that pass through the Firebox IPS scanning service (Security Portal Signature details).

To work around this issue, create an IPS exception for signature 1134424. You can find instructions on how to create an IPS signature in both Web UI and Policy Manager in WatchGuard Help Center. If an Intrusion Prevention action was configured to Block IP addresses that matched IPS signatures, several IP addresses may have been added to the blocked sites list. These entries are not automatically cleared after you add the exception. We recommend you review your current blocked sites list and manually remove any entries that were blocked because of “IPS autoblock”. You can find more information about how to manage blocked sites in the WatchGuard Help Center. We apologize for any inconvenience. To follow up with questions or to request notification for when this issue has been addressed, please contact Technical Support.
