Anyone had issues where, even though we have an ACL in place (and set NOT to inspect), the traffic still gets caught by the IPS?
We have an issue where, if we scan a box with the IPS online (4010 sensors with fail-open kits), the foundstone scan takes for EVER (as in an hour) and sees 10-15 vulns. Take the sensor offline, same scan of a box takes 12 minutes, and finds 150+ vulns.
I even get screwy results using a NULL signature (although not as bad). Seems to work ok if I put sensor into layer2 mode.
Quarantine is OFF.
ACL says to allow the IP of the Foundstone to the entire 10.0.0.0/8, without IPS, and to log the ACL hits
The ACL counters go up in the sensor stats.
I've tinkered with the whole "apply ACL inbound or outbound" to see if it was applied the wrong way. It's weird. I know where port "A" and "B" are, but even though the traffic is going into port A and out port B, I get better results with the ACL applied to port OUTBOUND.
This worked fine until last September. Since then, we've had a 4010 replaced (sensor was rebooting), and I've dealt with a few techs @ McAfee, and this is now @ 3rd level. But I figured maybe someone in the community could give me some pointers.
Intrushield is @ 188.8.131.52
Foundstone is @6.8.1
Sensors are @...um..darn, forget, but 1 down from latest 5.1.x release (.48 I think).
This is driving me nuts, as I can't find any logic behind it. It's like the settings on the screen are different than the settings in the hardware.
There was an issue where, when the ACL Rule action is set to Permit for TCP-based protocols, network delay/packet drops may be seen on connections matching the ACL Permit rule.
Can you upgrade the Sensor sw to the latest maintenance release and check if the issue still prevails?
Attaching the Release Notes for reference.