Well, this has been a bit of a disappointment.
I guess I'll commit the Untangle mortal sin and try a reboot. If IPS is still borked, I'll make use of paid support.
I've been working with IPS on my home machine so I can be as clear and accurate as possible when I start a ticket against the business machine.
One of the puzzling aspects of trying to decide when IPS is working and when it isn't is a discrepancy in the logged events reporting.
Over time, the app metrics are nowhere near the same as the total reported events.
Attachment 9884
Attachment 9885
And if the metrics don't literally mean logged events but all events, the numbers still don't align.
Attachment 9886
So from when I last posted until now, the metrics make it seem as if IPS has been active.
Attachment 9888
Very nearly double the reported sessions logged. Yet the Intrusion Prevention / All Events report for today is blank.
Attachment 9889
Now to confirm that the business server is still exhibiting similar behavior and if so, start a support ticket.
Please post back what you hear. Unfortunately, testing/validating the status of IPS isn't the easiest thing.
On a potentially related note, yesterday my U25 stopped passing traffic and wouldn't respond even to pings. I checked it out and the appliance was off. My household was all watching 4K Netflix streaming when it happened (not that I have any evidence that this caused it). I'm going to post separately.
Absolutely, will do.
So an update: something is definitely weird with the IPS module. I have made zero configuration changes recently to UTGW but it has suddenly gone from scanning after network rules to scanning before.
It happened on 03/05/2020. At 10:32AM E, it detected and blocked a known bad IP and the log lists the INTERNAL/NAT-forwarded IP and the single destination port I have open inbound. This is normal, and there are usually a handful per day. At 11:32A E, it detected and blocked a known bad IP and the log lists one of several static EXTERNAL IPs and a port other than one open. And from there, piles and piles of that type, which is not surprising given the huge range of possibilities. I verified IPS is still set to after other network processing.
A quick update from me, then. I have a ticket on a server and support has been super but the server has, so far, refused to act up (I did a clean install of the app so I had a memory usage baseline). Support is leaving the ticket in a hold status and I'm checking the server daily. Until it acts up in an unambiguous way, we wait.
A bit more update: disabling and enabling the IPS app did not fix the behavior. Rebooting the appliance did.
A little relevant entertainment... for the waiting.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com