IPS randomly stopping working without an alert?

[R. Shackleford]

Add me to the list!
License: Home
version: 15.0.0
uptime: 2d 54m
Server: custom
CPU Count: 4
CPU Type: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
Architecture: amd64
Memory: 8.26 GB
Disk: 106.02 GB

2 days ago:
I notices the graph in my Intrusion Detection (blocked) report was not showing anything since about 4pm the day before ( it usually had 30 or per hour mostly SQL scans being blocked).
2020-04-15 04:46:23 pm was last entry in the log.

Since it was early and I was the only one up and rather then fiddle with things, I did a reboot. All seemed well until this AM

Again, i see nothing being logged by IPS since 2020-04-17 03:25:18 pm

Turned IPS on and off with zero results.

At this point, I'm thinking a Reboot is my only alternative. I'm not very thrilled with the idea I will have to reboot this box every 48hrs so, hopefully Untangle can help figure this one out.

Edit to add: a month or so ago I had same thing happen but don't recall the exact date/time. At that time I did the reboot thing and all was good. But, i have been following this thread in case it came back.

[Sam Graf]

My interaction with support on this issue was very positive, and thankfully, they do not doubt our experiences. If your problem is repeatable, then by all means open a ticket. They're after being able to narrow down the timeframe when the failure occurs as close as possible.

In my case, I'm having to periodically reboot the u25xw because the Wi-Fi interface is dropping out. That has diminished my chances of providing support with anything useful.

[sky-knight]

No support ticket, no bug report, no resolution.

That's how this stuff goes. Forum reports are handy for the curiosity factor but useless in solving the actual problem.

[ntguru]

For enabled IPS rules I have: a rule for known bad IPs (action set to enable block) in addition to the default low/medium/high memory rules (action set to recommended). Probably two months ago, maybe more, I moved the bad IPs block rule up ahead of the default ones.
Since then, IPS logging and reporting has had no issues. I imagine a simple source IP comparison is computationally very simple compared to some of the signatures in the memory rules. I also have IPS set to scan after other network rules, and the only traffic coming in is a single port. So effectively PAT should be acting as a big filter before the simple IP-based IPS rule which itself acts as a filter before the more complex default memory IPS rules.

[Sam Graf]

Since then, IPS logging and reporting has had no issues.

I'm glad that's the case, but if the IP app is that delicate, well...

[ntguru]

I agree. It suggests that the reporting/logging at least -- and perhaps more -- could easily be defeated by even a modest flood of suspicious traffic.

I'm glad that's the case, but if the IP app is that delicate, well...