We had consultants install our new IPS. They recommended plugging into a switch connecting our firewall to our internet router. We have a bunch of VPN tunnels terminating at our ASA firewall from our remote offices. When I check the logs on the IPS, there are tons of alerts for "tcp segment overwrite", and a lot of them come from the VPN sites. My question is, what can I do to alleviate some of these messages? I can't believe that we are being attacked this much.
To clarify our installation, we have 2 switches, one in each of our two buildings, and they are connected via fibre. We have an ASA in each building, and they are set up for redundancy. Our IPS has only one interface, plugged into the same VLAN that hosts the firewall and the internet router.
If this is in an inline scenario, the offending packets are dropped by default. To investigate it further, I'd check to see what other alerts are triggering for the offending hosts. This will give you more information to ascertain what these hosts are really doing.
I checked through a handful of the logs and I have IPs from my internal network and from remote VPN connections. Is there a way to search through the log to find multiple occurrences of the same host?
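The triage the reply above suggests (look at what else each offending host is triggering) and the follow-up question (find hosts that show up repeatedly) can both be done offline with a short script once the alerts are exported to text. The following is an added example, not code from the thread or from Cisco: the log lines are constructed in a simplified key=value form, and the VPN and internal address ranges are assumptions standing in for the real address plan. It counts alerts per source host, records which signatures each host triggered, and separates hosts whose only alert is "tcp segment overwrite" (tuning candidates) from hosts that also trigger other signatures (worth a closer look).

```python
"""Aggregate IPS alerts per source host to spot repeat offenders.

Added example, not from the original thread. The log format below is a
constructed, simplified one (timestamp, signature name, src, dst); real
Cisco IPS event output differs and would need its own parser.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts (not captured data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sig="tcp segment overwrite" src=10.20.5.17 dst=203.0.113.10
2024-03-01T10:00:02 sig="tcp segment overwrite" src=10.20.5.17 dst=203.0.113.10
2024-03-01T10:00:03 sig="tcp segment overwrite" src=10.30.8.44 dst=203.0.113.10
2024-03-01T10:00:04 sig="tcp segment overwrite" src=192.168.1.50 dst=198.51.100.7
2024-03-01T10:00:05 sig="ssh brute force" src=198.51.100.200 dst=192.168.1.10
2024-03-01T10:00:06 sig="tcp segment overwrite" src=10.20.5.17 dst=203.0.113.10
2024-03-01T10:00:07 sig="port scan" src=198.51.100.200 dst=192.168.1.10
"""

# Assumed address plan: remote-office VPN subnets and the local LAN.
VPN_NETS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]
INTERNAL_NETS = [ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r'sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)')


def classify(addr):
    """Label a source address as vpn, internal or external by address range."""
    ip = ip_address(addr)
    if any(ip in n for n in VPN_NETS):
        return "vpn"
    if any(ip in n for n in INTERNAL_NETS):
        return "internal"
    return "external"


def summarize(log_text, min_hits=2):
    """Return {src: {"hits": n, "sigs": set, "origin": label}} for hosts seen >= min_hits times."""
    hits = Counter()
    sigs = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        hits[m["src"]] += 1
        sigs[m["src"]].add(m["sig"])
    return {
        src: {"hits": n, "sigs": sigs[src], "origin": classify(src)}
        for src, n in hits.most_common()
        if n >= min_hits
    }


def noisy_only(summary, noise_sig="tcp segment overwrite"):
    """Hosts whose only alert is the noise signature: candidates for tuning."""
    return sorted(s for s, info in summary.items() if info["sigs"] == {noise_sig})


def suspicious(summary, noise_sig="tcp segment overwrite"):
    """Hosts that trigger anything besides the noise signature: investigate first."""
    return sorted(s for s, info in summary.items() if info["sigs"] - {noise_sig})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, info in summary.items():
        print(f"{src:16} {info['origin']:9} hits={info['hits']} sigs={sorted(info['sigs'])}")
    print("tuning candidates:", noisy_only(summary))
    print("investigate:", suspicious(summary))
```

On the constructed sample, 10.20.5.17 (a VPN-range host) triggers only "tcp segment overwrite" three times and lands in the tuning list, while 198.51.100.200 triggers two different signatures and lands in the investigate list. Adjust the regular expression and the address ranges to match the real export before drawing conclusions from it.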