SG-4860 Suricata Inline IPS
-
I was curious if anyone can confirm if the 4860 can do Suricata Inline IPS. I just enabled Inline and no alerts seem to be populating.
Additionally, the reason I enabled it is that I was seeing traffic leakage from a dual OpenVPN tunnel, where I had Suricata Legacy mode enabled on each tunnel; however, on a daily basis I would see blocks/alerts being caught by the WAN Suricata (also Legacy). I am at a loss as to why this was occurring, as the OpenVPN IPS' were supposed to allow the traffic through the tunnels anyway; but that traffic was not to go out the unencrypted default WAN. Rules were in place to block anything from the source interface going to the WAN (firewall policy route to an interface gateway group of the OpenVPN interfaces).
Packet captures run through SSH on the 4860 WAN interface showed the same traffic leakage shown in the Suricata 'Block' logs.
Are there any thoughts on these 2 items?
Thank you
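One way to check for the leakage described above from the Suricata logs themselves, as an added example that is not part of the original post or of Suricata/pfSense: read the EVE JSON alert records, remember the destination tuples that were alerted on a tunnel interface, and flag any WAN-side alert that either hits the same destination or carries a source address from a subnet that is policy-routed into the tunnels. Interface names (ovpnc1, ovpnc2, igb0), the VPN-only subnet and the sample log lines are all assumed or constructed here; the field names are the standard EVE keys. Because outbound traffic on the WAN is normally already NATed, the destination-tuple correlation is the check that usually fires; the source-subnet check only helps where the WAN-side sensor still sees the internal address.

```python
"""Flag Suricata EVE alerts on the WAN interface that look like VPN leakage.

Heuristic, defender-side check: an alert on the WAN for a destination that was
also alerted on an OpenVPN interface, or from a host that should only leave via
the tunnels, is worth investigating.
"""
import ipaddress
import json

# Assumed interface names and policy-routed subnet (placeholders, not from the thread).
VPN_IFACES = {"ovpnc1", "ovpnc2"}
WAN_IFACES = {"igb0"}
VPN_ONLY_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed EVE JSON lines for demonstration; not real sensor output.
SAMPLE_EVE = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","in_iface":"ovpnc1",'
    '"src_ip":"192.168.10.25","dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"ET POLICY example","action":"allowed"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"198.51.100.1","dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"ET POLICY example","action":"blocked"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","in_iface":"igb0",'
    '"src_ip":"198.51.100.1","dest_ip":"192.0.2.77","dest_port":53,"proto":"UDP"}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"192.168.10.40","dest_ip":"192.0.2.77","dest_port":53,"proto":"UDP",'
    '"alert":{"signature":"ET DNS example","action":"blocked"}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"198.51.100.1","dest_ip":"192.0.2.99","dest_port":80,"proto":"TCP",'
    '"alert":{"signature":"ET WEB example","action":"allowed"}}',
]


def parse_eve(lines):
    """Yield decoded EVE records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def flow_key(ev):
    """Destination tuple that survives outbound NAT on the WAN side."""
    return (ev.get("dest_ip"), ev.get("dest_port"), ev.get("proto"))


def in_vpn_only_net(ip_str, nets=VPN_ONLY_NETS):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_wan_leaks(lines, vpn_ifaces=VPN_IFACES, wan_ifaces=WAN_IFACES):
    """Return WAN alerts that look like traffic which should have used a tunnel.

    Records are processed in file order, so a tunnel alert must precede the
    WAN alert it is correlated with.
    """
    seen_on_vpn = set()
    leaks = []
    for ev in parse_eve(lines):
        if ev.get("event_type") != "alert":
            continue
        iface = ev.get("in_iface")
        key = flow_key(ev)
        if iface in vpn_ifaces:
            seen_on_vpn.add(key)
        elif iface in wan_ifaces:
            reasons = []
            if key in seen_on_vpn:
                reasons.append("destination also seen on VPN interface")
            src = ev.get("src_ip")
            if in_vpn_only_net(src):
                reasons.append("source in VPN-only subnet")
            if reasons:
                leaks.append({
                    "timestamp": ev.get("timestamp"),
                    "iface": iface,
                    "src_ip": src,
                    "dest": key,
                    "signature": ev.get("alert", {}).get("signature"),
                    "reasons": reasons,
                })
    return leaks


if __name__ == "__main__":
    for leak in find_wan_leaks(SAMPLE_EVE):
        print(leak)
```

On a real box the input would be the lines of /var/log/suricata/<instance>/eve.json for each interface, concatenated in time order; the packet capture on the WAN mentioned above is the independent confirmation that a flagged record is a genuine leak rather than a NAT artefact.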
-
@petrt3522 Any Netgate hardware would, I believe, because they would use a NIC that supports it!