topic Re: Exclude/whitelist a source server IP address in Endpoint Security

Exclude/whitelist a source server IP address

verasme — Fri, 21 Feb 2020 05:06:43 GMT

Is there a way to either whitelist or create an exclusion in Cisco AMP so that anything coming from that IP address or server is ignored by the Cisco AMP agent? We have a KACE appliance that downloads Windows updates to the clients and I would like to make an exception so that anything coming from our KACE appliance is accepted by Cisco AMP. We find that Cisco AMP takes a significant percentage of the client-side CPU when KACE agent is downloading Windows updates.

Re: Exclude/whitelist a source server IP address

Mohammed al Baqari — Tue, 23 Oct 2018 05:46:00 GMT

Yes you can exclude it from AMP policy in the cloud and the users agent
will download that.

See this

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html

Re: Exclude/whitelist a source server IP address

verasme — Tue, 23 Oct 2018 13:39:37 GMT

I don't see anything in that article that talks about excluding IP addresses. Can you point me in the right direction?

Re: Exclude/whitelist a source server IP address

brmcmaho — Wed, 24 Oct 2018 19:56:21 GMT

There is no way to tell AMP to ignore everything by specifying an IP address or domain. The IP Whitelist feature (under Outbreak Control in the AMP console) is just for overriding a block based on the Cisco intelligence feed.

Based on your description, what you need here is a way to reduce or eliminate the performance impact when the KACE agent on an endpoint performs updates, correct?

If so, the generally recommended way to do that is with an exclusion (found under Management in the console) instead of a whitelist. That's what the original link talked about, and you can set an exclusion based either on a location in the file system, or the process that is performing the operations.

If you need assistance with the exclusion process, or with other performance issues, my advice is to open a support case, and be sure that it gets routed to the AMP TAC specialists.

Re: Exclude/whitelist a source server IP address

verasme — Wed, 24 Oct 2018 20:01:09 GMT

You're absolutely right. We are having performance issues when KACE is deploying updates. So I have granted exclusions for the KACE processes (konea.exe, runkbot.exe, kdeploy.exe, and kpatch.exe) and also the folder location where KACE agent downloads those update packages. I have to see in the next few weeks if this makes a difference in deploying updates. Thanks so much for the information.