https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4460034#M1083357 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a>&nbsp;Thanks for the document.&nbsp;</P> Sun, 05 Sep 2021 14:13:00 GMT Chess_N 2021-09-05T14:13:00Z https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459586#M1083322 <P>Hi,</P><P>I want to whitelist a scanner host on our network that is triggering lots of intrusion events.</P><P>I tried to right-click the IP address and the select "Whitelist IP now",&nbsp; and it puts the IP in the Global-Whitelist, but intrusion events are still getting triggered.</P><P>Do I need to do a deploy after adding it to the Whitelist? Also, since the Whitelist seems to be for security Intelligence events and this is an intrusion events, should I use a trust rule in the ACP instead?</P><P>Thanks</P><P>/Chess</P> Fri, 03 Sep 2021 19:47:58 GMT https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459586#M1083322 Chess_N 2021-09-03T19:47:58Z https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459783#M1083330 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1211001">@Chess_N</a>,</P><P>Normally, scanners are not meant to be placed behind FW. One of the reason is what you realized yourself - it triggers alarms. Another and very important reason is that scanners are triggering many connections on multiple IPs (depending on scan type), which can impact FW performance (connection table if filling rapidly, CPU is spiking as it has to process more connections). Most (if not all) scanner configuration guides are talking explicitly not to place scanner behind FW.</P><P>Now, if you still want to do this, and assuming you are using FTD, I would advise placing this host in Prefilter policy, as it was designed for these use cases - if you need to make decision on L3/L4 level, without deeper inspection. If you are running ASA with Firepower, simply exclude scanner IP from redirected traffic.</P><P>BR,</P><P>Milos</P> Sat, 04 Sep 2021 06:02:56 GMT https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459783#M1083330 Milos_Jovanovic 2021-09-04T06:02:56Z https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459816#M1083332 <P>Thanks you <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a> The host is running a security product called Rapid7 and it's scanning hosts between different security zones. This is a FTD device so I'll have a look at using a Prefilter policy,</P><P>&nbsp;</P><P>Best regards</P><P>/Jorgen</P> Sat, 04 Sep 2021 09:31:13 GMT https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459816#M1083332 Chess_N 2021-09-04T09:31:13Z https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459910#M1083342 <P>Yes, you should deploy it in Prefilter policy then.</P><P>However, consider placing scanner in the inside zone. I managed to find <A href="https://docs.rapid7.com/nexpose/planning-your-scan-engine-deployment/" target="_self">this document</A> for Rapid7 deployment, in which it states what I already mentioned - you should place scanner so that it doesn't pass firewall. This would potentially save you a headeache.</P><P>BR,</P><P>Milos</P> Sat, 04 Sep 2021 20:11:46 GMT https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4459910#M1083342 Milos_Jovanovic 2021-09-04T20:11:46Z https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4460034#M1083357 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/330320">@Milos_Jovanovic</a>&nbsp;Thanks for the document.&nbsp;</P> Sun, 05 Sep 2021 14:13:00 GMT https://community.cisco.com/t5/network-security/ip-whitelisting/m-p/4460034#M1083357 Chess_N 2021-09-05T14:13:00Z