topic Re: exclude source IP address from IPS inspection on FTD in Network Security

exclude source IP address from IPS inspection on FTD

borutlape — Wed, 12 Jan 2022 10:53:48 GMT

Hi,

We need to exclude the source IP address of our external vulnerability scanner, so it will not be blocked by the IPS.

The point is to simulate external attacks without IPS protection.

Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports.

Previously on ASA with Firepower module, it was done with simply adding deny statement in the sfr access-list.

Now it seems there is no option to do it?

Regards,

Borut

Re: exclude source IP address from IPS inspection on FTD

balaji.bandi — Wed, 12 Jan 2022 10:59:37 GMT

If you using FMC check below thread :

https://community.cisco.com/t5/network-security/exclude-device-from-ips-policy/td-p/3814519

Re: exclude source IP address from IPS inspection on FTD

borutlape — Wed, 12 Jan 2022 13:46:03 GMT

Thanks Balaji,

According these solution we should add it to Whitelist. But according the Cisco documentation it will not exclude it from IPS inspection:

Traffic added to a Do Not Block list or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.
Reference URL: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/security_intelligence_blacklisting.html#ID-2192-00000005

Re: exclude source IP address from IPS inspection on FTD

1_am_r00t — Tue, 01 Feb 2022 23:17:58 GMT

Hi Borut,

did you find a solution for your problem? If so, please share it with me since I'm stuck facing the same problem.

On ASA we simply added the Security-Scanner's IP Address to an "Do not match" extended access list attached to the "default" service-policy. Regular L1-4 ACL's from ASA have applied while the traffic has been explicitly excluded from Snort inspection.

Unfortunately on the FTD I haven't found an elegant solution like on the traditional ASA w/ FirePOWER Services stack. This feature seems to be missing entirely (unfortunately yet another thing to add on why FTD is worse than ASA).

"Shadowing" the regular ACP's in the PreFilter is not an option like OP mentioned.

Kind regards

Re: exclude source IP address from IPS inspection on FTD

Massimo Baschieri — Wed, 02 Feb 2022 05:29:36 GMT

You can try excluding that ip address on the variable set applied to the access rules you want to exempt

Re: exclude source IP address from IPS inspection on FTD

borutlape — Wed, 02 Feb 2022 08:29:41 GMT

Unfortunately not 😞

Re: exclude source IP address from IPS inspection on FTD

Aref Alsouqi — Wed, 02 Feb 2022 10:29:36 GMT

How about if you apply a prefilter rule to exclude the scanner IP?

Re: exclude source IP address from IPS inspection on FTD

1_am_r00t — Wed, 02 Feb 2022 11:56:36 GMT

Both OP and me stated:

"Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports."

"Shadowing" the regular ACP's in the PreFilter is not an option like OP mentioned."

Re: exclude source IP address from IPS inspection on FTD

Aref Alsouqi — Wed, 02 Feb 2022 12:20:04 GMT

I see, thanks for the clarification. Another question, can't we just add that scanner IP to the whitelist in the security intelligence section on the ACP?

Re: exclude source IP address from IPS inspection on FTD

1_am_r00t — Tue, 08 Feb 2022 01:23:49 GMT

@borutlapealready mentioned this is no option since adding it to the whitelist will _NOT_ prevent it from further analysis by Snort:

https://community.cisco.com/t5/network-security/exclude-source-ip-address-from-ips-inspection-on-ftd/m-p/4530202/highlight/true#M1086362

Re: exclude source IP address from IPS inspection on FTD

1_am_r00t — Tue, 08 Feb 2022 19:48:15 GMT

Interesting idea, however this is not what me and OP are trying to accomplish. We're looking for a solution to completely exclude traffic being sent to Snort. Your approach will "just" prevent any alerts being triggered because the traffic will not match any SID pattern - the traffic still needs to traverse through Snort though.

Re: exclude source IP address from IPS inspection on FTD

Massimo Baschieri — Tue, 08 Feb 2022 20:46:30 GMT

I'm not mastering snort to such a degree for being able to tell excluding an ip address at variable set level will almost entirely bypass snort for that ip address or simply prevent snort to enforce the rules, in my mind processing a rule when you know you'll never enforce it it's a useless waste of cpu cycles, but real behavior may differ.

The only thing I can tell is that it works and it's the only way I found to accomplish such a goal without disabling other security features.

Re: exclude source IP address from IPS inspection on FTD

goudier2001 — Fri, 03 Nov 2023 10:51:07 GMT

Just found your post after posting similar post. https://community.cisco.com/t5/network-security/cisco-ftd-how-to-bypass-traffic-inspection/m-p/4953134#M1105559

Did you find a solution?