
Exclude/whitelist a source server IP address

verasme
Level 1

Is there a way to either whitelist or create an exclusion in Cisco AMP so that anything coming from that IP address or server is ignored by the Cisco AMP agent? We have a KACE appliance that downloads Windows updates to the clients and I would like to make an exception so that anything coming from our KACE appliance is accepted by Cisco AMP. We find that Cisco AMP takes a significant percentage of the client-side CPU when KACE agent is downloading Windows updates.

4 Replies

Yes, you can exclude it from the AMP policy in the cloud, and the user's agent will download that.

See this:

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-fireamp-endpoints/118341-configure-fireamp-00.html

I don't see anything in that article that talks about excluding IP addresses. Can you point me in the right direction?

brmcmaho
Cisco Employee (Accepted Solution)

There is no way to tell AMP to ignore everything by specifying an IP address or domain. The IP Whitelist feature (under Outbreak Control in the AMP console) is just for overriding a block based on the Cisco intelligence feed.

Based on your description, what you need here is a way to reduce or eliminate the performance impact when the KACE agent on an endpoint performs updates, correct?

If so, the generally recommended way to do that is with an exclusion (found under Management in the console) instead of a whitelist. That's what the original link talked about, and you can set an exclusion based either on a location in the file system, or the process that is performing the operations.

If you need assistance with the exclusion process, or with other performance issues, my advice is to open a support case, and be sure that it gets routed to the AMP TAC specialists.

You're absolutely right. We are having performance issues when KACE is deploying updates. So I have granted exclusions for the KACE processes (konea.exe, runkbot.exe, kdeploy.exe, and kpatch.exe) and also the folder location where KACE agent downloads those update packages. I have to see in the next few weeks if this makes a difference in deploying updates. Thanks so much for the information.