Firepower how to exclude a single IP from a single rule?

How do you allow a single IP to bypass a single rule? I see an alert that is associated with a SQL injection. I know that the source and destination IP and port are 100% legit. I want to exclude this single rule for the source and destination and not exclude the IPs from any other rules. I am having a hard time finding out if this can be done.

Dv (Cisco Employee)

Hi Kenn,

If you're talking about the intrusion event then you can add the suppression for that particular IP. Attached is the screenshot for the same.

Hope this helps.

Regards,

Dv

Re: Hi Kenn,

@Dv are you really a Cisco employee or is that some sort of hack you did? I can't believe someone would mislead someone like you did here. That's extremely disturbing and I've reported your post.

To the OP: A suppression would actually cause you even more trouble - your traffic would still be blocked, and you would now have no alerting for it! Not only that, it creates extra work for Snort. What you need to do is either create a "Pass Rule" or modify your Access Control Policy to have a rule to pass this traffic without inspection.

Cisco Employee

Re: Firepower how to exclude a single IP from a single rule?

Hello Team,

You could also create a new access control rule for the IP, then in the Inspection portion of the rule, reference a new IPS rule with the SID turned off.

You can create as many IPS policies as you want, then reference them in different rules.

That way you can still have inspection on your SQL server for the other SIDs.

Beginner

Re: Firepower how to exclude a single IP from a single rule?

This hasn't worked for me despite enabling a new access rule with "Trust" action and no IPS policy applied. I've also whitelisted the IP, but I'm still seeing the trusted IP registered in several Intrusion Event entries for SQL injection attack and much more.

I'll appreciate suggestions to resolve this as it's generating lots of intrusion event false positives.

Frequent Contributor

Re: Firepower how to exclude a single IP from a single rule?

What if you just add a deny IP_SRC IP_DST on the ACL used by SFR on the ASA policy-map?
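As an added illustration of what this last reply suggests (constructed example configuration, not the poster's own or from Cisco documentation): on an ASA with the SFR module, the redirect ACL referenced by the service policy decides which flows are handed to Firepower at all, so a deny entry for the source/destination pair keeps that flow away from the module. Note that this removes every intrusion rule for that pair, not only the SQL injection SID, which is the trade-off the original question wanted to avoid; the host addresses, port and object names below are placeholders.

```cisco
! Constructed example: 192.0.2.10 is the trusted application server,
! 198.51.100.20 the SQL server, TCP/1433 the database port.
! A flow that matches a "deny" entry here is simply not redirected to the
! SFR module, so it receives no Firepower inspection (no IPS rules at all).
! Everything that matches "permit" is still sent to the module as before.
access-list sfr_redirect extended deny tcp host 192.0.2.10 host 198.51.100.20 eq 1433
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr_class
  ! fail-open: if the module goes down, traffic in this class keeps flowing
  ! uninspected; use "sfr fail-close" if you would rather block it then.
  sfr fail-open
!
service-policy global_policy global
!
! Check that the exclusion is actually matching: the hit count on the deny
! line should rise while the trusted host talks to the SQL server.
! show access-list sfr_redirect
```

If the goal is to keep the other intrusion rules active for that pair, this is not the right place; the per-rule approach from the earlier replies (a dedicated access control rule with its own intrusion policy, or a pass rule) keeps the flow inside Firepower.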