Cisco FTD - Bypassing a Specific source IP from a specific Signature

Hello,

We have Cisco FTD managed by FMC (both running version 7.4.2.1). We noticed that some of the emails from a specific source to our email gateway that is behind our FTD are getting blocked by a particular signature in our FTD. Now we need to bypass the traffic originating from that particular public IP from hitting this signature. I know that the simple option is to clone the current intrusion policy, disable the signature and then write a new access control rule with the specific public IP as source and our email gateway as destination, and then apply the new intrusion policy to this rule. But we don't want to go with that option since we will be sending 30000 duplicate signatures to the FTD for just one bypass. We just need to know if there is an option to override the signature based on source IP.

Thanks and Regards

Shabeeb

3 Replies

balaji.bandi
Hall of Fame

You can create another top rule to not inspect; does this work for you?


BB


You mean to say that we will clone the current intrusion policy and disable the problematic signature, then create a new access control policy and call this intrusion policy, right? The issue is that the customer is worried about the number of signatures that will be pushed. He is asking if I clone the intrusion policy, then I will have another 10000 signatures pushed to the FTD, which may affect performance.

Is there any option to exclude a particular source IP from a signature?

There's no problem with having multiple intrusion policies on a given device. Of more concern to me would be why this one device is triggering an intrusion event. If it's believed to be a false positive, then a TAC case would be a better approach.

You can exclude a given address from the current intrusion policy globally via the access control policy. You cannot exclude an address from one signature (without creating a new policy).
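As an added illustration of the approach described in this answer (not code from the thread, from Cisco, or from the FMC product itself): a small Python helper that builds a top-of-policy access rule for the sender-to-gateway flow with no intrusion policy attached, checks that it sits above any inspecting rule, and posts it through the FMC REST API. The sender IP, the object id, and the request/field names are assumptions to confirm against the API Explorer on your own FMC.

```python
import json
import urllib.request

# Constructed sample values (replace with your own; the IP is from the RFC 5737 doc range).
MAIL_SENDER_IP = "203.0.113.10"                             # public IP to exempt
MAIL_GW_OBJECT_ID = "<network-object-uuid-of-email-gateway>"  # placeholder object id

def build_bypass_rule(name, src_ip, dst_object_id):
    """Access rule matching only sender -> mail gateway, with no ipsPolicy attached,
    so matching traffic is allowed without Snort inspection (same 30000 rules untouched).
    Field names follow the FMC accessrules schema as assumed here; verify on your FMC."""
    return {
        "type": "AccessRule",
        "name": name,
        "enabled": True,
        "action": "ALLOW",
        "sourceNetworks": {"literals": [{"type": "Host", "value": src_ip}]},
        "destinationNetworks": {"objects": [{"type": "Host", "id": dst_object_id}]},
        "logBegin": False,
        "logEnd": True,
        "sendEventsToFMC": True,
        # deliberately no "ipsPolicy": an ALLOW rule without one skips intrusion inspection
    }

def bypass_is_effective(rules, bypass_name):
    """Offline sanity check over an ordered rule list (as GET .../accessrules returns it):
    the bypass must exist, carry no ipsPolicy, and precede every rule that inspects."""
    for rule in rules:
        if rule["name"] == bypass_name:
            return "ipsPolicy" not in rule and rule["action"] in ("ALLOW", "TRUST")
        if "ipsPolicy" in rule:
            return False  # an inspecting rule is evaluated first, so it would match first
    return False

def create_rule(fmc_host, token, domain_uuid, acp_uuid, rule):
    """POST the rule at position 1 of the ACP (insertBefore=1) so it is evaluated first.
    'token' is the X-auth-access-token obtained from /api/fmc_platform/v1/auth/generatetoken."""
    url = (f"https://{fmc_host}/api/fmc_config/v1/domain/{domain_uuid}"
           f"/policy/accesspolicies/{acp_uuid}/accessrules?insertBefore=1")
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"X-auth-access-token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # TLS is verified; install your FMC CA first
        return json.load(resp)
```

Deploy the policy afterwards as usual; the rule exempts only that one flow, and the intrusion policy used by the rest of the ACP is unchanged.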
