11-03-2023 03:03 AM
I have a requirement to bypass traffic inspection or whitelist IP addresses to allow pen testing to take place on our external IP address range. I previously achieved this using a service policy on ASAs. With FTDs, is the best option to use prefilters or something else?
11-03-2023 06:02 AM - edited 11-03-2023 09:11 AM
A prefilter policy rule for the external source IP with action = fastpath will exempt it from rules in the ACP.
However, I submit that's not a good pen test since you are allowing pen testing with one of your primary defenses turned off.
(edited to correct action = fastpath)
11-03-2023 06:52 AM
Hi Marvin, if I was to use a prefilter rule, would fastpath not be better, as I need to bypass IPS/Snort? Also, would adding the external IPs to the SI whitelist achieve the same result of bypassing IPS/Snort?
I agree with you that allowing testing with IPS is an odd approach.
11-03-2023 09:11 AM - edited 11-03-2023 09:12 AM
Sorry, you are right - I should have said fastpath. I edited my earlier reply to make that correction.
SI whitelist just means to exclude the scanner from any SI rule that it may have otherwise hit. Snort continues to evaluate it against any subsequent rules, the Intrusion policy, etc.
11-04-2023 05:22 AM
Thanks Marvin. I would still need the traffic to be subject to the regular permit/deny ACLs, and only require the IPs from the company that is scanning the network to be excluded from the IPS policy. So I'm thinking that using prefilter/fastpath wouldn't now be the answer. Do you think using a variable set and excluding the IPs is a better solution, like Massimo mentions?
11-04-2023 05:40 AM
You can configure the ACP rule with the Trust action. This makes the traffic pass fastpath through the ACP L3/L4 ACL and be trusted without further inspection by IPS/Snort.
If it is not trusted, then it will go further to be inspected by IPS/Snort.
Thanks A Lot
MHM
11-03-2023 11:13 PM
Exclude those IPs on the variable set applied to the relevant rules; it works like a charm.
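As an added illustration (not from this thread, Cisco, or FMC), a small Python model of what the variable-set exclusion does: the scanner's address (a constructed placeholder) is carved out of $EXTERNAL_NET, so intrusion rules scoped $EXTERNAL_NET -> $HOME_NET stop matching its flows, while every other external source still matches and the ACP ACL is untouched.

```python
"""Model of a Snort-style network variable with exclusions.
Constructed example only; addresses are documentation ranges and the
scanner IP is a hypothetical placeholder, not a real pen-test source."""
import ipaddress


def _nets(cidrs):
    # Single addresses become /32 (or /128) networks.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class Variable:
    """A network variable: included prefixes minus excluded prefixes."""

    def __init__(self, included, excluded=()):
        self.included = _nets(included)
        self.excluded = _nets(excluded)

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self.excluded):  # an exclusion always wins
            return False
        return any(addr in n for n in self.included)


SCANNER_IP = "198.51.100.10"  # hypothetical scanning-company source (constructed)

# Constructed variable set: HOME_NET is the company's public /24; EXTERNAL_NET
# is everything else, with the scanner's address excluded.
VARSET = {
    "HOME_NET": Variable(["203.0.113.0/24"]),
    "EXTERNAL_NET": Variable(["0.0.0.0/0"],
                             excluded=["203.0.113.0/24", SCANNER_IP]),
}


def rule_matches(src_ip, dst_ip, src_var, dst_var, varset=VARSET):
    """True if an intrusion rule scoped 'src_var -> dst_var' is evaluated
    against a flow src_ip -> dst_ip under this variable set."""
    return varset[src_var].contains(src_ip) and varset[dst_var].contains(dst_ip)


if __name__ == "__main__":
    for src in (SCANNER_IP, "192.0.2.44"):
        print(src, "->", "203.0.113.5", "IPS rule scope:",
              rule_matches(src, "203.0.113.5", "EXTERNAL_NET", "HOME_NET"))
```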