01-12-2022 02:53 AM
Hi,
We need to exclude the source IP address of our external vulnerability scanner, so it will not be blocked by the IPS.
The point is to simulate external attacks without IPS protection.
Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports.
Previously on ASA with Firepower module, it was done with simply adding deny statement in the sfr access-list.
Now it seems there is no option to do it?
Regards,
Borut
01-12-2022 02:59 AM
If you are using FMC, check the thread below:
https://community.cisco.com/t5/network-security/exclude-device-from-ips-policy/td-p/3814519
01-12-2022 05:46 AM
Thanks Balaji,
According to this solution we should add it to the Whitelist. But according to the Cisco documentation it will not exclude it from IPS inspection:
Traffic added to a Do Not Block list or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.
Reference URL: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/security_intelligence_blacklisting.html#ID-2192-00000005
02-01-2022 03:17 PM - edited 02-01-2022 03:17 PM
Hi Borut,
did you find a solution for your problem? If so, please share it with me since I'm stuck facing the same problem.
On ASA we simply added the Security-Scanner's IP address to a "Do not match" extended access list attached to the "default" service-policy. Regular L1-4 ACLs from ASA still applied while the traffic was explicitly excluded from Snort inspection.
Unfortunately on the FTD I haven't found an elegant solution like on the traditional ASA w/ FirePOWER Services stack. This feature seems to be missing entirely (unfortunately yet another thing to add on why FTD is worse than ASA).
"Shadowing" the regular ACPs in the PreFilter is not an option like OP mentioned.
Kind regards
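For readers who have not seen the ASA-with-SFR-module approach that both posters above refer to, here is an added illustration of what that "Do not match" entry looks like. It is not configuration from any poster or from Cisco; the ACL and class-map names are assumed, and 203.0.113.10 is a placeholder for the scanner address. The point is that the deny entries only control which flows are redirected to the Firepower (sfr) module; the interface access-groups that decide whether a port is reachable are evaluated independently, so the scanner still only sees ports the existing ACLs already permit.

```cisco
! Placeholder scanner address; replace with your own scanner's IP
! Deny = "do not redirect to the SFR module" (not "drop")
access-list sfr_redirect extended deny ip host 203.0.113.10 any
access-list sfr_redirect extended deny ip any host 203.0.113.10
! Everything else continues to be sent to Snort
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
policy-map global_policy
 class sfr_class
  ! fail-open keeps traffic flowing if the module is down; use fail-close if you prefer blocking
  sfr fail-open
!
service-policy global_policy global
```

Because the first matching ACE wins, the deny lines must come before the permit line. A quick check after deploying is `show service-policy sfr`, whose counters for the redirect class should stop incrementing for the scanner's flows while the interface ACL hit counts (`show access-list`) for those flows keep rising.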
02-01-2022 09:29 PM
You can try excluding that IP address on the variable set applied to the access rules you want to exempt.
02-08-2022 11:48 AM
Interesting idea, however this is not what me and OP are trying to accomplish. We're looking for a solution to completely exclude traffic being sent to Snort. Your approach will "just" prevent any alerts being triggered because the traffic will not match any SID pattern - the traffic still needs to traverse through Snort though.
02-08-2022 12:46 PM
I don't know Snort well enough to tell whether excluding an IP address at variable set level will almost entirely bypass Snort for that IP address or simply prevent Snort from enforcing the rules. In my mind, processing a rule when you know you'll never enforce it is a useless waste of CPU cycles, but real behavior may differ.
The only thing I can tell is that it works and it's the only way I found to accomplish such a goal without disabling other security features.
02-02-2022 12:29 AM
Unfortunately not.
02-02-2022 02:29 AM
How about if you apply a prefilter rule to exclude the scanner IP?
02-02-2022 03:56 AM
Both OP and me stated:
"Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports."
"'Shadowing' the regular ACPs in the PreFilter is not an option like OP mentioned."
02-02-2022 04:20 AM
I see, thanks for the clarification. Another question, can't we just add that scanner IP to the whitelist in the security intelligence section on the ACP?
02-07-2022 05:23 PM
@borutlape already mentioned this is no option since adding it to the whitelist will _NOT_ prevent it from further analysis by Snort:
11-03-2023 03:51 AM
Just found your post after posting similar post. https://community.cisco.com/t5/network-security/cisco-ftd-how-to-bypass-traffic-inspection/m-p/4953134#M1105559
Did you find a solution?