exclude source IP address from IPS inspection on FTD

borutlape
Level 1

Hi,


We need to exclude the source IP address of our external vulnerability scanner, so it will not be blocked by the IPS.

The point is to simulate external attacks without IPS protection.

Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports.


Previously, on ASA with the Firepower module, it was done by simply adding a deny statement to the sfr access-list.


Now it seems there is no option to do it?


Regards,

Borut


balaji.bandi
Hall of Fame

Thanks Balaji,


According to this solution we should add it to the Whitelist. But according to the Cisco documentation it will not exclude it from IPS inspection:

Traffic added to a Do Not Block list or monitored at the Security Intelligence stage is intentionally subject to further analysis with the rest of access control.
Reference URL: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/security_intelligence_blacklisting.html#ID-2192-00000005


1_am_r00t
Level 1

Hi Borut,


Did you find a solution for your problem? If so, please share it with me, since I'm stuck facing the same problem.


On ASA we simply added the security scanner's IP address to a "Do not match" extended access list attached to the "default" service-policy. The regular L1-4 ACLs from the ASA were still applied, while the traffic was explicitly excluded from Snort inspection.


Unfortunately on the FTD I haven't found an elegant solution like on the traditional ASA w/ FirePOWER Services stack. This feature seems to be missing entirely (unfortunately yet another thing to add on why FTD is worse than ASA).


"Shadowing" the regular ACPs in the PreFilter is not an option, as OP mentioned.


Kind regards

You can try excluding that IP address in the variable set applied to the access rules you want to exempt.

Interesting idea, however this is not what OP and I are trying to accomplish. We're looking for a solution to completely exclude traffic from being sent to Snort. Your approach will "just" prevent any alerts from being triggered, because the traffic will not match any SID pattern - the traffic still needs to traverse Snort though.

I don't know Snort well enough to be able to tell whether excluding an IP address at the variable set level will almost entirely bypass Snort for that IP address or simply prevent Snort from enforcing the rules. In my mind, processing a rule when you know you'll never enforce it is a useless waste of CPU cycles, but real behavior may differ.

The only thing I can tell is that it works and it's the only way I found to accomplish such a goal without disabling other security features.

Unfortunately not.

How about if you apply a prefilter rule to exclude the scanner IP?

Both OP and me stated:

"Adding an access rule on the top with no IPS inspection is not an option, because then the access will not be evaluated against the existing access rules, and there are a lot. We need to scan only existing open ports."

"'Shadowing' the regular ACPs in the PreFilter is not an option, as OP mentioned."

I see, thanks for the clarification. Another question, can't we just add that scanner IP to the whitelist in the security intelligence section on the ACP?

@borutlape already mentioned this is not an option, since adding it to the whitelist will _NOT_ prevent it from further analysis by Snort:

https://community.cisco.com/t5/network-security/exclude-source-ip-address-from-ips-inspection-on-ftd/m-p/4530202/highlight/true#M1086362

goudier2001
Level 1

Just found your post after posting a similar post: https://community.cisco.com/t5/network-security/cisco-ftd-how-to-bypass-traffic-inspection/m-p/4953134#M1105559


Did you find a solution?
