Firepower Excluding a host from Rule action

John Telford
Level 1

Greetings,

I come from a Tippingpoint background and am now working with Firesight/Firepower.

We have hosts that trigger an HTTP rule that is set to Drop.

The traffic is valid and we do not want to drop it for this rule but we need all other http traffic from these hosts inspected.

Is manually creating a new copy of the Rule with the 'Pass' option for the affected hosts the only way to achieve this?

This seems cumbersome and at risk of human error causing something bad to occur. Plus we'll have to monitor for changes to the original Rule to keep the new one up to date.

If I understand the options:

Using Suppress won't work as it only suppresses the events - the action is still Dropped

Using a Trust (in this case) won't work because the source generates the event against many destinations and maintaining the list is not achievable.

Disabling the rule will remove detection of actual infected systems.

Which leaves the above Pass rule method.

We expect to see a number of these false positive requirements in the environment so having the best practice to handle them at the start will be most helpful.

Regards,

John

2 Replies

Brian D'Souza
Cisco Employee

Hello John,

What version of Firesight/Firepower appliances and software are you running in your environment?

To answer your question, my recommendation would be to create a 'Network' object based on your hosts' IP addresses, and collectively apply an 'Allow' action using an Access Control rule for HTTP protocol. This would pass the valid traffic from these hosts and inspect all other http traffic too.

I would recommend taking a look at this link, http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Rules-Tuning-Overview.html. This should help to understand the different actions and implications of an Access Control rule in FireSight Management Center for a FirePOWER device and assist you in effective rule creation.

Let me know if this helps. Thanks.

Regards,

Brian D'Souza.

Brian,

Version is 5.4.1.4

If I understand your recommendation I'd still need a custom rule with Pass for the network group, correct?

The 'allow' is still going to send all http traffic to the intrusion policy.

I'll take a look through the linked document.

Thanks,

John
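The Pass-rule method John describes (a copy of the Drop rule restricted to the exception hosts, which then has to be kept in step with the original) is mechanical enough to script. The following is an added example, not code from this thread or from Cisco: it assumes Snort-style rule text, a constructed sample rule, constructed exception hosts, and a local SID in the 1,000,000+ range for the copy, and it flags the copy as stale when the original rule's rev changes.

```python
import re

# Constructed sample: a Drop rule as it might appear in the intrusion policy (not a real SID).
ORIGINAL_RULE = (
    'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"EXAMPLE suspicious HTTP request"; flow:to_server,established; '
    'content:"/cgi-bin/"; http_uri; sid:100001; rev:3;)'
)

# Constructed: hosts whose traffic is a known false positive for this one rule.
EXCEPTION_HOSTS = ["10.10.5.21", "10.10.5.22"]

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)

def parse_rule(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort-style rule: %r" % rule)
    return m.groupdict()

def option_value(options, name):
    """Return the value of a 'name:value;' option, or None if absent."""
    m = re.search(r'(?:^|;)\s*%s:\s*([^;]+);' % re.escape(name), options)
    return m.group(1).strip() if m else None

def make_pass_rule(original, hosts, local_sid):
    """Derive a Pass rule that keeps every detection option of the original but
    matches only the listed source hosts; all other sources still hit the Drop rule."""
    r = parse_rule(original)
    parent_sid, parent_rev = option_value(r["options"], "sid"), option_value(r["options"], "rev")
    src = "[" + ",".join(hosts) + "]"
    # Drop the original sid/rev (the copy gets a local SID) and record the parent
    # sid:rev in the msg so drift between copy and original can be detected later.
    opts = re.sub(r'\s*sid:\s*\d+;\s*rev:\s*\d+;', '', r["options"]).strip()
    opts = re.sub(r'msg:"([^"]*)"', r'msg:"PASS copy of sid %s rev %s - \1"' % (parent_sid, parent_rev), opts)
    return "pass %s %s %s %s %s %s (%s sid:%d; rev:1;)" % (
        r["proto"], src, r["sport"], r["dir"], r["dst"], r["dport"], opts, local_sid)

def pass_copy_is_stale(pass_rule, original):
    """True when the original's sid/rev no longer match what the copy was derived from."""
    msg = option_value(parse_rule(pass_rule)["options"], "msg") or ""
    m = re.search(r'sid (\d+) rev (\d+)', msg)
    o = parse_rule(original)["options"]
    return not m or m.group(1) != option_value(o, "sid") or m.group(2) != option_value(o, "rev")

if __name__ == "__main__":
    copy = make_pass_rule(ORIGINAL_RULE, EXCEPTION_HOSTS, 1000001)
    print(copy)
    print("stale:", pass_copy_is_stale(copy, ORIGINAL_RULE))
```

Run the staleness check against each rule update so the Pass copy is regenerated whenever the original rule's rev moves, which addresses the monitoring concern raised above.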
