cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8134
Views
5
Helpful
5
Replies

Firepower how to exclude a single IP from a single rule?

Not applicable

How do you allow a single IP to by pass a single rule?   I see an alert that is associated with a SQL injection.  I know that the source and destination IP and port are 100% legit.  I want to exclude this single rule for the source and destination and not exclude the IPs from any other rules.  I am having a hard time finding out if this can be done.   

5 Replies 5

Dinesh Verma
Cisco Employee
Cisco Employee

Hi Kenn,

If you're talking about the intrusion event then you can add the suppression for that particular IP. Attached is the screenshot for the same.

Hope this helps.

Regards,

Dv

@Dinesh Verma are you really a Cisco employee or is that some sort hack you did? I can't believe someone would mislead someone like you did here. That's extremely disturbing and I've reported your post.

 

To the op: A suppression would actually cause you even more trouble - your traffic would still be blocked, and you would now have no alerting for it! Not only that, it creates extra work Snort. What you need to do is either create a "Pass Rule" or modify your Access Control Policy to have a rule to pass this traffic without inspection.

argrullo
Cisco Employee
Cisco Employee
Hello Team,

You could also create a new access control rule for the IP, then in the Inspection portion of the rule, reference a new IPS rule with the SID turned off.

You can create as many IPS policies as you want, then reference them in different rules.

That way you can still have inspection on your SQL server for the other SID's.

netcomms1
Level 1
Level 1

This hasn't worked for me despite enabling new access rule with "Trust" action and no IPS policy applied. I've also White-listed the IP, but still seeing the Trusted IP registered in several Intrusion Event entries for SQL Injection attack and much more. 

I'll appreciate suggestions to resolve this as it's generating lots of Intrusion events False Positives.

What if you just add a deny IP_SRC IP_DST on the ACL used by SFR on the ASA policy-map?
Review Cisco Networking for a $25 gift card