Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8133
Views
5
Helpful
5
Replies

Firepower how to exclude a single IP from a single rule?

Not applicable

‎08-10-2017 08:39 AM - last edited on ‎03-12-2019 06:29 AM by

How do you allow a single IP to by pass a single rule?   I see an alert that is associated with a SQL injection.  I know that the source and destination IP and port are 100% legit.  I want to exclude this single rule for the source and destination and not exclude the IPs from any other rules.  I am having a hard time finding out if this can be done.   

2 people had this problem
Labels:
0 Helpful
5 Replies 5

Dinesh Verma
Cisco Employee
Cisco Employee

‎08-10-2017 06:45 PM

Hi Kenn,

If you're talking about the intrusion event then you can add the suppression for that particular IP. Attached is the screenshot for the same.

Hope this helps.

Regards,

Dv

Preview file
455 KB

JustSomeNetworkGuy
Level 1
Level 1
In response to Dinesh Verma

‎03-27-2018 10:57 AM

@Dinesh Verma are you really a Cisco employee or is that some sort hack you did? I can't believe someone would mislead someone like you did here. That's extremely disturbing and I've reported your post.

 

To the op: A suppression would actually cause you even more trouble - your traffic would still be blocked, and you would now have no alerting for it! Not only that, it creates extra work Snort. What you need to do is either create a "Pass Rule" or modify your Access Control Policy to have a rule to pass this traffic without inspection.

0 Helpful

argrullo
Cisco Employee
Cisco Employee

‎03-27-2018 12:05 PM

Hello Team,

You could also create a new access control rule for the IP, then in the Inspection portion of the rule, reference a new IPS rule with the SID turned off.

You can create as many IPS policies as you want, then reference them in different rules.

That way you can still have inspection on your SQL server for the other SID's.
0 Helpful

netcomms1
Level 1
Level 1

‎06-26-2018 05:51 PM

This hasn't worked for me despite enabling new access rule with "Trust" action and no IPS policy applied. I've also White-listed the IP, but still seeing the Trusted IP registered in several Intrusion Event entries for SQL Injection attack and much more. 

I'll appreciate suggestions to resolve this as it's generating lots of Intrusion events False Positives.

0 Helpful

Florin Barhala
Level 6
Level 6
In response to netcomms1

‎06-27-2018 10:38 PM

What if you just add a deny IP_SRC IP_DST on the ACL used by SFR on the ASA policy-map?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card