Chess_N
Beginner

IP whitelisting

Hi,

I want to whitelist a scanner host on our network that is triggering lots of intrusion events.

I tried to right-click the IP address and then select "Whitelist IP now", and it puts the IP in the Global-Whitelist, but intrusion events are still getting triggered.

Do I need to do a deploy after adding it to the Whitelist? Also, since the Whitelist seems to be for Security Intelligence events and these are intrusion events, should I use a trust rule in the ACP instead?

Thanks

/Chess

Accepted Solution
Milos_Jovanovic
Collaborator

Hi @Chess_N,

Normally, scanners are not meant to be placed behind a FW. One of the reasons is what you realized yourself - it triggers alarms. Another and very important reason is that scanners trigger many connections to multiple IPs (depending on scan type), which can impact FW performance (the connection table fills rapidly, CPU spikes as it has to process more connections). Most (if not all) scanner configuration guides explicitly say not to place the scanner behind a FW.

Now, if you still want to do this, and assuming you are using FTD, I would advise placing this host in the Prefilter policy, as it was designed for these use cases - if you need to make a decision at the L3/L4 level, without deeper inspection. If you are running ASA with Firepower, simply exclude the scanner IP from the redirected traffic.

BR,

Milos
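For the ASA-with-FirePOWER option mentioned in the accepted answer, "excluding the scanner IP from redirected traffic" means carving the scanner out of the access list that selects which connections are sent to the sfr service module. The fragment below is an added illustration, not from this thread or from Cisco documentation; the access-list and class-map names and the scanner address 10.0.0.50 are constructed. Only the redirect to the module is skipped, so the scanner's flows are still subject to the ASA's own access rules.

```text
! Constructed example: keep one authorised scanner (10.0.0.50) out of SFR redirection.
! Deny entries are evaluated first, so the scanner's flows in either direction
! never match the class and are never handed to the FirePOWER module.
access-list SFR_REDIRECT extended deny ip host 10.0.0.50 any
access-list SFR_REDIRECT extended deny ip any host 10.0.0.50
! Everything else continues to be redirected for inspection.
access-list SFR_REDIRECT extended permit ip any any

class-map SFR_CLASS
 match access-list SFR_REDIRECT

policy-map global_policy
 class SFR_CLASS
  ! fail-open keeps traffic flowing if the module is unavailable
  sfr fail-open

service-policy global_policy global
```

Keep the deny lines scoped to the single scanner host rather than its subnet, so the exception covers only the system whose scans you have already decided to trust; on FTD the equivalent is a Fastpath rule for that host in the Prefilter policy, configured in FMC rather than on the CLI.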


4 Replies

Chess_N
Beginner

Thank you @Milos_Jovanovic. The host is running a security product called Rapid7 and it's scanning hosts between different security zones. This is an FTD device, so I'll have a look at using a Prefilter policy.

Best regards

/Jorgen

Milos_Jovanovic
Collaborator

Yes, you should deploy it in the Prefilter policy then.

However, consider placing the scanner in the inside zone. I managed to find this document for Rapid7 deployment, in which it states what I already mentioned - you should place the scanner so that it doesn't pass through the firewall. This would potentially save you a headache.

BR,

Milos

Chess_N
Beginner

@Milos_Jovanovic Thanks for the document. 
