IP whitelisting

Chess_N
Level 1

Hi,

I want to whitelist a scanner host on our network that is triggering lots of intrusion events.

I tried to right-click the IP address and the select "Whitelist IP now",  and it puts the IP in the Global-Whitelist, but intrusion events are still getting triggered.

Do I need to do a deploy after adding it to the Whitelist? Also, since the Whitelist seems to be for security Intelligence events and this is an intrusion events, should I use a trust rule in the ACP instead?

Thanks

/Chess

Accepted Solution

Milos_Jovanovic
VIP Alumni

Hi @Chess_N,

Normally, scanners are not meant to be placed behind a FW. One of the reasons is what you realized yourself - it triggers alarms. Another and very important reason is that scanners are triggering many connections on multiple IPs (depending on scan type), which can impact FW performance (the connection table is filling rapidly, CPU is spiking as it has to process more connections). Most (if not all) scanner configuration guides explicitly say not to place the scanner behind a FW.

Now, if you still want to do this, and assuming you are using FTD, I would advise placing this host in Prefilter policy, as it was designed for these use cases - if you need to make decision on L3/L4 level, without deeper inspection. If you are running ASA with Firepower, simply exclude scanner IP from redirected traffic.

BR,

Milos
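For the ASA-with-Firepower case mentioned in the answer above, this is an added illustration (not from the original post) of what "exclude the scanner IP from redirected traffic" looks like in ASA configuration: the redirect ACL denies the scanner host first, so its traffic never matches the class-map and is never sent to the SFR module for inspection. The scanner address 10.0.0.5 and the ACL/class-map names are placeholders.

```cisco
! Placeholder scanner host; deny lines in a redirect ACL mean "do not redirect",
! they do not drop traffic (forwarding is still governed by the interface ACLs).
access-list sfr-redirect extended deny ip host 10.0.0.5 any
access-list sfr-redirect extended deny ip any host 10.0.0.5
! Everything else is still handed to the Firepower (SFR) module.
access-list sfr-redirect extended permit ip any any
!
class-map sfr-class
 match access-list sfr-redirect
!
policy-map global_policy
 class sfr-class
  sfr fail-open
!
service-policy global_policy global
```

After applying it, `show service-policy sfr` confirms which class is redirecting and lets you verify that scanner flows are no longer counted there.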


4 Replies


Chess_N
Level 1

Thank you @Milos_Jovanovic. The host is running a security product called Rapid7 and it's scanning hosts between different security zones. This is an FTD device so I'll have a look at using a Prefilter policy.


Best regards

/Jorgen

Yes, you should deploy it in Prefilter policy then.

However, consider placing the scanner in the inside zone. I managed to find this document for Rapid7 deployment, in which it states what I already mentioned - you should place the scanner so that it doesn't pass the firewall. This would potentially save you a headache.

BR,

Milos

Chess_N
Level 1

@Milos_Jovanovic Thanks for the document. 
