09-03-2021 10:10 AM - edited 09-03-2021 12:47 PM
Hi,
I want to whitelist a scanner host on our network that is triggering lots of intrusion events.
I tried to right-click the IP address and then select "Whitelist IP now", and it puts the IP in the Global-Whitelist, but intrusion events are still getting triggered.
Do I need to do a deploy after adding it to the Whitelist? Also, since the Whitelist seems to be for Security Intelligence events and these are intrusion events, should I use a trust rule in the ACP instead?
Thanks
/Chess
09-03-2021 11:02 PM - edited 09-03-2021 11:02 PM
Hi @Chess_N,
Normally, scanners are not meant to be placed behind a FW. One of the reasons is what you realized yourself - it triggers alarms. Another, and very important, reason is that scanners open many connections to multiple IPs (depending on scan type), which can impact FW performance (the connection table fills rapidly, and CPU spikes as it has to process more connections). Most (if not all) scanner configuration guides explicitly say not to place the scanner behind a FW.
Now, if you still want to do this, and assuming you are using FTD, I would advise placing this host in a Prefilter policy, as it was designed for these use cases - when you need to make the decision at L3/L4 level, without deeper inspection. If you are running ASA with Firepower, simply exclude the scanner IP from the redirected traffic.
BR,
Milos
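As an added example (not part of the thread above), this is the ASA-with-FirePOWER-module variant of the exclusion Milos describes. Traffic is only handed to the SFR module if it matches the class-map used in the service policy, so denying the scanner in the redirect ACL keeps its scans out of Snort inspection and out of the intrusion-event stream. The scanner address 10.10.20.50 and the object names are assumptions for illustration. On FTD there is no equivalent CLI: the corresponding step is a Fastpath rule for the scanner host in the Prefilter policy (FMC: Policies > Access Control > Prefilter), associated with the ACP and then deployed.

```cisco
! Added example, not from the original thread.
! Assumed scanner address: 10.10.20.50

! Before: everything is redirected to the FirePOWER (SFR) module,
! so the scanner's probes are inspected and raise intrusion events.
access-list SFR_REDIRECT extended permit ip any any

! After: exclude the scanner in both directions, redirect everything else.
! Order matters - the deny entries must come before the permit.
access-list SFR_REDIRECT_NOSCAN extended deny ip host 10.10.20.50 any
access-list SFR_REDIRECT_NOSCAN extended deny ip any host 10.10.20.50
access-list SFR_REDIRECT_NOSCAN extended permit ip any any

class-map SFR_CLASS
 match access-list SFR_REDIRECT_NOSCAN

policy-map global_policy
 class SFR_CLASS
  sfr fail-open

service-policy global_policy global

! Verify: the deny ACEs should accumulate hitcounts while the scanner runs,
! and the sfr class counters should stop growing for that host.
show access-list SFR_REDIRECT_NOSCAN
show service-policy sfr
```

Keep the exclusion as narrow as the scanner itself (one host, or the scanner and its target ranges). Everything that matches the deny entries bypasses Snort entirely, so a broader ACE quietly removes inspection from traffic you still want watched, and the scanner host itself becomes a blind spot worth hardening and monitoring by other means.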
09-04-2021 02:31 AM
Thank you @Milos_Jovanovic. The host is running a security product called Rapid7 and it's scanning hosts between different security zones. This is an FTD device, so I'll have a look at using a Prefilter policy.
Best regards
/Jorgen
09-04-2021 01:11 PM
Yes, you should deploy it in a Prefilter policy then.
However, consider placing the scanner in the inside zone. I managed to find this document for Rapid7 deployment, in which it states what I already mentioned - you should place the scanner so that it doesn't pass through the firewall. This would potentially save you a headache.
BR,
Milos
09-05-2021 07:13 AM
@Milos_Jovanovic Thanks for the document.