Need Help Whitelisting VM Scanning

kyle.brearley
Level 1

I have internal Qualys vulnerability scans which target systems inside my web DMZ. Once my AMP 8150 IPS devices see the traffic, it appears to be coming from an x-forwarded IP address on our load balancers. Two things I can see when I analyze the packets on the IPS are:

1. You can see the 'X-Forwarded-For' IP address is in fact the IP address of the Qualys scanner. 

2. We append the text into the packets: 'Qualys-Scan: VM'

What are my options for not generating intrusion events for this traffic?  My hope was to look at the 'X-Forwarded-For' address and whitelist based on that, but it seems like that may not be possible on the Sourcefire platform(?).  Any ideas? 

Thanks in advance

1 Reply

Ed Padilla Jr
Level 1

Yes. On your Access Control Policy, create a rule to "Trust" that traffic by source and/or destination. Make sure you enable logging so that you can search or validate that it has been Trusted (do not inspect).
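
An added example, not part of the thread and not Cisco or Qualys code: a stand-alone Python check for the two markers described in the question, for use when triaging captured requests outside the IPS. The addresses are constructed, and it assumes that 'Qualys-Scan: VM' is an HTTP header and that the load balancer appends the connecting client as the last X-Forwarded-For entry.

```python
import ipaddress

# Constructed values for illustration (assumptions, not taken from the thread).
LOAD_BALANCERS = {ipaddress.ip_address("10.10.0.5")}
QUALYS_SCANNERS = {ipaddress.ip_address("10.20.0.50")}

def parse_headers(raw_request: bytes) -> dict:
    """Map lower-cased header name -> list of values from a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def is_qualys_scan(peer_ip: str, raw_request: bytes) -> bool:
    """True only when the peer is our load balancer, the tag is present, and the
    entry the load balancer appended to X-Forwarded-For is a known scanner."""
    if ipaddress.ip_address(peer_ip) not in LOAD_BALANCERS:
        return False  # headers from any other peer are untrusted input
    headers = parse_headers(raw_request)
    if "VM" not in headers.get("qualys-scan", []):
        return False
    # Repeated headers and comma lists form one ordered chain. Only the last
    # entry was written by the load balancer; earlier ones are client-supplied.
    hops = [h.strip() for v in headers.get("x-forwarded-for", []) for h in v.split(",")]
    if not hops:
        return False
    try:
        return ipaddress.ip_address(hops[-1]) in QUALYS_SCANNERS
    except ValueError:
        return False  # malformed address in the header

# Constructed sample requests.
SCAN = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
        b"X-Forwarded-For: 10.20.0.50\r\nQualys-Scan: VM\r\n\r\n")
# Client sent its own X-Forwarded-For and tag; the load balancer appended the real peer.
FORGED = (b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
          b"X-Forwarded-For: 10.20.0.50, 203.0.113.9\r\nQualys-Scan: VM\r\n\r\n")

if __name__ == "__main__":
    for label, peer, req in [("scan", "10.10.0.5", SCAN), ("forged", "10.10.0.5", FORGED),
                             ("direct", "198.51.100.7", SCAN)]:
        print(label, is_qualys_scan(peer, req))
```

The header markers are honoured only when the request arrives from the load balancer, since any other sender can set both headers itself.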
