Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
448
Views
0
Helpful
1
Replies

Override manual shun with network object group?

support.c
Level 1
Level 1

‎09-07-2017 10:59 AM - edited ‎02-21-2020 06:16 AM

Is there a way to override a manual shun with an object group (or otherwise)?

I have found that we can override an "automatic shun" using:

threat-detection scanning-threat shun except object-group no-shun

But, we are needing a way to override a priviledged user typing in:

shun <ip>

Won't get too deep into the unlying reasons for needing this... but, let's just say it's a way to keep legit IP addresses from getting blocked when they are mistaken for malicious IPs.

Any ideas?

Labels:
0 Helpful
1 Reply 1

Maykol Rojas
Cisco Employee
Cisco Employee

‎09-07-2017 01:03 PM

Unfortunately there is no way to accomplish this. 

What I would suggest is to use a global ACL and then apply the exceptions there, without using the Shun command. 

 

Mike. 

Mike
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card