03-07-2017 08:36 AM - edited 03-10-2019 06:47 AM
I have some vulnerability scanners that are hitting my load-balancers. The load-balancers are SNATing the connections, so Firepower sees the sources as the load-balancers going to various destinations on my network. However, in the packet, I see the original client IP (X-Forwarded-For header). I am trying to find a way that I can trust this connection as long as I see that scanner IP in the packet. Is there a way that I can do this either through rule-writing or access control rules?
03-10-2017 12:47 PM
Hello,
Not an expert in Firepower but trying to help.
For the X-Forwarded-For criteria, you can use the 'Original Client' option instead of the source IP address.
When you edit the rule, under 'Networks', check under the source Networks; there is a tab for 'Original Client', which refers to 'X-Forwarded-For'.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html
Then you can use that criteria to Trust the traffic.
HTH
-
AJ
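To illustrate the decision the rule above encodes, here is an added example (not Firepower code and not from the thread) of matching on the original client from X-Forwarded-For rather than the SNATed source. The load-balancer and scanner addresses are constructed assumptions; it also assumes the leftmost X-Forwarded-For entry is the original client, and, as a caveat, only believes the header when the packet-level source is one of your own load-balancers, since any other sender can set X-Forwarded-For to whatever it likes.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread):
# the load-balancers' SNAT addresses and the scanner's real address.
LOAD_BALANCERS = [ipaddress.ip_network("10.0.0.0/29")]
TRUSTED_SCANNERS = [ipaddress.ip_network("192.0.2.10/32")]


def original_client(xff_header: str):
    """Return the leftmost X-Forwarded-For address, or None if unparsable.

    Assumption: the first entry is the original client and later entries
    are the proxies/load-balancers the request passed through.
    """
    if not xff_header:
        return None
    first = xff_header.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None


def should_trust(src_ip: str, xff_header: str) -> bool:
    """Trust a flow only when the packet source is one of our load-balancers
    (the only hosts whose X-Forwarded-For we believe) AND the original
    client they report is a known scanner address."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in LOAD_BALANCERS):
        # Header came from an untrusted sender; ignore it entirely.
        return False
    client = original_client(xff_header)
    return client is not None and any(client in net for net in TRUSTED_SCANNERS)
```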
03-10-2017 01:13 PM
I didn't see that Original Client tab. This will help me greatly. Thank you very much for pointing me to it.