Whitelist IP address in IPS Policy

Community,

In Firepower, is there a way to whitelist a specific IP address in the IPS policy so that the IPS policy does not inspect the traffic, but where the IP is still subject to regular access control rules? A third party wants to do external scans of our network and we were asked to whitelist their IP from IPS inspection but still have the IP be subject to the regular permit/deny statements. So if their IP is permitted by the rule, their traffic won't be inspected by the IPS policy applied to the rule. Is this possible?

 

Thanks!

3 Replies

betliu (Cisco Employee)

There are a few ways to whitelist an IP address so that it bypasses the IPS rule:

First way:

1) Go to Analysis > Security Intelligence Events.

2) To Whitelist an IP address (previously Blacklisted), go to Security Intelligence Events > click a specific Blacklisted Responder IP > right-click > Whitelist IP Now.

3) Click White List Now to confirm the selected IP.

4) You can verify the whitelisted IPs under Objects > Security Intelligence > Network Lists and Feeds > edit Global-Whitelist. The whitelist takes effect immediately without saving.

5) Verify under Analysis > Connections > Events (normal Events) and notice the Whitelisted public IPs are now Trusted (at the very bottom).

Second way:

1) Alternatively, you can whitelist on ACP > SI:

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html#concept_E1A096B925014F508354F38675BC538F

2) and then Deploy.

Third Way:

1) Go to Analysis > Intrusion Events > Table View of Events.

2) To whitelist an IP address (previously blocked by the IPS rule), right-click the IP address and click 'Edit Rule'.

3) Set 'Action' to 'Pass', and set 'Source IP' to the specific IP address you want to bypass this IPS rule.

4) Click the 'Save as New' button at the bottom of the window, and copy the new IPS rule ID from the top right of the window.

5) Go to Policy > Intrusion > Rules > Filter, and search for the new IPS rule generated in step 4.

6) Click the rule and then click the 'Rule State' button in the top right corner.

7) Set this rule to 'Generate Events'.

 

 

@betliu, are you saying that whitelisting an IP address in Security Intelligence also prevents corresponding traffic from being inspected by Intrusion Policy Rules?

 

@ChristopherCraddock66504, I guess you need to use Variable Sets: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/reusable_objects.html#ID-2243-00000521. Most (but to the best of my knowledge not all) Snort2 signatures are written to trigger for traffic matching the $EXTERNAL_NET -> $HOME_NET condition. You can exclude your scan host IP from $EXTERNAL_NET the same way as you typically exclude $HOME_NET from $EXTERNAL_NET. Objects > Default-Set is the default Variable Set, unless you created your own Variable Set and specified it when linking the Intrusion Policy to Access Control Policy rules.
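As an added example (not code from this thread, from Cisco, or from Snort itself), the following Python models how a Snort 2 rule header resolves $EXTERNAL_NET and $HOME_NET from a variable set, so the two approaches in this thread can be compared on constructed packets: the per-rule 'pass' rule from the third way above, and excluding the scanner from $EXTERNAL_NET as the Variable Set reply proposes. The scanner address 198.51.100.7, the home range 192.0.2.0/24, the destination host 192.0.2.10, and the rules and SIDs are all assumptions made for illustration. It models only the header match (address lists with '!' negation, nested $VAR references, port specs) and Snort's default pass-before-alert ordering; rule options, preprocessors and FMC's own policy layering are not modelled.

```python
# Added example: a model of Snort 2 header matching with variable sets.
# All addresses, rules and SIDs are constructed for illustration.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Snort's default rule ordering evaluates pass rules before alert/drop rules.
ACTION_ORDER = {"pass": 0, "drop": 1, "alert": 2, "log": 3}


def _tokens(value):
    """Split "[a,!b,$C]", "any" or "10.0.0.0/8" into comma-separated tokens."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [t.strip() for t in value.split(",") if t.strip()]


def compile_address(value, varset):
    """Build a predicate over ip_address objects for a Snort address spec.

    Positive tokens are OR'd; a "!" token excludes its addresses; a list made
    only of negations (e.g. "[!$HOME_NET]") matches everything except those
    addresses. "$NAME" is looked up (recursively) in the variable set."""
    positives, negatives = [], []
    for tok in _tokens(value):
        negated = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok == "any":
            pred = lambda a: True
        elif tok.startswith("$"):
            pred = compile_address(varset[tok[1:]], varset)
        else:
            net = ipaddress.ip_network(tok, strict=False)
            pred = lambda a, net=net: a in net
        (negatives if negated else positives).append(pred)

    def matches(a):
        pos_ok = not positives or any(p(a) for p in positives)
        return pos_ok and not any(n(a) for n in negatives)
    return matches


def compile_port(spec):
    """Port spec: "any", a single port, or a "lo:hi" range."""
    if spec == "any":
        return lambda p: True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo, hi = int(lo or 0), int(hi or 65535)
        return lambda p: lo <= p <= hi
    port = int(spec)
    return lambda p: p == port


def compile_rule(text, varset):
    """Parse a rule header and bind its $VARs against the given variable set."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    sid = re.search(r"\bsid\s*:\s*(\d+)", m["opts"])
    return {
        "action": m["action"], "proto": m["proto"].lower(), "dir": m["dir"],
        "src": compile_address(m["src"], varset), "sport": compile_port(m["sport"]),
        "dst": compile_address(m["dst"], varset), "dport": compile_port(m["dport"]),
        "sid": int(sid.group(1)) if sid else None,
    }


def _header_matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (rule["src"](src) and rule["sport"](sport)
                and rule["dst"](dst) and rule["dport"](dport))
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def evaluate(rules, pkt):
    """Return (action, sid) of the winning rule for a packet, or None if no rule matches."""
    hits = [r for r in rules if _header_matches(r, pkt)]
    if not hits:
        return None
    best = min(hits, key=lambda r: ACTION_ORDER.get(r["action"], 99))
    return best["action"], best["sid"]


# Constructed variable sets: the usual default shape, and one with the assumed
# scanner address excluded from $EXTERNAL_NET as the Variable Set reply suggests.
DEFAULT_SET = {"HOME_NET": "[192.0.2.0/24]", "EXTERNAL_NET": "[!$HOME_NET]"}
SCANNER_EXCLUDED_SET = {"HOME_NET": "[192.0.2.0/24]",
                        "EXTERNAL_NET": "[!$HOME_NET,!198.51.100.7]"}

# Constructed rules. SID 1000002 deliberately uses "any" as its source, standing in
# for the signatures that are not written against $EXTERNAL_NET.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SSH probe"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 445 (msg:"constructed SMB probe"; sid:1000002;)',
]
# The "third way" from the thread, as a pass rule scoped to the scanner's source IP.
PASS_RULE = 'pass tcp 198.51.100.7 any -> $HOME_NET 22 (msg:"scanner exempt"; sid:1000003;)'


def verdict(rule_texts, varset, src, dport):
    """Compile the rules against a variable set and evaluate one constructed TCP packet."""
    rules = [compile_rule(r, varset) for r in rule_texts]
    pkt = {"proto": "tcp", "src": ipaddress.ip_address(src), "sport": 40000,
           "dst": ipaddress.ip_address("192.0.2.10"), "dport": dport}
    return evaluate(rules, pkt)


if __name__ == "__main__":
    print(verdict(RULES, DEFAULT_SET, "198.51.100.7", 22))            # scanner alerts
    print(verdict(RULES, SCANNER_EXCLUDED_SET, "198.51.100.7", 22))   # excluded: no hit
    print(verdict(RULES, SCANNER_EXCLUDED_SET, "203.0.113.9", 22))    # other hosts still alert
    print(verdict(RULES, SCANNER_EXCLUDED_SET, "198.51.100.7", 445))  # "any"-sourced rule still fires
    print(verdict(RULES + [PASS_RULE], DEFAULT_SET, "198.51.100.7", 22))  # pass beats alert
```

The last two calls are the practical checks. Excluding the scanner from $EXTERNAL_NET silences only the rules whose source is $EXTERNAL_NET; a rule whose source is "any" (SID 1000002 here) still fires, which is the "not all signatures" caveat in the reply above. A pass rule keyed on the scanner's source address is exact but applies to one signature at a time, so it needs repeating for every rule the scan trips. Whichever is used, keep the exception scoped to the scanner's address and remove it when the engagement ends.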
 

 

goudier2001 (Level 1)

Did you get a solution for your question as I have the same requirement?
