FMC Variable Set

dcanady55
Level 3

Hello,

I have a situation where employees out on VPN interact with a shared drive on the inside of our network, and the IPS is constantly flagging it as the following: I thought my variable set would fix the issue, as my VPN network is defined inside the Home Network variable and Home Network is excluded within the External Network variable. How do I go about whitelisting this traffic, or is the best route to suppress it under the alert configuration of that specific rule?

gid:133; sid:59; rev:2; msg:"(dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary

Thanks,

Accepted Solution

In the given case, if the IPS is giving warnings about the file sharing between employees on VPN and the shared drive inside your company's network, there are two options which I think fit your situation.

If using FMC, go to the "Policies" section and select the IPS policy whose rule is causing the warning. Find the specific rule (identification number like gid:133, sid:59) that is triggering the warning. Here, change this rule to make an exception for the file sharing traffic between the VPN tunnel network and the shared drive. Save the changes, apply the IPS policy and test.

Using this method, the IPS will skip checking the traffic according to this specific rule. This will allow the VPN users to share files with the shared drive without generating any warnings/alerts.

The second option is alert suppression. If you still want the IPS to inspect the file sharing traffic but don't want the warning to appear, you can suppress that particular warning generated by the IPS rule. Locate the specific rule (with an identification number like gid:133, sid:59) that triggers the warning. Modify the rule and configure the settings to suppress the warning. By suppressing the warning for this rule, the IPS will still examine the file sharing traffic, but it won't give a warning specifically for this event. Save the changes, apply the IPS policy and test.

The third option is to create an ACP rule (access-list, with source network and destination network [VPN tunnel IP address/es and shared drive IP address/es]) as "Trust" instead of "Allow". Just make sure your trust rule is at the top of the access-list.

Please do not forget to rate.

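The suppression option in the accepted answer is a decision keyed on the rule identifier (gid:sid) plus a tracked address and network. As an added example, not code from the original post or from Cisco, the script below models that decision over a few constructed alert lines in a simplified fast-alert layout and renders the equivalent Snort 2 `threshold.conf` suppress directive. The VPN pool 10.50.0.0/24, the file server 10.1.1.10 and the extra custom rule sid 2000001 are assumptions for the demo, not values from the page.

```python
"""
Model of IPS alert suppression by gid:sid and tracked source network.
Added example; alert lines and addresses are constructed, not real captures.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample alerts in a simplified "[gid:sid:rev] msg {PROTO} src:sport -> dst:dport" layout.
# Assumed topology: 10.50.0.0/24 = VPN pool, 10.1.1.10 = file server, 203.0.113.5 = an outside host.
SAMPLE_ALERTS = [
    "[133:59:2] (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary "
    "{TCP} 10.50.0.23:51234 -> 10.1.1.10:445",
    "[133:59:2] (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary "
    "{TCP} 203.0.113.5:40000 -> 10.1.1.10:445",
    "[1:2000001:1] EXAMPLE custom rule (assumed sid) {TCP} 10.50.0.23:51235 -> 10.1.1.10:445",
]

ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track: str  # "by_src" or "by_dst", as in Snort's suppress keyword
    network: ipaddress.IPv4Network

    def to_directive(self) -> str:
        # Snort 2 threshold.conf syntax expressing this same suppression.
        return (f"suppress gen_id {self.gid}, sig_id {self.sid}, "
                f"track {self.track}, ip {self.network}")

    def matches(self, alert: Alert) -> bool:
        # Only the exact gid:sid is affected; other rules still fire for the same hosts.
        if (alert.gid, alert.sid) != (self.gid, self.sid):
            return False
        addr = alert.src if self.track == "by_src" else alert.dst
        return addr in self.network


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; return None for lines that do not fit the layout."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"]))


def filter_alerts(lines: Iterable[str], suppressions: List[Suppression]) -> List[Alert]:
    """Return the alerts that would still be reported after suppression is applied."""
    kept: List[Alert] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # unparsable line; a real tool would log it rather than drop it
        if any(s.matches(alert) for s in suppressions):
            continue  # inspected, but the event is not reported
        kept.append(alert)
    return kept


# Suppress gid:133 sid:59 only when the source is in the assumed VPN pool.
VPN_SUPPRESSION = Suppression(133, 59, "by_src", ipaddress.IPv4Network("10.50.0.0/24"))

if __name__ == "__main__":
    print(VPN_SUPPRESSION.to_directive())
    for a in filter_alerts(SAMPLE_ALERTS, [VPN_SUPPRESSION]):
        print(f"ALERT [{a.gid}:{a.sid}:{a.rev}] {a.src} -> {a.dst} {a.msg}")
```

Running it keeps two of the three constructed alerts: the same SMB event from the outside host still fires, as does the unrelated custom rule from the VPN client, which is the difference between suppression scoped to one gid:sid and network and a Trust rule that exempts the flow from inspection altogether.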