
Cisco FTD - How to bypass traffic Inspection

goudier2001
Level 1

I have a requirement to bypass traffic inspection, or whitelist IP addresses, to allow pen testing to take place on our external IP address range. Previously I achieved this using a service policy on the ASAs. With FTDs, is the best option to use pre-filters, or something else?


6 Replies

Marvin Rhoads
Hall of Fame

A prefilter policy rule for the external source IP with action = fastpath will exempt it from the rules in the ACP.

However, I submit that's not a good pen test since you are allowing pen testing with one of your primary defenses turned off.


(edited to correct action = fastpath)

Hi Marvin, if I were to use a prefilter rule, wouldn't fastpath be better, as I need to bypass IPS/Snort? Also, would adding the external IPs to the SI whitelist achieve the same result of bypassing IPS/Snort?


I agree with you regarding allowing testing with IPS; it is an odd approach.

Sorry, you are right - I should have said fastpath. I edited my earlier reply to make that correction.

SI whitelist just means to exclude the scanner from any SI rule that it may otherwise have hit. Snort continues to evaluate it against any subsequent rules, the Intrusion policy, etc.

FTD OOO - courtesy of Nazmul Rajib
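Marvin's first suggestion (a prefilter rule with action = fastpath for the scanner's source addresses) is normally created in the FMC GUI, but it can also be pushed through the FMC REST API. The script below is an added example and is not from this thread or from Cisco: it builds the rule body for such a fastpath rule, refuses to fastpath anything wider than a /24 (a guard in the spirit of Marvin's caveat that fastpath turns a primary defense off for that traffic), and optionally posts it to an FMC. The scanner addresses are constructed sample data, and the API paths, header names and field values (`ruleType`, `action`, `sourceNetworks.literals`) are written from memory of the FMC API Explorer; verify them against your FMC version before relying on them.

```python
"""Build (and optionally push) an FMC prefilter FASTPATH rule for a pen-test
scanner's source addresses. Added example; assumptions are marked inline."""
import ipaddress
import json

# Constructed sample input: the scanning vendor's source addresses.
SCANNER_SOURCES = ["203.0.113.10", "203.0.113.32/29"]
# Constructed sample input: the organisation's external range being tested.
EXTERNAL_RANGE = "198.51.100.0/24"

# Assumption: nothing wider than a /24 should ever be fastpathed past Snort.
MAX_SOURCE_PREFIX = 24


def source_is_too_wide(src: str, max_prefix: int = MAX_SOURCE_PREFIX) -> bool:
    """True if src covers more addresses than a /max_prefix does."""
    return ipaddress.ip_network(src, strict=True).prefixlen < max_prefix


def to_fmc_literal(addr: str) -> dict:
    """Convert an IP or CIDR string into an FMC network literal object.
    Assumption: FMC accepts literals of type Host (single IP) and Network."""
    net = ipaddress.ip_network(addr, strict=True)
    if net.num_addresses == 1:
        return {"type": "Host", "value": str(net.network_address)}
    return {"type": "Network", "value": str(net)}


def build_fastpath_rule(name: str, sources: list[str], destination: str) -> dict:
    """JSON body for POST .../prefilterpolicies/{id}/prefilterrules.
    Assumption: ruleType PREFILTER and action FASTPATH match the FMC schema."""
    if not sources:
        raise ValueError("at least one scanner source address is required")
    for src in sources:
        if source_is_too_wide(src):
            raise ValueError(f"{src} is wider than /{MAX_SOURCE_PREFIX}; refusing to fastpath it")
    return {
        "name": name,
        "type": "PrefilterRule",
        "ruleType": "PREFILTER",
        "action": "FASTPATH",
        "enabled": True,
        "sourceNetworks": {"literals": [to_fmc_literal(s) for s in sources]},
        "destinationNetworks": {"literals": [to_fmc_literal(destination)]},
    }


def push_rule(fmc_host: str, username: str, password: str,
              policy_name: str, rule: dict, ca_bundle: str) -> dict:
    """Authenticate to FMC and create the rule in the named prefilter policy.
    Assumption: token endpoint and header names are as in the FMC API Explorer.
    ca_bundle is the CA file that signed the FMC certificate; TLS is verified."""
    import requests  # only needed when actually talking to an FMC
    base = f"https://{fmc_host}"
    auth = requests.post(f"{base}/api/fmc_platform/v1/auth/generatetoken",
                         auth=(username, password), verify=ca_bundle)
    auth.raise_for_status()
    headers = {"X-auth-access-token": auth.headers["X-auth-access-token"],
               "Content-Type": "application/json"}
    cfg = f"{base}/api/fmc_config/v1/domain/{auth.headers['DOMAIN_UUID']}"
    policies = requests.get(f"{cfg}/policy/prefilterpolicies",
                            headers=headers, verify=ca_bundle).json()
    policy_id = next(p["id"] for p in policies.get("items", []) if p["name"] == policy_name)
    resp = requests.post(f"{cfg}/policy/prefilterpolicies/{policy_id}/prefilterrules",
                         headers=headers, data=json.dumps(rule), verify=ca_bundle)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    rule = build_fastpath_rule("pentest-fastpath-2024Q1", SCANNER_SOURCES, EXTERNAL_RANGE)
    print(json.dumps(rule, indent=2))
    # push_rule("fmc.example.net", "apiuser", "secret", "Default Prefilter Policy", rule, "fmc-ca.pem")
```

Creating the rule via the API does not make it active; the policy still has to be deployed to the FTD afterwards, and the rule should be removed (or disabled) once the engagement ends, since fastpathed flows are never seen by Snort.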

Thanks Marvin. I would still need the traffic to be subject to the regular permit/deny ACLs, and only require the IPs from the company that is scanning the network to be excluded from the IPS policy. So I'm thinking that using prefilter/fastpath wouldn't now be the answer. Do you think using a variable set and excluding the IPs is a better solution, like Massimo mentions?

You can configure the ACP with Trust; this makes the traffic pass (fastpath) through the ACP L3/L4 ACL and trusts it without further inspection by IPS/Snort.
If it is not trusted, then it will go further and be inspected by IPS/Snort.

Thanks A Lot
MHM

Exclude those IPs on the variable set applied to the relevant rules; it works like a charm.
