09-19-2022 06:06 AM - edited 09-19-2022 06:06 AM
Community,
In Firepower, is there a way to whitelist a specific IP address in the IPS policy so that the IPS policy does not inspect the traffic, but where the IP is still subject to regular access control rules? A third party wants to do external scans of our network and we were asked to whitelist their IP from IPS inspection but still have the IP be subject to the regular permit/deny statements. So if their IP is permitted by the rule, their traffic won't be inspected by the IPS policy applied to the rule. Is this possible?
Thanks!
10-08-2022 11:22 PM - edited 10-09-2022 12:04 AM
You have some ways to whitelist an IP address to bypass the IPS rule:
First way:
1) Go to Analysis > Security Intelligence Events.
2) To whitelist an IP address (previously blacklisted), go to Security Intelligence Events > click a specific blacklisted Responder IP > right-click > Whitelist IP Now.
3) Click White List Now to confirm the selected IP.
4) You can verify the whitelisted IPs under Objects > Security Intelligence > Network Lists and Feeds > edit Global-Whitelist. The whitelist took effect immediately without saving.
5) Verify under Analysis > Connections > Events (normal events) and notice the whitelisted public IPs are now Trusted (at the very bottom).
Second way:
1) Or you can whitelist on ACP > SI:
https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Security_Intelligence_Blacklisting.html#concept_E1A096B925014F508354F38675BC538F
2) and then Deploy.
Third Way:
1) Go to Analysis > Intrusion Events > Table View of Events.
2) To whitelist an IP address (previously blocked by the IPS rule), right-click the IP address and click 'Edit rule'.
3) Set 'Action' to 'Pass', and set 'Source IP' to the specific IP address you want to bypass this IPS rule.
4) Click the 'Save as new' button at the bottom of this window, and copy the new IPS rule ID at the top right of the window.
5) Go to Policy > Intrusion > Rules > Filter, and search by the new IPS rule ID generated in step 4.
6) Click the rule and then click the 'Rule State' button in the top right corner.
7) Set this rule to 'Generate events'.
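For readers who want to see what the "Third way" above actually creates in the intrusion policy, here is an added example of a Snort pass rule written in Snort rule language. It is not taken from the thread or from Cisco; the address 203.0.113.10 is a documentation placeholder for the scanner's IP, and the SID 1000001 is an assumed local-rule number (Firepower assigns its own ID when you click 'Save as new').

```snort
# Added example, not from the original post: a pass rule keyed on the scanner's
# source address. 203.0.113.10 is a placeholder; sid 1000001 is assumed.
# Protocol "ip" and "any" ports make it match all traffic from that host.
pass ip 203.0.113.10 any -> any any (msg:"Authorized external scanner - bypass IPS signature inspection"; sid:1000001; rev:1;)
```

A pass rule tells Snort that matching packets are not to be flagged by the other rules in the policy (Snort 2.9 evaluates pass rules before alert and drop rules by default). It only affects traffic that an access control rule has already allowed and sent to the intrusion policy, so the permit/deny decision in the ACP is unchanged, which is the behaviour the original question asks for. Step 7 is what enables the new rule in the policy; a rule left in the 'Disabled' state has no effect, so after deploying it is worth checking Analysis > Intrusion Events to confirm that the scanner's address no longer appears.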
10-09-2022 09:26 AM
@betliu, are you saying that whitelisting an IP address in Security Intelligence also prevents corresponding traffic from being inspected by Intrusion Policy Rules?
11-03-2023 10:27 AM
Did you get a solution for your question as I have the same requirement?