wyoguy684437
New Member
July 15, 2015
Solved

Vulnerability Scanner IPS Bypass

  • July 15, 2015
  • 2 replies
  • 9448 views

Hi everyone,

I've got a 600D that is used at a DC and a 300C that's used at the remote sites. The issue I'm running into is that my vulnerability scanner is being stopped by the IPS, which obviously defeats the purpose. The scanner resides at the DC and scans the PCs on the LAN at the remote sites.

How would I go about creating an exclusion for my scanner?
Thanks!

    Best answer by Kenundrum

    2 replies

    FatalHalt
    New Member
    July 15, 2015

    Hey Wyoguy,
    The most straightforward way to do this will be to create a new policy for your scanner that is checked before the policy containing IPS scanning.
    To do this, make an address object for the IP(s) of your scanner. Then make a new policy allowing that IP to get to whatever devices it needs to scan. Don't enable any UTM on the policy. Once you've created it, you can drag and drop the new policy above the old one that contains the IPS.
    Hope this helps!

    wyoguy684437
    New Member
    July 15, 2015

    I'll give that a shot. Thanks so much for the help!

    Kenundrum
    Best answer
    New Member
    July 16, 2015

    I have a few rules set up like this and it works well. You should make sure you also turn off logging on that rule because it will just clog up whatever you're logging to with useless connection requests, etc.

    For extra warm and fuzzy feelings, I also added device authentication to the rules where possible and also either set a schedule that corresponds to the scanner schedule or just turn off the rule when not in use. That would authenticate the IP and the MAC address of the device doing the scanning and limit the time when a fully open rule is allowed through the network.

    In your case it looks like the device authentication wouldn't work because the source and destination are probably on different L2 networks, so your last-hop firewall would only see the MAC address of the previous network device as opposed to the source computer.
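Putting FatalHalt's policy steps together with Kenundrum's logging and schedule advice as FortiOS CLI, an added example that is not from either poster or from Fortinet's documentation; the addresses, interface names, schedule window and policy IDs are assumptions, and the policy belongs on whichever FortiGate is applying IPS to the scan traffic (the remote 300C, and the 600D as well if it inspects that path). The destination is scoped to the scan targets rather than "all", so the uninspected path only covers the hosts actually being scanned.

```fortios
# Added example (assumed values): the scanner host, the remote-site LAN it
# scans, and a recurring window matching the scanner's schedule.
config firewall address
    edit "VulnScanner"
        set subnet 10.10.1.50 255.255.255.255
    next
    edit "RemoteSite-LAN"
        set subnet 192.168.50.0 255.255.255.0
    next
end

config firewall schedule recurring
    edit "ScanWindow"
        set day monday tuesday wednesday thursday friday
        set start 01:00
        set end 05:00
    next
end

# Exemption policy (ID 20 assumed): scanner -> scan targets only, no security
# profiles (utm-status disable, so no IPS sensor is applied), no logging so
# the thousands of probe connections don't flood the log destination, and
# only valid during the scan window. "move" puts it above the IPS policy
# (ID 5 assumed) so it matches first, the same as dragging it up in the GUI.
config firewall policy
    edit 20
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "VulnScanner"
        set dstaddr "RemoteSite-LAN"
        set action accept
        set schedule "ScanWindow"
        set service "ALL"
        set utm-status disable
        set logtraffic disable
        set comments "Vuln scanner exemption - scoped to scan targets, scheduled"
    next
    move 20 before 5
end
```

Check the result with `show firewall policy 20` and confirm the policy order with `diagnose firewall iprope list` or the GUI policy table before the next scan runs.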