Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jacek1
New Contributor

Whitelisting of the internal vulnerability scanner

Hello everyone, our infrastructure has vulnerability scanners that actively investigate and try to exploit systems, users are alerted, we get a lot of logs from it. Is it possible to add a specific IP address of this scanner to the whitelist so that users do not get an alert? Other alerts that may be true should stay. How to do that?

6 REPLIES 6
seshuganesh
Staff
Staff

Hi Team,

 

For the vulnerability scanners you can create plain firewall policy on top with no UTM profiles, so that UTM profiles will not generate alerts.

If my understanding is wrong, please explain issue in detail.

Jacek1

Unfortunately, it did not help.

70f1810c-42c5-4291-bb57-13bdfba0e6ab.png

Debbie_FTNT

Hey Jacek,

seshuganesh's comment was for FortiGate settings; we assumed that your FortiGate is blocking/alerting/logging the vulnerability scanner, not FortiClient.

 

From the screenshot, it's the FortiClient's application firewall that's blocking the scanner and notifying the user.

I'm not an expert in FortiClient, but as far as I have been able to find, you should be able to add an application override for the 'Gnutella_Download' application to allow it (the application firewall profile would need to be edited on EMS). You would need to generate/get a signature for that application, which I don't know how to do, my apologies.

If the pop-up is the primary issue, you can disable those notifications in the EMS application firewall profile, though the actual functionality (blocking the application) would still happen.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Jacek1

Unfortunately that's impossible, you're right it's forticlient, sorry. I need to block alerts from a specific IP address because the scanner uses many different exploitation attempts and there are plenty of these application names. Also, if there was an exploitation attempt blocked by forticlient but not from my scanner, I'd like to know about it. I need to filter out alerts from a specific IP address, such an exception.

Jacek1
New Contributor

Does anybody have an idea? 

Muhammad_Haiqal

Hi Jacek1.

Looking at this error, the action has been done on the Forticlient. Not on the Fortigate. On Forticlient, please whitelist this app.

haiqal