Hi everyone,
I've got a 600D that is used at a DC and a 300C that's used at the remote sites. The issue I'm running into is that my vulnerability scanner is being stopped by the IPS, which obviously defeats the purpose. The scanner resides at the DC and scans the PCs on the LAN at the remote sites.
How would I go about creating an exclusion for my scanner?
Thanks!
Hey Wyoguy,
The most straightforward way to do this will be to create a new policy for your scanner that is checked before the policy containing IPS scanning.
To do this, make an address object for the IP(s) of your scanner. Then make a new policy allowing that IP to get to whatever devices it needs to scan. Don't enable any UTM on the policy. Once you've created it, you can drag and drop the new policy above the old one that contains the IPS.
Hope this helps!
I have a few rules set up like this and it works well. You should make sure you also turn off logging on that rule because it will just clog up whatever you're logging to with useless connection requests, etc.
For extra warm and fuzzy feelings, I also added device authentication to the rules where possible, and also either set a schedule that corresponds to the scanner schedule or just turned off the rule when not in use. That authenticates the IP and the MAC address of the device doing the scanning and limits the time when a fully open rule is allowed through the network.
In your case it looks like the device authentication wouldn't work, because the source and destination are probably on different L2 networks, so your last-hop firewall would only see the MAC address of the previous network device as opposed to the source computer.
CISSP, NSE4
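The two replies above describe the configuration in GUI terms. What follows is an added example in FortiOS CLI syntax, written for this edit and not posted by anyone in the thread. It puts the scanner behind a tightly scoped policy with no UTM profiles and moves that policy above the IPS one, and it adds the optional scan-window schedule the second reply suggests. The scanner address, destination subnet, interface names, schedule and the policy IDs 42 and 7 are all placeholders; lines starting with # are explanatory only. Apply it on whichever FortiGate actually applies the IPS profile to the scan traffic (the 600D at the DC, the 300C at the remote site, or both if each inspects that path).

```fortios
# Added example (not from the thread): exclude a vulnerability scanner from IPS
# by matching it with a tighter policy that sits above the IPS-inspecting one.
# All names, addresses and IDs below are placeholders.

# 1. Address objects: scope the source to the scanner's /32 and the
#    destination to the subnets it is allowed to scan, never "all".
config firewall address
    edit "vuln-scanner"
        set subnet 10.1.1.50 255.255.255.255
    next
    edit "remote-site-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# 2. Optional: a recurring schedule matching the scan window, so the
#    uninspected path is only open while scans actually run.
config firewall schedule recurring
    edit "scan-window"
        set day saturday sunday
        set start 01:00
        set end 06:00
    next
end

# 3. The bypass policy: accept, no UTM profiles, no logging.
#    "edit 0" creates a new entry with the next free ID; note the ID
#    the CLI reports back, it is needed for the move in step 4.
config firewall policy
    edit 0
        set name "scanner-bypass-ips"
        set srcintf "internal"
        set dstintf "vpn-to-remote"
        set srcaddr "vuln-scanner"
        set dstaddr "remote-site-lan"
        set action accept
        set schedule "scan-window"
        set service "ALL"
        set logtraffic disable
        # deliberately no "set utm-status enable" and no "set ips-sensor ..."
    next
end

# 4. Move the new policy above the IPS policy it must pre-empt.
#    Placeholder IDs: 42 is the new policy, 7 is the existing IPS policy.
config firewall policy
    move 42 before 7
end
```

If you would rather not use a schedule, set `set schedule "always"` and toggle `set status disable` / `set status enable` on the policy between scans, which is the "just turn off the rule" approach from the reply above. The bypass is only as safe as its scope, so keep the source a single /32 and the destination limited to the subnets the scanner is actually meant to cover. To confirm it took effect, run a scan and check that the IPS logs no longer show the scanner's source address being blocked.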
I'll give that a shot. Thanks so much for the help!
Copyright 2024 Fortinet, Inc. All Rights Reserved.