Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wyoguy684437
New Contributor

Vulnerability Scanner IPS Bypass

Hi everyone,

I've got a 600D that is used at a DC and a 300C that's used at the remote sites. The issue I'm running into is my vulnerability scanner is being stopped by the IPS, obviously, defeating the purpose. The scanner resides at the DC and scans the pcs on the LAN at the remote sites. 

 

How would I go about creating an exclusion for my scanner?

 

Thanks!

2 Solutions
FatalHalt
Contributor II

Hey Wyoguy,

 

Most straightforward way to do this will be to create a new policy for your scanner that is checked before the policy containing IPS scanning. 

 

To do this, make an address object for the IP(s) of your scanner. Then make a new policy allowing that IP to get to whatever devices it needs to scan. Don't enable any UTM on the policy. Once you've created it, you can drag and drop the new policy above the old one that contains the IPS.

 

Hope this helps!

View solution in original post

Kenundrum
Contributor III

I have a few rules set up like this and it works well. You should make sure you also turn off logging on that rule because it will just clog up whatever you're logging to with useless connection requests, etc.

For extra warm and fuzzy feelings, I also added device authentication to the rules where possible and also either setting a schedule that corresponds to the scanner schedule or just turning off the rule when not in use. That would authenticate the ip and the mac address of the device doing the scanning and limit the time when a fully open rule is allowed through the network.

In your case it looks like the device authentication wouldn't work because the source and destination are probably on different L2 networks so your last hop firewall would only see the mac address of the previous network device as opposed to the source computer.

CISSP, NSE4

 

View solution in original post

CISSP, NSE4
3 REPLIES 3
FatalHalt
Contributor II

Hey Wyoguy,

 

Most straightforward way to do this will be to create a new policy for your scanner that is checked before the policy containing IPS scanning. 

 

To do this, make an address object for the IP(s) of your scanner. Then make a new policy allowing that IP to get to whatever devices it needs to scan. Don't enable any UTM on the policy. Once you've created it, you can drag and drop the new policy above the old one that contains the IPS.

 

Hope this helps!

wyoguy684437

I'll give that a shot. Thanks so much for the help!

Kenundrum
Contributor III

I have a few rules set up like this and it works well. You should make sure you also turn off logging on that rule because it will just clog up whatever you're logging to with useless connection requests, etc.

For extra warm and fuzzy feelings, I also added device authentication to the rules where possible and also either setting a schedule that corresponds to the scanner schedule or just turning off the rule when not in use. That would authenticate the ip and the mac address of the device doing the scanning and limit the time when a fully open rule is allowed through the network.

In your case it looks like the device authentication wouldn't work because the source and destination are probably on different L2 networks so your last hop firewall would only see the mac address of the previous network device as opposed to the source computer.

CISSP, NSE4

 

CISSP, NSE4
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors