
rule writing help for Cisco Firepower Management Center

jeff_baptiste (Level 1)

I have some vulnerability scanners that are hitting my load-balancers. The load-balancers are SNATing the connections, so Firepower sees the sources as the load-balancers going to various destinations on my network. However, in the packet, I see the original client IP (X-Forwarded-For header). I am trying to find a way that I can trust this connection as long as I see that scanner IP in the packet. Is there a way that I can do this, either through rule writing or access control rules?

Accepted Solution

Ajay Saini (Level 7)

Hello,

Not an expert in Firepower but trying to help.

For the X-Forwarded-For criterion, you can use the 'Original Client' option instead of the source IP address.

When you edit the rule, under 'Networks', look under the source networks: there is a tab for 'Original Client', which refers to 'X-Forwarded-For'.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Events.html

Then you can use that criteria to Trust the traffic.

HTH

-

AJ

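As an added illustration, not part of the thread and not Cisco code, the following shows what "original client" means once the header is parsed, and why a trust rule keyed on it is only as strong as the device that writes the header. The X-Forwarded-For header travels inside the HTTP request, so whatever connects to the load balancer can pre-fill it; this matters when the rule action is Trust, because trusted traffic bypasses inspection. The example assumes a load balancer that appends the peer address it saw to any X-Forwarded-For value the client already sent (a common default) rather than replacing the header, and uses constructed sample addresses (10.20.30.40 as the scanner, 203.0.113.9 as an untrusted client). It does not assume which entry of a multi-address header FMC itself selects; that is not stated in the thread.

```python
# Added example (not from the forum thread, and not Cisco code): how the
# "original client" address is recovered from an X-Forwarded-For header,
# and why trusting traffic on that basis depends on who writes the header.
#
# Assumptions, labelled here because the thread does not state them:
#   - the load balancer APPENDS the peer address it saw to whatever
#     X-Forwarded-For value the client already sent (a common default),
#     rather than replacing the header;
#   - 10.20.30.40 (scanner) and 203.0.113.9 (untrusted client) are
#     constructed sample addresses.
import ipaddress

SCANNER_IPS = {ipaddress.ip_address("10.20.30.40")}


def parse_xff(header_value):
    """Split an X-Forwarded-For value into ip_address objects, leftmost first.
    Entries that are not valid addresses are dropped rather than matched."""
    chain = []
    for part in header_value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            chain.append(ipaddress.ip_address(part))
        except ValueError:
            continue
    return chain


def leftmost_client(header_value):
    """Leftmost entry: whatever the connecting client chose to send first."""
    chain = parse_xff(header_value)
    return chain[0] if chain else None


def proxy_asserted_client(header_value, trusted_proxies=()):
    """Rightmost entry that is not a trusted proxy: the address the last
    trusted hop actually saw on the wire. A client cannot forge this as long
    as every proxy in the path appends honestly."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    chain = parse_xff(header_value)
    for addr in reversed(chain):
        if addr not in trusted:
            return addr
    return None


def lb_append(client_sent_xff, client_ip):
    """Constructed model of an appending load balancer: it adds the peer
    address it observed to the header the client supplied, if any."""
    return f"{client_sent_xff}, {client_ip}" if client_sent_xff else client_ip


def trust_decision(header_value, selector):
    """'Trust' the flow when the selected original-client address is a scanner."""
    addr = selector(header_value)
    return addr is not None and addr in SCANNER_IPS


def demo():
    """Two flows through the same load balancer, evaluated both ways."""
    # Flow 1: the real scanner, which sends no X-Forwarded-For of its own.
    scanner_flow = lb_append("", "10.20.30.40")
    # Flow 2: an untrusted client that pre-loads the scanner address into
    # the header before the request reaches the load balancer.
    spoofed_flow = lb_append("10.20.30.40", "203.0.113.9")
    return {
        "scanner_leftmost": trust_decision(scanner_flow, leftmost_client),
        "scanner_proxy_asserted": trust_decision(scanner_flow, proxy_asserted_client),
        "spoofed_leftmost": trust_decision(spoofed_flow, leftmost_client),
        "spoofed_proxy_asserted": trust_decision(spoofed_flow, proxy_asserted_client),
    }


if __name__ == "__main__":
    for name, trusted in demo().items():
        print(f"{name}: {'TRUST' if trusted else 'inspect'}")
```

The spoofed flow is trusted when the leftmost entry is used and inspected when the rightmost proxy-written entry is used. Whichever entry the firewall picks, the check a practitioner would want before deploying a Trust rule on this criterion is on the load balancer: confirm it strips or overwrites a client-supplied X-Forwarded-For (or writes a header only it controls), and constrain the rule so it only matches flows whose source is the load-balancer addresses, so that a client reaching the firewall by another path cannot present the header at all.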

2 Replies

I didn't see that Original Client tab. This will help me greatly. Thank you very much for pointing me to it.
