cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
465
Views
0
Helpful
2
Replies

How to only shun internal systems

chrisv
Level 1
Level 1

Is it possible to only shun systems originating from my own IP address range? In other words, not shun external attacks (yet).

And, how would I be able to do that?

Thank you.

2 Replies 2

grimish
Level 1
Level 1

This should be possible, by not specifying your internal net/ip in CSPM or the Director,

For example:

If you have a device such as a Proxy server which services outbound request to the net you can excluded this, so it is never shunned.

I think you might be able to do this, if you are shunning on a router.

You can set up a PreShunACL for the interface(s) where you are

shunning. In this ACL add entries allowing all packets that

originate from outside your network. ( The sensor shuns are

inserted into the interface ACL after the PreShunACL entries, and

the router will allow the packet before it encounters the shun entry ).

Caution is advised however, because allowing all outside traffic

may not be the policy you want to set on that interface.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: