CSA 4.0.3 Exempt certain IPs from being detected as source of port scanning

We have an in-house vulnerability scanner that regularly does port scans and we don't want to see events when the source IP is from the vulnerability scanner.

We tried a network access rule but it does not work.

1) Network Shim is enabled

2) Network shield rule with Port scan detection is enabled.

3) Global correlation for scans is set to 100 within 60 minutes.

Basically we want to keep detecting port scans except scans from a specific IP.

2 REPLIES

Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

Can you send me a screen shot of the NACL rule you created? Perhaps you didn't set the parameters correctly.

jay.walker@swinc.com


Re: CSA 4.0.3 Exempt certain IPs from being detected as source o

Thanks Jay for your offer. The thing is NACL does not work in 4.0.x.

Here is TAC response for later versions (4.5.x or 5.x):

"It is possible to do this by changing the field "Communicating with host addresses" in the network shield rule. There are 2 ways to do this.

1. Create an exception rule. The exception rule is of type 'Network Shield Rule'. Make its action 'permit'. Click Port Scan Detection to enable it. Include the IP address of the port scanner device in "Communicating with host addresses".

or

2. Modify the original Network Shield Rule (the one with the deny action). Next to "Communicating with host addresses", click 'Insert Network Address Set', and click 'New'. In the new window, name the network address set. Leave the "Address ranges matching" to and change "but not:" to the IP address of the port scanner. Then click 'save'. Make sure that the Network Shield rule now contains your Network address set under "Communicating with host addresses".

We typically recommend using method 1 because it prevents you from having to modify the default rule set. But pick the method that works best for your configuration."

I have to find a way without upgrading.
