How to Add Exempt IP Addresses from the Threat Monitor Logs

by nato on ‎06-14-2013 01:50 PM - edited on ‎08-18-2017 02:42 AM by Lucky (24,723 Views)

Overview

This document describes the steps to add an Exempt IP address for a specific threat.


Steps

  1. Navigate to Monitor > Logs > Threat.
     [screenshot: 6-14-2013 1-53-29 PM.png]

  2. Click on the target threat name. This is the threat for which the exempt IP addresses are to be added.
     [screenshot: 6-14-2013 1-54-51 PM.png]

  3. Make sure there is a vulnerability profile associated with a security policy. In this example, the 'test123' vulnerability profile has been applied. At this point, check the box to highlight the profile and add the IP address (as shown in the image below). Click OK.
     Note: The IP address can be the Victim or Attacker (source address or destination address) as shown in the following logs.
     [screenshot: 6-14-2013 1-57-17 PM.png]

  4. Confirm the updates by going to the vulnerability profile and clicking on the Exceptions tab. From there, click on the 'IP Address Exemptions' applet, as shown below, to verify the changes.
     [screenshot: 6-14-2013 1-58-55 PM.png]

  5. After you have verified the changes and confirmed that the IP addresses of the hosts are entered correctly, click OK, OK, and Commit the change to the firewall. From now on, traffic to the hosts behind the IP address(es) added to the list of Exempt IP addresses will not trigger this vulnerability in this security rule. Traffic to all other IP addresses, or traffic hitting a different security rule, will still trigger the vulnerability action as defined in that security policy.
Comments
by bbarrett_hollister
on ‎05-01-2014 02:31 PM

Thanks for writing this up.  Definitely saves me a bit of time with tuning.

by javery
on ‎05-15-2014 04:44 PM

Step 3 to the 2nd part of above: Change the "default" Action under the exempted threat ID, the default is typically overridden by the "Action" specified in the "Rules" tab. But to actually "ignore/not log/allow" based on the exempted IP list, the "Action" in the Exempt list should be changed to "allow".

by dtickoo
on ‎05-27-2014 04:32 PM

Following are the CLI commands to exempt an IP address from a threat:

In this example I am exempting IP addresses 1.1.1.1 and 2.2.2.2 for spyware ID 4095560 in the Anti-Spyware profile "strict-1":

admin@Dheeraj> configure
admin@Dheeraj# set profiles spyware strict-1 threat-exception 4095560 exempt-ip 1.1.1.1
admin@Dheeraj# set profiles spyware strict-1 threat-exception 4095560 exempt-ip 2.2.2.2
admin@Dheeraj# commit

- To view the added IP exceptions:

admin@Dheeraj# show profiles spyware strict-1 threat-exception
threat-exception {
  4095560 {
    exempt-ip {
      1.1.1.1;
      2.2.2.2;
    }
  }
}

- To delete the added IP exceptions:

admin@Dheeraj# delete profiles spyware strict-1 threat-exception 4095560 exempt-ip 1.1.1.1
admin@Dheeraj# delete profiles spyware strict-1 threat-exception 4095560 exempt-ip 2.2.2.2
admin@Dheeraj# commit
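An added helper, not part of dtickoo's post or of any Palo Alto Networks tool, that generates the same configure-mode set/delete commands for any number of IPs and threat IDs (validating each IP before it can reach a commit) and parses the show output quoted above to verify what is actually configured. The 'spyware' profile path is the one shown in the post; any other profile type passed as kind is an assumption.

```python
import ipaddress
import re

# Constructed sample: the 'show profiles spyware strict-1 threat-exception'
# output from the post above, used here to exercise the parser offline.
SAMPLE_SHOW = """threat-exception {
  4095560 {
    exempt-ip {
      1.1.1.1;
      2.2.2.2;
    }
  }
}
"""

def exempt_commands(profile, threat_ids, ips, kind="spyware", op="set"):
    """Build one configure-mode command per (threat ID, IP) pair, then 'commit'.

    kind: profile type in the CLI path ('spyware' is from the post; other
    values are an assumption about the firewall's configuration tree).
    A malformed IP raises ValueError so a typo never reaches the commit.
    """
    if op not in ("set", "delete"):
        raise ValueError("op must be 'set' or 'delete'")
    cmds = []
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        for tid in threat_ids:
            cmds.append(f"{op} profiles {kind} {profile} threat-exception {tid} exempt-ip {ip}")
    cmds.append("commit")
    return cmds

def parse_exemptions(show_output):
    """Parse the braces-style show output into {threat_id: [exempt IPs]}."""
    result, current = {}, None
    for line in show_output.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(\d+) \{", line)   # a numeric block opens a threat ID
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line.endswith(";"):  # 'x.x.x.x;' entries under exempt-ip
            result[current].append(line[:-1])
    return result

def verify(show_output, threat_id, expected_ips):
    """True when every expected IP is present under threat_id in the show output."""
    present = parse_exemptions(show_output).get(str(threat_id), [])
    return set(expected_ips) <= set(present)
```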

by skansara
on ‎07-16-2014 03:34 PM

Is there any wildcard threat ID which can be used to exempt an IP across all defined threats? This way, one can use a single command to bypass an IP across all threats. I need to exempt a bunch of scan servers (40) from triggering any threats.

by pulukas
on ‎07-16-2014 03:37 PM

skansara - to completely exempt a group of servers, your simple solution is to write a rule above the scan rule that has no threat profile at all and only targets the affected server IP addresses.

by skansara
on ‎07-16-2014 03:49 PM

Steven,

Thx for the prompt response. This was already suggested to the client; however, the client has concerns that adding a security rule may give additional access to the scan servers.

by tgarsiot
on ‎08-27-2014 08:37 AM

Thanks Nato.  Very useful post.

You mention "The IP address can be the Victim or Attacker".  Does that mean that if we had an exemption, any traffic that matches this IP as either source or destination will not be compared with this signature ?

Thanks.

by Lee_H
on ‎10-24-2016 10:16 AM

This is an older post; however, it's been a little time and the 'title' has specific bearing on my question. Based on the title "How to Add Exempt IP Addresses from the Threat Monitor Logs", the described solution achieves this with an individual exception per threat rule, which prevents protection to achieve a "How to Exempt IP from the Threat Monitor Logs".


My question is in regards to pen testing our enclave.  I have a pen-testing entity that routinely scans our enclave for thousands of vulnerabilities per IP.   Even if a wildcard existed or was possible to be used, it changes the scan results.   So, I do not want to exempt a dest IP from protection by using an exception or changing the Action on the Vuln Protection Profile.  I just want to provide the same protection without the bloat in my threat-log from all the scanning.  Is there a way to exempt an IP/subnet to prevent a threat-log entry from being written to the threat-log without exempting the target from protection?   

by
on ‎10-24-2016 01:57 PM

To @tgarsiot 

Sorry for the late reply.

The Exempt IP address will be excluded from that single signature. All other signatures will be in use.


To @Lee_H,

Please allow me to restate your question:

You want to allow all protection on a specific IP address, but you would like to suppress all of the logging for that one IP?
This is not an option at this point. You might want to talk with your local SE and talk with him about putting in a Feature Request for this option.

by DrewDixon
‎12-01-2016 08:34 AM - edited ‎12-01-2016 08:35 AM

To Lee_H,

Please allow me to restate your question:

You want to allow all protection on a specific IP address, but you would like to suppress all of the logging for that one IP?
This is not an option at this point. You might want to talk with your local SE and talk with him about putting in a Feature Request for this option.


@jdelio

I really don't see a reason why this isn't already a feature, really seems simple enough and like a bare necessity...nearly every organization has vulnerability scanners etc. that need to be excluded from vulnerability protection.  Security teams have enough noise to deal with...we don't want the extra noise/logs when we scan for vulns. on a monthly basis etc.  Adding an exclusion for each vulnerability scanner for every single explicit threat ID is not even an option, that would be an insane amount of time to configure and impossible to maintain... Could someone maybe check to see if there is already a feature request that's been submitted for this?  You can add at least two customers to it if there is, or maybe create the feature request for us?  


Thank you,


-Drew

by Lee_H
on ‎12-01-2016 09:09 AM

To @jdelio


No, please don't restate that way.   I want to suppress all threat logging generated by a specific source IP, not the destination IP.


Thanks,


Lee

by DrewDixon
on ‎12-01-2016 09:24 AM

@Lee_H That's exactly what I want. Maybe the way @jdelio restated it was incorrect and I missed that; if so, my mistake, but I also want to suppress all threat logging generated by specific source IPs, particularly Vulnerability Protection logging hits/logs that are being logged unnecessarily when our monthly vulnerability scanner runs.

by
on ‎12-01-2016 11:13 AM

@DrewDixon,

I wish that I had the ability to view or add to the Feature Request list, but I do not. And I also want to echo what you said, that this is a feature that has value, but your Sales Engineer would be the one that can check and/or create this feature request for you, as they talk directly with the Program Managers and present to them what the customers are asking for.


If there is anything else I can help with, I want to, so please let me know.
