How to Add Exempt IP Addresses from the Threat Monitor Logs


Overview

This document describes the steps to add an Exempt IP address for a specific threat.

 

Steps

  1. Navigate to Monitor > Logs > Threat.

  2. Click the name of the target threat. This is the threat for which the exempt IP addresses are to be added.

  3. Make sure there is a vulnerability profile associated with a security policy. In this example, the 'test123' vulnerability profile has been applied. In the exemption dialog, check the box to select the profile, add the IP address, and click OK.
    Note: The IP address can be the Victim or the Attacker (either the source or the destination address), as shown in the log entry.

  4. Confirm the update by opening the vulnerability profile and clicking the Exceptions tab. From there, click the 'IP Address Exemptions' applet to verify the change.

  5. After you have verified the change and confirmed that the IP addresses of the hosts are entered correctly, click OK, OK, and Commit the change to the firewall. From now on, traffic involving the IP addresses added to the list of Exempt IP addresses will not trigger this signature wherever this profile is applied; the exemption lives on the profile, so every security rule that uses the profile inherits it. Note that the action configured on the exception itself, not the action on the profile's Rules tab, is what applies to the exempt addresses, so check that it says what you intend. Traffic to all other IP addresses, or traffic matching a security rule that uses a different profile, will still trigger the vulnerability action as defined in that profile.
Comments

Thanks for writing this up.  Definitely saves me a bit of time with tuning.

Step 3, second part of the above: change the "default" Action under the exempted threat ID. The default is typically overridden by the "Action" specified in the "Rules" tab, but to actually "ignore/not log/allow" based on the exempted IP list, the "Action" in the Exempt list should be changed to "allow".

Following are the CLI commands to exempt an IP address from a threat.

In this example I am exempting IP addresses 1.1.1.1 and 2.2.2.2 for spyware ID 4095560 in the Anti-Spyware profile "strict-1":

admin@Dheeraj> configure
admin@Dheeraj# set profiles spyware strict-1 threat-exception 4095560 exempt-ip 1.1.1.1
admin@Dheeraj# set profiles spyware strict-1 threat-exception 4095560 exempt-ip 2.2.2.2
admin@Dheeraj# commit

- To view the added IP exceptions:

admin@Dheeraj# show profiles spyware strict-1 threat-exception
threat-exception {
  4095560 {
    exempt-ip {
      1.1.1.1;
      2.2.2.2;
    }
  }
}

- To delete the added IP exceptions:

admin@Dheeraj# delete profiles spyware strict-1 threat-exception 4095560 exempt-ip 1.1.1.1
admin@Dheeraj# delete profiles spyware strict-1 threat-exception 4095560 exempt-ip 2.2.2.2
admin@Dheeraj# commit
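The GUI steps in the article and the CLI commands in the comment above each exempt a couple of addresses from one signature. To show how that scales to many scanner hosts and many threat IDs, here is an added example (it is not part of the original post and not a Palo Alto Networks tool): a POSIX shell script that generates the set/delete commands for pasting into configure mode, and refuses to emit anything if an address is malformed so a typo does not turn into a failed or partial commit. The spyware command shape is copied from the comment above; beyond what the page shows, it assumes that vulnerability profiles use the same shape with "vulnerability" in place of "spyware" and that the exception action is set with "... threat-exception <id> action <action>". The demo reuses the page's own values (profile strict-1, threat 4095560, IPs 1.1.1.1 and 2.2.2.2); the profile type and any other IDs you pass are your own.

```shell
#!/bin/sh
# Added example (not from the original post or from Palo Alto Networks):
# generate PAN-OS "set"/"delete" commands that exempt a list of scanner
# IPs from a list of threat IDs on one profile, for pasting into
# "configure" mode. The spyware command shape is taken from the post above:
#   set profiles spyware <profile> threat-exception <id> exempt-ip <ip>
# Assumptions beyond the page: vulnerability profiles use the same shape
# with "vulnerability" in place of "spyware", and the exception action is
# set with "... threat-exception <id> action <allow|alert|...>".

# valid_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0-255.
# Assumption: exempt-ip takes single IPv4 hosts, as in the page's example.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    rest=$1.; n=0                                # trailing dot ends the last octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        n=$((n + 1))
        case $octet in '') return 1 ;; esac      # empty octet: "1..2.3" or ".1.2.3"
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# gen_exempt_cmds TYPE PROFILE "ID1 ID2 ..." "IP1 IP2 ..." [ACTION]
# Prints one "exempt-ip" line per ID/IP pair, preceded by an "action" line
# per ID when ACTION is given. Validates every IP before printing anything.
gen_exempt_cmds() {
    ptype=$1; profile=$2; ids=$3; ips=$4; action=$5
    for ip in $ips; do
        valid_ipv4 "$ip" || { printf 'invalid IPv4 address: %s\n' "$ip" >&2; return 1; }
    done
    for id in $ids; do
        if [ -n "$action" ]; then
            # The exception action applies only to the exempt IPs; everyone
            # else still gets the action from the profile's Rules tab.
            printf 'set profiles %s %s threat-exception %s action %s\n' "$ptype" "$profile" "$id" "$action"
        fi
        for ip in $ips; do
            printf 'set profiles %s %s threat-exception %s exempt-ip %s\n' "$ptype" "$profile" "$id" "$ip"
        done
    done
    return 0
}

# gen_delete_cmds TYPE PROFILE "ID1 ..." "IP1 ...": the matching rollback,
# per IP as in the post above (the exception node itself is left in place).
gen_delete_cmds() {
    ptype=$1; profile=$2; ids=$3; ips=$4
    for id in $ids; do
        for ip in $ips; do
            printf 'delete profiles %s %s threat-exception %s exempt-ip %s\n' "$ptype" "$profile" "$id" "$ip"
        done
    done
    return 0
}

# Demo with the page's own values; paste the output after "configure", then "commit".
gen_exempt_cmds spyware strict-1 "4095560" "1.1.1.1 2.2.2.2" allow
```

Feed it the real scanner list as the fourth argument (for example `"$(cat scanners.txt | tr '\n' ' ')"`) and the threat IDs you are tuning as the third; the same two arguments handed to gen_delete_cmds give you the rollback for the change window.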

Is there any wildcard threat ID which can be used to exempt an IP across all defined threats? This way, one could use a single command to bypass an IP across all threats. I need to exempt a bunch of scan servers (40) from triggering any threats.

skansara - to completely exempt a group of servers, the simple solution is to write a rule above the scan rule that has no threat profile at all and only targets the affected server IP addresses.

Steven,

Thx for the prompt response. This was already suggested to the client; however, the client has concerns that adding a security rule may give additional access to the scan servers.

Thanks Nato.  Very useful post.

You mention "The IP address can be the Victim or Attacker".  Does that mean that if we had an exemption, any traffic that matches this IP as either source or destination will not be compared with this signature ?

Thanks.

This is an older post; however, it's been a little time and the title has specific bearing on my question. Based on the title "How to Add Exempt IP Addresses from the Threat Monitor Logs", the described solution achieves this with an individual exception per threat rule, which prevents protection, in order to achieve a "How to Exempt an IP from the Threat Monitor Logs".

 

My question is in regards to pen testing our enclave. I have a pen-testing entity that routinely scans our enclave for thousands of vulnerabilities per IP. Even if a wildcard existed or could be used, it changes the scan results. So, I do not want to exempt a destination IP from protection by using an exception or changing the Action on the Vulnerability Protection Profile. I just want to provide the same protection without the bloat in my threat log from all the scanning. Is there a way to exempt an IP/subnet to prevent a threat-log entry from being written to the threat log without exempting the target from protection?

To @tgarsiot 

Sorry for the late reply.

The Exempt IP address will be excluded from that single signature. All other signatures will be in use.

 

To @Lee_H,

Please allow me to restate your question:

You want to allow all protection on a specific IP address, but you would like to suppress all of the logging for that one IP?
This is not an option at this point. You might want to talk with your local SE and talk with him about putting in a Feature Request for this option.


@jdelio

I really don't see a reason why this isn't already a feature; it really seems simple enough and like a bare necessity. Nearly every organization has vulnerability scanners etc. that need to be excluded from vulnerability protection. Security teams have enough noise to deal with; we don't want the extra noise/logs when we scan for vulnerabilities on a monthly basis etc. Adding an exclusion for each vulnerability scanner for every single explicit threat ID is not even an option; that would be an insane amount of time to configure and impossible to maintain. Could someone maybe check to see if there is already a feature request that's been submitted for this? You can add at least two customers to it if there is, or maybe create the feature request for us?

 

Thank you,

 

-Drew

To @jdelio

 

No, please don't restate that way.   I want to suppress all threat logging generated by a specific source IP, not the destination IP.

 

Thanks,

 

Lee

@Lee_H That's exactly what I want.  Maybe the way @jdelio restated it was incorrect and I missed that, if so, my mistake- but I also want to suppress all threat logging generated by specific source IP's, particularly Vulnerability Protection logging hits/logs that are being logged unnecessarily when our monthly vulnerability scanner runs.

@DrewDixon,

I wish that I had the ability to view or add to the Feature Request list, but I do not. And I also want to echo what you said, that this is a feature that has value, but your Sales Engineer would be the one that can check and/or create this feature request for you, as they talk directly with the Program Managers and present to them what the customers are asking for.

 

If there is anything else I can help with, I want to, so please let me know.

I tried several times to add one IP to the "IP Address Exemption", but for some reason it is not saving the exclusions; every time I commit changes to the firewall I double-check and the exclusion value is blank.

hi @oscaringosv

 

Did you make sure to check the box next to the profile, add the IP address and click OK?

If you followed this procedure and you are still not seeing the config change, you may want to try a different browser or open a case with support.

Hi @reaper

 

Thanks a lot, checking the box works.