We are using a PA-3020 and are in need of setting up some additional custom rules which will ignore false positives coming from a legit external scanner to our webservers. The web traffic is hitting the load balancer, so all traffic is showing as sourced from the load balancer's IP. We were able to create the following custom rule.
We are seeing most of the events triggered by the scanner being caught by the custom rule. However, some of the events are still bypassing the rule and triggering lots of alerts. This is a sample of an event triggering the custom rule:
and this is a sample of another event bypassing the rule:
The X-Forwarded-For value is being correctly translated in both packets, so I am not sure if there are some limitations in the custom rule or I am just missing some other configuration. Any advice would be appreciated. Thank you.
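The post is about an exception for scanner traffic that has to be keyed on the X-Forwarded-For header rather than the packet source, because the load balancer rewrites the source address. The following is an added example, not the poster's rule or any PAN-OS configuration: it shows, on constructed HTTP requests, how the same scanner address can appear in that header in several shapes (different header-name case, a comma-separated proxy chain with the client leftmost) and compares a strict whole-line pattern with a parser that normalises the header before checking an allowlist. The scanner address 203.0.113.10 and the sample requests are constructed for the illustration.

```python
"""Added example (not from the original post or from Palo Alto Networks):
X-Forwarded-For normalisation for an allowlist check behind a load balancer.
The scanner address and the sample requests below are constructed."""
import ipaddress

# Constructed allowlist: the hypothetical external scanner's public address.
SCANNER_ALLOWLIST = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample requests as the firewall would see them; the packet
# source for all of them would be the load balancer, so only the header
# identifies the real client.
REQ_SIMPLE = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.10\r\n"
    "\r\n"
)
REQ_CHAIN = (
    "GET /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "x-forwarded-for: 203.0.113.10, 10.0.0.5\r\n"  # lower-case name, proxy chain
    "\r\n"
)
REQ_NO_XFF = (
    "GET /admin HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name_lower, value) pairs from a raw HTTP request head.

    Header names are case-insensitive, so they are lower-cased here; values
    are stripped of surrounding whitespace."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def forwarded_client_ip(raw):
    """Return the leftmost X-Forwarded-For entry as an IP address, or None.

    In the de facto format the originating client is the first entry and
    each intermediate proxy appends its own address after a comma."""
    for name, value in parse_headers(raw):
        if name == "x-forwarded-for":
            first = value.split(",")[0].strip()
            try:
                return ipaddress.ip_address(first)
            except ValueError:
                return None  # malformed entry: treat as unknown client
    return None


def naive_match(raw, scanner):
    """Strict substring pattern: exact header-name case and whole-line value.

    Models a too-narrow signature; it only matches the simplest header form."""
    return f"X-Forwarded-For: {scanner}\r\n" in raw


def is_allowlisted_scanner(raw, allowlist=SCANNER_ALLOWLIST):
    """Allowlist check on the normalised originating client address."""
    ip = forwarded_client_ip(raw)
    return ip is not None and ip in allowlist


if __name__ == "__main__":
    for label, req in (("simple", REQ_SIMPLE), ("chain", REQ_CHAIN), ("none", REQ_NO_XFF)):
        print(label, "naive:", naive_match(req, "203.0.113.10"),
              "normalised:", is_allowlisted_scanner(req))
```

The strict pattern only matches REQ_SIMPLE; the normalised check matches both requests that carry the scanner's address and rejects the one without the header. Whatever engine evaluates the exception, it should only trust X-Forwarded-For when the load balancer is known to set or append it on every request, since the header is otherwise under the client's control.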