Vulnerability protection ip exception

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L0 Member

Vulnerability protection ip exception

We have our regular penetration tests coming up and we need to allow the IP addresses that are doing the testing to scan our network. Is there a way to create an IP based vulnerability protection exception? I know how to create an exception for a specific threat, but is there a way to allow a specific IP or set of IPs through the vulnerability protection without allowing everyone through?


Accepted Solutions
Highlighted
Cyber Elite

@lee.curtis 

 

We do this regularly in our network where External Vendors do Pen test against our public facing applications.

You will need security rule with source as Vendor Public IP and destination will be your External Interface public IP.

For this security normally we do all security profiles as none and once Pen Testing is done then rule can be removed.

 

Regards

 

MP

View solution in original post


All Replies
Highlighted
L3 Networker

Is there a reason why u do not want to use separate security Policy to allow what you want, for these IPs !?

Highlighted
Cyber Elite

@lee.curtis,

As @Abdul-Fattah  alluded to, you're going to want to build a separate security rulebase entry to allow the traffic. You can programmatically add an exception relatively easy, but it is simply just building an IP address exception for each signature. Just build out a new security rulebase entry and remove it when the penetration test is done. 

Highlighted
Cyber Elite

@lee.curtis 

 

We do this regularly in our network where External Vendors do Pen test against our public facing applications.

You will need security rule with source as Vendor Public IP and destination will be your External Interface public IP.

For this security normally we do all security profiles as none and once Pen Testing is done then rule can be removed.

 

Regards

 

MP

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!