Domain based IPS exception
Hello, could not find a solution for this. Some users need SSH access with a random port range to a domain based object. Reason is that the domain can consist of 200+ IP addresses, so a domain object makes sense. From a firewall perspective this works fine. But the IPS "SSH over Non Standard Ports" protection is blocking the connection, as it should. However, when I want to make an exception, it does not allow the domain object as Destination. Is this indeed a limitation? That would not make me very happy. Or is there another solution where I don't have to make an exception for Internet or configure all 200 IP addresses (which can change on a regular basis)?
We are running R80.10 on gateways and R80.20 on Management server.
Kind regards,
Mikel
Why not make the exception with source user group instead?
That would still mean that for this user group a total exception for this protection? I prefer to narrow it down so they can SSH to this specific domain on higher ports but not to other environments. So preferably user group as source, domain as destination.
Domain objects can only be used in the Access Control policy layers. They cannot be used in Threat Prevention which includes exceptions. It is possible to force a domain object into a TP policy via the SmartConsole by creating a brand new one right in the cell of a TP rule/exception, but then this happens: sk122295: Threat Prevention blades cause problems when the domain object is defined
also
sk124852: Can Domain Objects be used in Geo Protection exceptions?
