r81.20 How to create an IPS exception using the 'proxied source ip' field?
We have a WAF (Web Application Firewall) acting as external protection for our internally hosted web servers.
We also have a vulnerability scanner external to our network probing for issues, which is generating a large number of IPS alerts.
When I look at the logs, the source IP field is the WAF internal address, and the 'Proxied Source IP' field contains the source IP of the external scanner.
I need to be able to create an exception for these IPS alerts, but there doesn't seem to be a way to specify the proxied source IP field in the exception; you can only seem to use the internal address of the WAF. I can't use this as it would blind us to probes from other external IPs that were getting through the WAF for some reason.
Is there a way to achieve the IPS exception for a specific proxied source IP?
Thx.
Accepted Solutions
@G- that's not possible. There was a similar post: "IPS exception based on Proxied Source IP? - Check Point CheckMates".
Maybe @Timothy_Hall's idea could work.
Thanks for the response. I tried searching but obviously missed that one. I'll have a look at the idea proposed. Cheers.
You also might be able to create a custom Snort IPS rule matching the proxy HTTP header field, import it, then create an exception matching that custom Snort rule with an action of Inactive.
Thanks for the additional idea, Timothy. To be honest, I doubt I have enough time to learn how to do all that. I'm going to lean on the WAF supplier to create a unique SNAT for the external scanner and 'cheat' 🙂