IPS use Match Object to exclude Detection
ArminF
Hello.. me again, I know... :)
OK, I get two ICMP IPS detections which I wanted to exclude for a server.
So I created a Match Object. But I cannot find a place to put this into a policy to exclude it for one server.
I could exclude detection on an IPS signature based level, but just wanted to exclude it for one server.
Can you help me with that?
thank you!
armin
Category: Entry Level Firewalls
Best Answer
ArminF
OK, Exclude Range can also be a Single IP.....
But what is the Match Object for, then?
Answers
@ArminF Match Objects are used for App Rules; there is a Policy Type of "IPS Content" where your Match Object would be selectable.
--Michael@BWC
Thanks Michael
OK, I reverted the change on the signatures directly to exclude the server.
Created a Match Object IPS, added the two options I do not want to be logged.
Added an App Policy IPS rule and used the match object to exclude it from being logged.
Let's keep fingers crossed :)
Well, this is strange....
Even when I set the App IPS Policy Rule with its Address Source (my server), it does not save it.
So it would, I assume, exclude this for all IPs on the network.
Anything I miss here?
In this case it might be the better way to exclude it on the IPS signatures instead of using an exclusion policy.
Thanks!
@ArminF I would definitely go for excluding the IPS Signature instead of using an AppRule, because the amount of AppRules you can configure is limited, and maybe more performance hungry.
Even bypassing IPS in an AppRule does not hinder the IPS from logging; I checked a couple of ways on a Gen6 Appliance and it always got logged. Cannot say for sure if it really gets bypassed, because usually I do this on IPS itself, which works fine.
--Michael@BWC
Michael you really rock!
Understood Sir! 😀
OK, will change and use exclusion on the IPS signature tab.
Maybe create a group instead of using single entries.
"a group for every user" I learned once ...