Bypass Intrusion Detection/Prevention

franco2444
Here to help

Bypass Intrusion Detection/Prevention

I was curious if there is any means of bypassing intrusion detection/prevention via Group Policies. I'm going to assume no, as it defeats the whole purpose of said feature, but possible I overlooked something.

 

Scenario: Datto Appliance is not successfully backing up offsite, and Datto insists it's due to Intrusion Detection/Prevention. Rather then disabling it on the entire MX, i'm hoping to narrow it down to just the Datto appliance. 

 

Thanks!

7 REPLIES 7
Seshu
Meraki Employee
Meraki Employee

Hello @franco2444 

 

IPS/IDS cannot be bypassed even by whitelisting the clients. It is either enabled or disabled on the firewall. 

 

For your case to test connectivity to an application, try connecting the test computer directly to the ISP modem and see if it is still having the same issues. If you are on wireless, test it on wired. There are ways to send traffic on the same network bypassing the firewall completely for that client. 

 

Please let me know if you have any further questions.

 

Regards,

Meraki Team

 

Hey @Seshu, thanks for the response! That's what I suspected, but the clarity definitely helps.

 

Fortunately it looks like it was getting blocked by IPS/IDS and was overlooked in Security Center. Shows that the Datto Appliance is being treated as an SSH_EVENT_RESPOVERFLOW threat, and looks like there are others with MX appliances that are facing the same issue. Whitelisting allowed the appliance to successfully offsite.

 

I'm assuming there is also no way for you to whitelist a Rule ID to a certain scope devices?

 

Not sure if it's a bug with the MX firmware, or if a specific version of SSH/SFTP software on the appliance is causing the MX falsely claim it as a threat.

15.33 resolves some issues with IPS and AMP (specifically with it crashing on downloads, logging nothing, but breaking the download).

Good to know. Thanks for the Info @PhilipDAth 

 

I'll keep it whitelisted for the time being as I want to refrain from using beta firmware at this location for the time being.

Dudleydogg
A model citizen

When I enable Intrusion detection and prevention, My MX goes to 1/3 speed instead of 900MB  we get maybe 250MB bandwidth speeds. Has anyone else experienced this type of slowdown with Intrusion detection and prevention

yes, MX67. IPS on - 450Mbps, IPS off - 800Mbps. They had to slow it down in a software because like 2months ago, the speed with IPS on was 660Mbps.

Dudleydogg
A model citizen

I changed nothing and speeds were so bad I complained to ISP, they came to the house put on equipment and confirmed there were no issues with Light. I put the 2nd router on the same ONT (Frontier allows 2 IPs) the one would get 1000mbs downloads, and on the MX I get 300MB on a good day. White papers state I should get 650ish so I complained. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels