Bypass Intrusion Detection/Prevention

franco2444
Here to help


I was curious if there is any means of bypassing intrusion detection/prevention via Group Policies. I'm going to assume no, as it defeats the whole purpose of said feature, but possible I overlooked something.


Scenario: Datto Appliance is not successfully backing up offsite, and Datto insists it's due to Intrusion Detection/Prevention. Rather than disabling it on the entire MX, I'm hoping to narrow it down to just the Datto appliance.


Thanks!

Seshu
Meraki Employee

Hello @franco2444 


IPS/IDS cannot be bypassed even by whitelisting the clients. It is either enabled or disabled on the firewall. 


For your case to test connectivity to an application, try connecting the test computer directly to the ISP modem and see if it is still having the same issues. If you are on wireless, test it on wired. There are ways to send traffic on the same network bypassing the firewall completely for that client. 


Please let me know if you have any further questions.


Regards,

Meraki Team


Hey @Seshu, thanks for the response! That's what I suspected, but the clarity definitely helps.


Fortunately it looks like it was getting blocked by IPS/IDS and was overlooked in Security Center. Shows that the Datto Appliance is being treated as an SSH_EVENT_RESPOVERFLOW threat, and looks like there are others with MX appliances that are facing the same issue. Whitelisting allowed the appliance to successfully offsite.


I'm assuming there is also no way for you to whitelist a Rule ID for only a certain scope of devices?


Not sure if it's a bug with the MX firmware, or if a specific version of SSH/SFTP software on the appliance is causing the MX to falsely claim it as a threat.

15.33 resolves some issues with IPS and AMP (specifically with it crashing on downloads, logging nothing, but breaking the download).

Good to know. Thanks for the Info @PhilipDAth 


I'll keep it whitelisted for the time being as I want to refrain from using beta firmware at this location for the time being.
