IDS/AMP still scanning client even if white-listed - broke remote desktop connection

We have an MX 100 on the front, tagged a WAN IP with 1:1 NAT to an MX64 (for a second business in the same network), and the second business has some remote desktop servers.

On January 30th 2019 in the morning, SNORT released the following rule:

- OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt

- Rule ID 1-49040

What I just learned from Meraki support, even though the client was white-listed, they are telling me white-listing only affects outbound traffic initiated from that device. White-listing has nothing to do with external traffic hitting an internal device. I guess not many people are doing what we are doing, and we will be using a layer 3 switch in front moving forward to prevent the 1:1 NAT rule.

It did pique my curiosity; can anyone confirm this? It seems that white-listing doesn't disable AMP or IDS. Secondly, if you create a custom group policy, it is possible to disable AMP, but you can't disable IDS for a specific device.

In any event, the fix was to white-list the new rule that SNORT released, and everything is working again.
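As an added example (not from this thread, and not Meraki's own code), the fix the original poster describes, allowing the specific Snort rule rather than the client, can be scripted against the Meraki Dashboard API. The organization-level intrusion endpoint, the `allowedRules` field and the `meraki:intrusion/snort/GID/<gid>/SID/<sid>` rule-id format are my assumptions from the API documentation, not something the thread confirms; the org id and API key are read from environment variables as placeholders.

```python
from __future__ import annotations
import json
import os
import urllib.request

# Assumption: Meraki Dashboard API v1 base URL and org-level intrusion settings endpoint.
API_BASE = "https://api.meraki.com/api/v1"


def snort_rule_id(gid: int, sid: int) -> str:
    """Build the Meraki rule identifier for a Snort rule (assumed format)."""
    if gid <= 0 or sid <= 0:
        raise ValueError("GID and SID must be positive")
    return f"meraki:intrusion/snort/GID/{gid}/SID/{sid}"


def parse_rule_ref(ref: str) -> tuple[int, int]:
    """Parse the 'GID-SID' notation used in the thread, e.g. '1-49040'."""
    gid, sid = ref.split("-", 1)
    return int(gid), int(sid)


def build_allow_payload(existing: list[dict], gid: int, sid: int, message: str) -> dict:
    """Return the PUT body: current allowed rules plus the new one, with no duplicate entry."""
    rule_id = snort_rule_id(gid, sid)
    rules = [r for r in existing if r.get("ruleId") != rule_id]
    rules.append({"ruleId": rule_id, "message": message})
    return {"allowedRules": rules}


def allow_rule(org_id: str, api_key: str, gid: int, sid: int, message: str) -> dict:
    """Merge the rule into the org's allow list and PUT it back (network call; assumed endpoint)."""
    url = f"{API_BASE}/organizations/{org_id}/appliance/security/intrusion"
    headers = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp).get("allowedRules", [])  # keep rules already allowed
    body = json.dumps(build_allow_payload(current, gid, sid, message)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    gid, sid = parse_rule_ref("1-49040")  # the rule quoted in the thread
    print(allow_rule(os.environ["MERAKI_ORG_ID"], os.environ["MERAKI_API_KEY"], gid, sid,
                     "RDP to internal server via 1:1 NAT; documented false positive"))
```

Allowing a single rule is narrower than exempting the client, and the `message` field leaves a record of why the exception exists for whoever reviews the allow list later.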


Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

Thanks for all the heavy lifting on this solution, this may come in handy.

Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

I'm all for options and this sounds like a valid feature request! Thanks for posting the workaround.

Edit: Would it be related to the problem @jdsilva experienced? Basically for him the rule is triggered if you use a non-standard port for the RDP session. So another solution would be to keep the port internally and externally the same:

https://community.meraki.com/t5/Security-SD-WAN/IDS-AMP-still-scanning-client-even-if-white-listed-b...


Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

Ignore me. I'm confusing things and quoting the wrong rule. Our problem is the same as the rule quoted in this thread.
