IDS/AMP still scanning client even if white-listed - broke remote desktop connection

Getting noticed


We have an MX 100 on the front, tagged a WAN IP with 1:1 NAT to an MX64 (for a second business in the same network), and the second business has some remote desktop servers.


On January 30th 2019 in the morning, SNORT released the following rule:

- OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt

- Rule ID 1-49040


What I just learned from Meraki support: even though the client was white-listed, they are telling me white-listing only affects outbound traffic initiated from that device. White-listing has nothing to do with external traffic hitting an internal device. I guess not many people are doing what we are doing, and we will be using a layer 3 switch in front moving forward to avoid the 1:1 NAT rule.


It did pique my curiosity; can anyone confirm this? It seems that white-listing doesn't disable AMP or IDS. Secondly, if you create a custom group policy, it is possible to disable AMP, but you can't disable IDS for a specific device.


In any event, the fix was to white-list the new rule that SNORT released, and everything is working again.
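Added example (not code from this thread or from Meraki): one way to white-list the Snort rule above through the Dashboard API while keeping the allow list you already have. The endpoint path, the `allowedRules` field and the `meraki:intrusion/snort/GID/<gid>/SID/<sid>` rule-id format are assumptions based on the current v1 API and should be checked against the API documentation for your dashboard; the read-then-merge step matters because a PUT replaces the whole list.

```python
"""Add a Snort rule (GID-SID, e.g. '1-49040') to the Meraki intrusion allow list."""
import json
import os
import re
import urllib.request

# Assumed endpoint (Dashboard API v1, organization scope); verify against current docs.
API_BASE = "https://api.meraki.com/api/v1"


def snort_rule_id(rule: str) -> str:
    """Convert a Snort 'GID-SID' reference such as '1-49040' to the assumed Meraki ruleId form."""
    m = re.fullmatch(r"(\d+)-(\d+)", rule.strip())
    if not m:
        raise ValueError(f"expected GID-SID, got {rule!r}")
    gid, sid = m.groups()
    return f"meraki:intrusion/snort/GID/{gid}/SID/{sid}"


def merge_allowed_rules(existing: list, rule: str, message: str) -> list:
    """Return a new allowedRules list that contains `rule` exactly once.

    PUT replaces the whole list, so existing entries must be carried over, not dropped.
    """
    rule_id = snort_rule_id(rule)
    if any(r.get("ruleId") == rule_id for r in existing):
        return list(existing)  # already allowed; nothing to change
    return list(existing) + [{"ruleId": rule_id, "message": message}]


def _call(method: str, url: str, api_key: str, body=None):
    """Minimal JSON request helper using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def allow_snort_rule(org_id: str, api_key: str, rule: str, message: str) -> list:
    """Read the current allow list, merge the rule in, and write it back only if it changed."""
    url = f"{API_BASE}/organizations/{org_id}/appliance/security/intrusion"
    current = _call("GET", url, api_key).get("allowedRules", [])
    merged = merge_allowed_rules(current, rule, message)
    if merged == current:
        return current
    return _call("PUT", url, api_key, {"allowedRules": merged}).get("allowedRules", [])


if __name__ == "__main__":
    print(allow_snort_rule(os.environ["MERAKI_ORG_ID"], os.environ["MERAKI_API_KEY"],
                           "1-49040", "OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt"))
```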

3 REPLIES
Getting noticed

Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

Thanks for all the heavy lifting on this solution, this may come in handy.
Head in the Cloud

Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

I'm all for options and this sounds like a valid feature request! Thanks for posting the workaround.


Edit: Would it be related to the problem @jdsilva experienced? Basically, for him the rule is triggered if you use a non-standard port for the RDP session. So another solution would be to keep the port the same internally and externally:

https://community.meraki.com/t5/Security-SD-WAN/IDS-AMP-still-scanning-client-even-if-white-listed-b...

Kind of a big deal

Re: IDS/AMP still scanning client even if white-listed - broke remote desktop connection

Ignore me. I'm confusing things and quoting the wrong rule. Our problem is the same as the rule quoted in this thread.