Hi Merakiers!
I need to apply whitelist rules in my IPS/IDS rules to specific IP, but I cannot have the option and I`m wondering if anyone knows how to do it, bc I`m just seeing the option to whitelist Rules and not IP wich I think that is very unsecure...
Solved! Go to solution.
Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.
On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.
Just believe what you‘re seeing: you‘re able to whitelist specific IPS rules, but not IP addresses.
On the other hand, it‘d be a real burden with „real“ Firepower or Snort alone.
I agree, whitelisting IPs would be very insecure.
I don't agree. Only being able to whitelist a Signature is like taking a sledghammer to crack a nut. We are seeing false positives caused by signatures, so being able to whitelist based on a source and destination ip adress would be a really good idea. At the moment I have 2 options. Don't whitlelist and keep seeing the same false positive being flagged in security events (which incidently means a ticket is raised every time) or whitelist the signature but then potentially miss a a true positive event (which really is not what I would do).
Same it's crazy, we have so many issues with this.
Checkpoint, juniper can all whitelist a IP so how come meraki cannot.
Sort it out
agreed with @trick227. We are having several SSH_EVENT_RESPONSEFLOW IDS Alert between two endpoints that communicate over the SDWAN. We need to whitelist the source/destination ip addresses and not the whole event.
Why do you think this is insecure ?
Whitelist a signature will let any host through, whitelistimg a IP to allow one trusted host through
Pen testers must love meraki
Its not the Pen Testers that hate it.. its the customers.. as we have to turn off a key security feature to let pen testers do their job...
We also have issues with 2 diffrent pairs of endpoints talking across SDWAN... i have MANY time woken up to our reporting system blaring alarms stating Replication of VM has failed... or that Emails are queued up because the mailbox server cannot talk to each other....
It has become a complete joke! literally any issue with have that is remotely related to 2 devices communicating that goes via an MX appliance you can place a pretty firm bet that its IDS and IPS messing stuff up again!
Also to top it off.. if you use MX250 and IDS IPS set to prevent... do NOT go anywhere near the 16.15 stable RC firmware... it no longer abides by the whitelist for snort rules... so everything gets blocked!! an with no way to unblock it...we experianced this on multiple MX250 recently when moving the Stable RC as advised by Meraki due to ANOTHER issue with their firmware on on the current stable fork... (memory overload causing MX to panic and reboot)
nightmare.
Late to this thread but searching around. I have a device with a false positive for snort signature and attempting to create an exception between the source/dest w/o creating a bypass for the signature for all. Is this not possible? The rule is SSH_EVENT_RESPOVERFLOW which is due to a backup.
That's not possible. Meraki allows you to bypass all or nothing. It would be a great feature but it is not supported by Meraki for now.