Snort IPS/IDS exception

RobG
Conversationalist

Snort IPS/IDS exception

As far as I can tell there isn't a way to whitelist an IP in the Threat Protection (Snort IPS/IDS).  What are you doing when it comes to performing vulnerability scans on your network because of this limitation?  Do you have a workaround?  I'm only using the MX line of Meraki products.

6 Replies 6
ww
Kind of a big deal
Kind of a big deal

 I think you can exclude the address/range here? "security appliance > Threath protection > Protected networks"

WadeAlsup
A model citizen

I don't see the option for "Protected Networks" there under security appliance > Threat protection.


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
ww
Kind of a big deal
Kind of a big deal

This "Protected networks" field seems to be only available when in "Passthrough or VPN concentrator" mode.

PhilipDAth
Kind of a big deal
Kind of a big deal

The only option I can think of is to change the mode from "Prevention" to "Detection" for the duration of the scan.  Then at least it wont attempt to stop it - only log it.

ARiK_LeV
Conversationalist

Create a group policy and apply it to the clients that will be in the test, schedule it for the days and times for the test as well and disable AMP.   I suspect  IDS/IPS  is disabled when AMP is inactive.   Not sure but give this a test.  Make a wish to include IPS/IDS  controls in the  Group Policy options.

jbhehoman
Here to help

I've filled out the 'Make A Wish' for this same reason. I like the idea someone mentioned about using detect instead of prevent, but we have too many networks to do this manually each time. 

Get notified when there are additional replies to this discussion.