Whitelist IP from IPS/IDS

Zimble
Comes here often


I'm running an internal vulnerability scanner in a network behind an MX appliance. We just turned on IPS/IDS and it's blocking all of the simulated traffic from the vuln scanner, which is great and what it should do, but my only way to permit this traffic is to either change the mode to detect only or exempt every single attack type the vuln scanner simulates, which would obviously not be a good route to go as it is not only time-consuming but then leaves the IPS in a state where it is overly permissive.

I contacted support and they confirmed there is no way to allow list a point of origin past the IPS/IDS. I simply can't wrap my head around that being a true statement. I can't be the only org with MX firewalls and a vulnerability scanner, right? Also, if you have an organizational need to whitelist a detected event, your only option is to whitelist it regardless of source.

Is Meraki IPS/IDS seriously this undeveloped? This is a very basic control in my opinion; how could this still be missing after all of these years?

Here's a Reddit post from 5 years ago complaining about the same thing, so I guess this is never going to be fixed, huh?

MX64 - Allowing threat scanning : meraki (reddit.com)

ww
Kind of a big deal

Yes, most Meraki settings are very basic.

Can't you run a scan from a switch in the same VLAN where the clients are that you like to scan?

Zimble
Comes here often

Most vulnerability scanners are checking on multiple types of assets: servers, endpoints, VoIP devices, printers... Those are definitely not all going to be on the same VLAN in a well-designed org.

PhilipDAth
Kind of a big deal

You'll need to turn IPS off for the duration of the scan.

Obviously that's the best solution available, but it's a very crummy one. I can't be the only person annoyed at this very basic feature being missing. Adding an exception in Firepower/FortiGate/SonicWall or anyone else takes about 30 seconds. This is a pretty frustrating shortcoming in the Meraki interface.

Dunky
A model citizen

"Also, if you have an organizational need to whitelist a detected event, your only option is to whitelist it regardless of source."

Yup, I've had to add an exempt rule, and although it's only from one IP address, the MX does not allow you to specify a src IP/subnet. Very basic and sort of defeats the object of a firewall.
