4 Replies Latest reply on Jan 28, 2011 11:47 AM by sliedl

    Rule help

    kvt

      Here is my problem. I have a firewall set up in a lab environment, and know that certain pieces of hardware and software are going to try and go out to specific sites (known ports and known IP addresses), but I am not allowed to have them go out to those sites while testing. However, I do need to have alerts and see when they try to go out to other sites that we do not know about.

      Problem is, how do I set up a rule that will prevent anything internal from going to those known sites, but not cause an alert etc. to be generated, but still be able to see an alert if some other site is visited, meeting the low alert threshold for ACL deny?

      On some older firewalls that I have worked with, I could specify that any traffic on a port going to a specific destination would be dropped, or sent to a null device, and would not cause an alert as a denied connection.

      Does anyone know how to do that in version 7 of Firewall Enterprise?

        • 1. Re: Rule help
          oreeh

          To disable alerts you can (temporarily) disable them under "IPS Attack Responses" and "System Responses".

          To get an overview of the allowed and denied traffic, log in to the console and, after increasing the ACL log level (cf acl set loglevel=4), an "acat -ayz" will show you a list of all allowed and denied events.

          If you use "acat -akyz" instead you'll get real-time output.

          For further options have a look at the acat and sacap_filter manpages.

          Edited to add:

          You can configure any rule to drop the packets by selecting the "drop" action instead of allow/deny.

          You can also disable auditing, but that would render the above acat useless. No auditing, no reporting.

          on 1/28/11 3:28:45 PM CET
          • 2. Re: Rule help
            kvt

            Yes, I could temporarily disable it under the IPS Attack Response, but I was looking for a more permanent solution where I put it in as a rule that would not trigger an attack response if it is met.

            As the lab is in use all the time, this makes it hard to do that.

            I tried putting it in as a drop rule, but even a drop rule shows up under the IPS Attack Response for ACL Deny.

            I'm looking for a way that I can block these without causing a response to the ACL deny. That way, if something else triggers it, it will alert me.

            This will save me having to comb through all the stuff, looking for the occasional ACL deny that is not one of the ones we know about.

            • 3. Re: Rule help
              oreeh

              Disable auditing in the rule.

              • 4. Re: Rule help
                sliedl

                I wrote a little bit about IPS Attack Responses in this Community post.

                At the end of the post I explained how you can make your own filter that works only when a certain rule is hit. You can use that syntax to make your own filter that works all the time EXCEPT when a certain rule is hit.

                Here are the default 'ACL Deny' audit filter and auditbot (the bot that watches for the filter to be hit):

                 

                audit add filter name='ACL Deny' \
                    comments='Detects when a connection is denied by a rule in the active policy.' \
                    filter_type=attack number=4 sacap_filter='event AUDIT_R_ACLDENY'

                 

                 

                audit add auditbot name='ACL Deny' filter='ACL Deny' enabled=off blackhole=0 \
                    email=Attack_Default interval=300 period=30 reset=yes sb_percentage=0 \
                    secure_alert=yes snmp_trap=no threshold=5

                 

                The 'ACL Deny' filter will pick up ALL denied ACL events (event AUDIT_R_ACLDENY). If you want to NOT alert on a specific rule you can build your own filter and auditbot (I don't think you can edit the built-in ones).

                To keep it short, you'd run:

                 

                $> cf audit add filter name='ACL Deny not Rule 1' filter_type=attack number=0 sacap_filter="event AUDIT_R_ACLDENY and not rule_name 'Rule 1'"

                (double-quotes around the sacap_filter and single-quotes around the rule name in the filter)

                 

                $> cf audit add auditbot name='ACL Deny NR1' filter='ACL Deny not Rule 1' enabled=on blackhole=0 email=Attack_Default interval=300 period=30 reset=yes sb_percentage=0 secure_alert=yes snmp_trap=no threshold=5

                 

                Now you disable the built-in 'ACL Deny' IPS Attack Response and enable this new one. The exact same functionality is there, except you won't alert on ACL Deny events on your one specific rule (but you'll still audit them). Now that you've added this filter and auditbot they will appear in the GUI and you can edit the responses from there.

                Is that what you're looking for?

                Message was edited by: sliedl on 1/28/11 11:47:28 AM CST
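The following is an added example, not code from this thread or from Firewall Enterprise. It models the logic of sliedl's custom filter and auditbot in plain Python so the effect can be checked offline: every ACL-deny event is still audited, but only denies that do NOT come from the excluded rule count toward the alert threshold. The audit line format, the event names beyond AUDIT_R_ACLDENY, and the reading of threshold=5 period=30 as "5 matching events within 30 seconds" are all assumptions made for this example; the sample lines are constructed, not real firewall output.

```python
"""Model of an 'ACL Deny, except one known rule' audit filter and auditbot.

Added example (not the thread's or the product's code). It reproduces the
logic of sacap_filter="event AUDIT_R_ACLDENY and not rule_name 'Rule 1'"
plus a threshold/period auditbot, so the difference between the built-in
'ACL Deny' response and the custom one can be observed on sample events.
"""
from collections import deque
from dataclasses import dataclass
import re

# Constructed sample audit lines (NOT the real Firewall Enterprise audit
# format). 'Rule 1' is the known-noise deny rule the lab owner wants to keep
# quiet; 'Deny All' catches connections to sites nobody knew about.
SAMPLE_AUDIT = """\
ts=100 event=AUDIT_R_ACLDENY rule_name='Rule 1' src=10.0.0.5 dst=203.0.113.10 dport=443
ts=101 event=AUDIT_R_ACLDENY rule_name='Rule 1' src=10.0.0.6 dst=203.0.113.10 dport=443
ts=102 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.5 dst=198.51.100.7 dport=80
ts=103 event=AUDIT_R_ACLDENY rule_name='Rule 1' src=10.0.0.7 dst=203.0.113.10 dport=443
ts=104 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.5 dst=198.51.100.8 dport=22
ts=105 event=AUDIT_R_ACLALLOW rule_name='Web Out' src=10.0.0.5 dst=198.51.100.9 dport=80
ts=106 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.9 dst=198.51.100.7 dport=80
ts=107 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.9 dst=198.51.100.7 dport=80
ts=108 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.9 dst=198.51.100.7 dport=80
ts=200 event=AUDIT_R_ACLDENY rule_name='Deny All' src=10.0.0.9 dst=198.51.100.7 dport=80
"""

LINE_RE = re.compile(r"ts=(?P<ts>\d+) event=(?P<event>\S+) rule_name='(?P<rule>[^']*)'")


@dataclass
class Event:
    ts: int      # seconds; constructed timestamps for the sample
    event: str   # audit event type, e.g. AUDIT_R_ACLDENY
    rule: str    # name of the policy rule that produced the event
    raw: str     # original line, kept so an alert can show what matched


def parse_audit(text):
    """Parse the constructed audit format into Event objects (unparseable lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(int(m['ts']), m['event'], m['rule'], line))
    return events


def acl_deny_not_rule(event, excluded_rule):
    """Python equivalent of: event AUDIT_R_ACLDENY and not rule_name '<excluded_rule>'.

    With excluded_rule=None this is the built-in 'ACL Deny' filter (all denies).
    """
    return event.event == 'AUDIT_R_ACLDENY' and event.rule != excluded_rule


def run_auditbot(events, excluded_rule, threshold=5, period=30):
    """Sliding-window auditbot: alert when `threshold` filter matches fall within `period` seconds.

    Assumption: threshold=N period=S means N matching events within S seconds, and
    reset=yes means the count restarts after an alert. Returns (alert_timestamps,
    audited_denies): denies from the excluded rule are still counted as audited
    even though they never contribute to an alert.
    """
    window = deque()
    alerts = []
    audited = 0
    for ev in events:
        if ev.event == 'AUDIT_R_ACLDENY':
            audited += 1                  # every deny still reaches the audit log
        if not acl_deny_not_rule(ev, excluded_rule):
            continue                      # filtered out: no alert credit
        window.append(ev.ts)
        while window and ev.ts - window[0] > period:
            window.popleft()              # drop matches older than the period
        if len(window) >= threshold:
            alerts.append(ev.ts)
            window.clear()                # reset=yes behaviour
    return alerts, audited


def compare(text=SAMPLE_AUDIT):
    """Run the built-in filter and the custom filter over the same events."""
    events = parse_audit(text)
    builtin_alerts, _ = run_auditbot(events, excluded_rule=None)
    custom_alerts, audited = run_auditbot(events, excluded_rule='Rule 1')
    return {'builtin_alerts': builtin_alerts,
            'custom_alerts': custom_alerts,
            'audited_denies': audited}


if __name__ == '__main__':
    print(compare())
```

On the sample, the built-in filter reaches its threshold at ts=104, driven mostly by the known 'Rule 1' denies, while the custom filter stays quiet until five 'Deny All' hits from unknown destinations accumulate at ts=108; both runs still record all nine denies in the audit count, which is the "still audited, just not alerted" property sliedl describes.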