How, Why & When you would use a pass rule in a Cisco Firepower Intrusion policy (IPS)
This TidBit of the day will provide cool features of Cisco Firepower/FTD in just a couple minutes!
So I received this question from a reader:
What is the best easy way to exempt a host or network from a specific snort signature/rule? I want to prevent traffic from being dropped if the source IP is 10.1.1.10 even if it matches the Rule SID 38678 signature. All else still inspect and drop if the signature matched.
This is a great question, and one I receive a lot. I find that admins, in order to meet this business requirement, use the Suppression filter in the IPS policy. However, that only stops you from getting an alert; all the traffic is still dropped, and you would never know. This accomplishes nothing! You'd be better off disabling the rule.
Suppressing a rule is just this:
So let's take a look at the How, Why & When you would use a pass rule in a Cisco Firepower Intrusion policy (IPS).
Caution: When an original rule that the pass rule is based on receives a revision, the pass rule is not automatically updated. Therefore, pass rules might be difficult to maintain.
You should monitor the new events for some time in order to make sure no events are generated for this specific rule for the defined source or destination IP address.
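The reader's requirement and the revision caution above can be worked through in code. This is an added example, not code from the original post or from Cisco: it derives a pass rule for source 10.1.1.10 from a copy of the original rule and flags the pass rule as stale once the original's `rev` moves on. The rule body is a constructed placeholder (the real text of SID 38678 is not on this page), and the local SID 1000001 and the `PASS for sid ... rev ...` marker written into `msg` are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed stand-in: the real text of SID 38678 is not shown on this page.
ORIGINAL = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
            '(msg:"PLACEHOLDER original rule"; flow:to_server,established; '
            'content:"placeholder"; sid:38678; rev:3;)')

RULE_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$', re.S)
BASE_RE = re.compile(r'msg:"PASS for sid (\d+) rev (\d+): ')  # marker this sketch writes

def parse(rule):
    """Split a single-line Snort 2 rule into its seven header fields plus options."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort 2 rule")
    return list(m.groups())

def sid_rev(options):
    """Return (sid, rev) read from a rule's option string."""
    sid = re.search(r'(?:^|;)\s*sid:\s*(\d+);', options)
    rev = re.search(r'(?:^|;)\s*rev:\s*(\d+);', options)
    if not (sid and rev):
        raise ValueError("rule needs both sid and rev")
    return int(sid.group(1)), int(rev.group(1))

def make_pass_rule(original, src, local_sid):
    """Copy the rule as a pass rule scoped to one literal source IP or CIDR."""
    ipaddress.ip_network(src, strict=False)   # raises ValueError on anything else
    if local_sid < 1000000:
        raise ValueError("local rule SIDs start at 1000000")
    _action, proto, _src, sport, direction, dst, dport, opts = parse(original)
    if 'msg:"' not in opts:
        raise ValueError("rule has no msg option to carry the base marker")
    sid, rev = sid_rev(opts)
    # Record which revision the copy was taken from, then give it its own sid/rev.
    opts = opts.replace('msg:"', 'msg:"PASS for sid %d rev %d: ' % (sid, rev), 1)
    opts = re.sub(r'((?:^|;)\s*sid:\s*)\d+;', r'\g<1>%d;' % local_sid, opts, count=1)
    opts = re.sub(r'((?:^|;)\s*rev:\s*)\d+;', r'\g<1>1;', opts, count=1)
    return 'pass %s %s %s %s %s %s (%s)' % (proto, src, sport, direction, dst, dport, opts)

def is_stale(pass_rule, current_original):
    """True when the original rule has been revised since the pass rule was copied."""
    m = BASE_RE.search(pass_rule)
    if not m:
        raise ValueError("pass rule carries no base sid/rev marker")
    sid, rev = sid_rev(parse(current_original)[7])
    if sid != int(m.group(1)):
        raise ValueError("rules do not share a base SID")
    return rev > int(m.group(2))

if __name__ == "__main__":
    print(make_pass_rule(ORIGINAL, "10.1.1.10", 1000001))
```

Running `is_stale` after each rule update shows when the pass rule has to be regenerated from the revised original.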