Configuring a Proventia GX appliance to ignore traffic or events from certain IP addresses

Technote (FAQ)


Question

How can you configure a Proventia GX appliance to ignore traffic from certain internal hosts without creating firewall rules?

Answer

To configure a Proventia GX appliance to ignore traffic (or events) from certain IP addresses, we have provided the pam.report.filter* advanced parameters. All traffic or events with a source or destination matching the defined IP address(es) will be ignored. Users can add this parameter to the Local Tuning Parameters policy in the following contexts:
To filter all events
Name: pam.report.filterall Value (string):

Examples:

1) To ignore all traffic from a single intruder or victim address (source or destination)

Name: pam.report.filterall value=ip addr 192.168.1.25

2) To ignore all traffic from an intruder address (source ip)

Name: pam.report.filterall value=ip intruder addr 192.168.1.22

3) To ignore all traffic from a victim address (destination ip)

Name: pam.report.filterall value=ip victim addr 192.168.1.14

4) To ignore all traffic from a subnet

Name: pam.report.filterall value=ip addr 192.168.1.0/24

5) To ignore all traffic from a range

Name: pam.report.filterall value=ip addr 192.168.1.10-192.168.1.50


Note: To add multiple entries, separate them using a comma (with no space)

Name: pam.report.filterall value=ip intruder addr 192.168.1.22,192.168.1.23

To filter a specific event
Name: pam.report.filter.<issueid> Value (string):

Examples:

1) To ignore event 3000002 traffic from a single intruder or victim address (source or destination)

Name: pam.report.filter.<3000002> value=ip addr 192.168.1.25

2) To ignore event 3000002 traffic from an intruder address (source ip)

Name: pam.report.filter.<3000002> value=ip intruder addr 192.168.1.22

3) To ignore event 3000002 traffic from a victim address (destination ip)

Name: pam.report.filter.<3000002> value=ip victim addr 192.168.1.14

4) To ignore event 3000002 traffic from a subnet

Name: pam.report.filter.<3000002> value=ip addr 192.168.1.0/24

5) To ignore event 3000002 traffic from a range

Name: pam.report.filter.<3000002> value=ip addr 192.168.1.10-192.168.1.50

Note: To add multiple entries, separate them using a comma (with no space)

Alternative configuration:

It is sometimes necessary to add multiple instances of a parameter for administrative purposes.

For example, you could create one parameter to filter events generated by a vulnerability scanner and another to ignore events for a particular host.

You can add multiple instances of the parameter to filter more than one address entry by modifying the parameter name:
append an index number to the end of the parameter name, separated by a period.
Example:

Name: pam.report.filterall.0 Value=ip addr 192.168.0.9
Name: pam.report.filterall.1 Value=ip addr 10.0.0.0/16

Name: pam.report.filter.3000004.0 Value=ip addr 192.168.9.0/24
Name: pam.report.filter.3000004.1 Value=ip addr 10.10.8.130
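Because a filter that is too broad silently hides real detections (a scanner exclusion written as a /16 instead of a /24, or a comma followed by a space that the appliance may not accept), it is worth checking what a set of pam.report.filter* entries would actually suppress before committing them to the policy. The following Python script is an added example, not IBM code or any part of the Proventia product; it models the matching rules as this technote states them (source or destination match for plain addr, intruder = source only, victim = destination only, CIDR subnets, low-high ranges, comma-separated lists with no space, optional .index suffix, and pam.report.filter.<issueid> applying only to that issue id) and assumes the appliance interprets the syntax the same way. SAMPLE_PARAMETERS and the test events are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Local Tuning Parameters in the technote's syntax.
# Illustrative name/value pairs only, not an export from a real appliance.
SAMPLE_PARAMETERS = {
    "pam.report.filterall.0": "ip addr 192.168.0.9",
    "pam.report.filterall.1": "ip intruder addr 10.0.0.0/16",
    "pam.report.filter.3000004.0": "ip addr 192.168.9.0/24",
    "pam.report.filter.3000004.1": "ip victim addr 10.10.8.130,10.10.8.131",
    "pam.report.filter.3000002": "ip addr 192.168.1.10-192.168.1.50",
}

# pam.report.filterall[.index]  or  pam.report.filter.<issueid>[.index]
NAME_RE = re.compile(r"^pam\.report\.filter(all|\.(\d+))(?:\.\d+)?$")
# ip [intruder|victim] addr <entry>[,<entry>...]
VALUE_RE = re.compile(r"^ip (?:(intruder|victim) )?addr (.+)$")


def parse_address_list(text):
    """Parse a comma-separated list of single IPs, CIDR subnets or
    low-high ranges into inclusive (low, high) integer ranges.
    Entries with whitespace around the comma are rejected, because the
    technote says the list must be comma-separated with no space."""
    ranges = []
    for item in text.split(","):
        if not item or item != item.strip():
            raise ValueError(f"bad entry {item!r}: no spaces allowed around commas")
        if "-" in item:
            low, high = (int(ipaddress.ip_address(p)) for p in item.split("-", 1))
            if low > high:
                raise ValueError(f"range {item!r} is reversed")
            ranges.append((low, high))
        else:
            net = ipaddress.ip_network(item, strict=False)  # bare IP becomes /32
            ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges


def parse_filter_parameter(name, value):
    """Return (issue_id, direction, ranges) for a pam.report.filter* parameter
    (issue_id is None for filterall), or None if the name is not a filter."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    issue_id = None if m.group(1) == "all" else int(m.group(2))
    v = VALUE_RE.match(value.strip())
    if v is None:
        raise ValueError(f"{name}: unrecognised value syntax {value!r}")
    direction = v.group(1) or "any"  # intruder = source, victim = destination
    return issue_id, direction, parse_address_list(v.group(2))


def validate_parameters(parameters):
    """Return [(name, problem)] for every filter parameter that fails to parse."""
    problems = []
    for name, value in parameters.items():
        try:
            parse_filter_parameter(name, value)
        except ValueError as exc:
            problems.append((name, str(exc)))
    return problems


def build_filters(parameters):
    """Collect parsed filters from a name -> value mapping; other parameters are skipped."""
    filters = []
    for name, value in parameters.items():
        parsed = parse_filter_parameter(name, value)
        if parsed is not None:
            filters.append(parsed)
    return filters


def _in_ranges(ip, ranges):
    n = int(ipaddress.ip_address(ip))
    return any(low <= n <= high for low, high in ranges)


def is_suppressed(filters, issue_id, src, dst):
    """True if an event with this issue id, source (intruder) and destination
    (victim) address would be ignored by at least one of the filters."""
    for f_issue, direction, ranges in filters:
        if f_issue is not None and f_issue != issue_id:
            continue  # event-specific filter for a different issue id
        if direction in ("any", "intruder") and _in_ranges(src, ranges):
            return True
        if direction in ("any", "victim") and _in_ranges(dst, ranges):
            return True
    return False


if __name__ == "__main__":
    assert not validate_parameters(SAMPLE_PARAMETERS)
    active = build_filters(SAMPLE_PARAMETERS)
    # Constructed events: (issue id, intruder/source address, victim/destination address)
    for event in [(3000001, "192.168.0.9", "172.16.5.5"),
                  (3000001, "172.16.5.5", "10.0.5.5"),
                  (3000004, "172.16.5.5", "10.10.8.131"),
                  (3000002, "192.168.1.60", "172.16.5.5")]:
        print(event, "suppressed" if is_suppressed(active, *event) else "reported")
```

Run it against the name/value pairs you intend to enter, then feed it a handful of events you know must still be reported (for example, an alert from the scanner subnet toward a host outside the exclusion). A filter that suppresses one of those is the one to narrow before it goes into the policy.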


For more information on using advanced tuning parameters, please refer to the Policy Guide and the Advanced Tuning Parameters guide for your operating system, located at the link below.

IBM Security IPS Configuring advanced IPS options


If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.

Historical Number

4559


Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

1.7, 1.8, 2.3, 2.4, 2.5, 3.1, 3.2, 3.3, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.1

Operating system(s):

Platform Independent

Software edition:

All Editions

Reference #:

1436125

Modified date:

2010-10-17
