Internal IPs exclusion for HTTP protocol
Updated: 14 Jan 2012 | 11 comments
This issue has been solved. See solution.
Hi,
Can anyone help me exclude internal IPs (destination internal IPs) for the HTTP protocol, because it generates false positive incidents?
DLP version: 11.1.1000.10054
Because internal HTTP has an IP range of 10, that's why I wrote -,10.0.0.0/8,10.0.0.0/8;+,*,*. Is it right, or anything else?
Pravin Loks
Comments
Hello, Please see this thread for a possible solution - https://www-secure.symantec.com/connect/forums/nee...
I hope this is helpful.
Best,
Thomas
Internal IPs exclusion for HTTP protocol.
Hi Thomas,
Thanks for your reply, but we are still facing the same problem, i.e. incidents are still being generated.
Please guide me on the same for FTP and HTTP, to exclude the whole 10-series IP network as the destination IP, with any source.
We have already written ( -,10.0.0.0/8,*;+,*,* ) in the System-->Protocol tab for exclusion, with the FTP port defined as 21 and port 80 for HTTP, but we are still getting incidents generated with the same port.
NOTE: I am using endpoint for FTP and HTTP traffic.
Thanks & regards
Pravin
Albert L
Well, if you're using Endpoint for those, then modifying the Protocols in the System-->Protocol page won't affect that at all. These protocol definitions are specific to Network Monitor. You would need to add IP filters to the Agent Configuration instead.
~Keith
As you are using endpoint for FTP and HTTP traffic, you need to change the Agent Configuration.
Log into Enforce Console, choose 'System' --> 'Agents' --> 'Agent Configuration', in the list, choose the configuration used by your endpoint. On the 'Filter by Network Properties' section, fill the IP filter:
Exclusion is working fine for HTTP and for FTP
Hi,
Thanks kreynolds and yang_zhang,
I applied the solution given by you; it works fine for HTTP and FTP, but incidents are still generated for the HTTPS protocol in the 10-series IP range even though I check-marked the HTTPS protocol for IE and Firefox in agent monitoring.
Please advise me.
Thanks
Pravin
Albert L
You may use the L7 layer filter, and exclude some external IPs from here.
e.g. -84.52.94.43;-94.42.23.4;
Albert L
That's odd...could be a bug in there considering it's working for the other protocols. I'm not aware of anything specific to HTTPS on the Endpoint IP filters that would require configuration somewhere else.
You could try putting the IP into an exclusion on the policies and see if that works (might be an immediate workaround if it is a bug). It will be a little more to manage from a policy administration standpoint, but should work.
Apart from that, I'd consider opening a case with Support and see what they say about it. If I get a chance, I'll see if I can reproduce the same on a test system. What version of DLP are you running (server version and agent version)?
~Keith
Hi,
server version: 11.1.1000.10054
agent version: 11.1.1000.10054
Albert L
Hi Keith/All,
I observed the incidents for both protocols (HTTP and HTTPS) on the endpoint and found that the Destination IP field is not present on the Incident Details page for HTTPS, while it is present for HTTP and also for FTP.
If the logic is designed in such a way that it should take a decision on the Destination IP field.
Please help me resolve this issue.
Loks
Albert L
You can use filtering of any kind, like filtering by domain, email address or IP address, recipient address, sender address.
Location: Edit Policy > inside the policy you will find three tabs:
Detection, Group, Response
You can go to the Group tab and filter anything which I have mentioned above.
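Added example, not part of any post in this thread and not Symantec code: a small Python evaluator for filter strings in the form posted above, showing how the two strings from the question treat the same traffic differently. It assumes each entry is action,destination,source (as the posts use it), that entries are checked in order with the first match deciding, and that unmatched traffic is monitored; the function names and sample addresses are constructed.

```python
import ipaddress

def _net(spec):
    # '*' matches any address; otherwise expect CIDR such as 10.0.0.0/8
    return None if spec == "*" else ipaddress.ip_network(spec, strict=True)

def parse_filter(text):
    """Parse 'action,dest,source;...' into (keep, dest_net, src_net) tuples."""
    rules = []
    for entry in filter(None, (e.strip() for e in text.split(";"))):
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed entry: {entry!r}")
        action, dest, src = parts
        rules.append((action == "+", _net(dest), _net(src)))
    return rules

def is_monitored(rules, dest_ip, src_ip, default=True):
    """Assumed semantics: the first matching entry decides; else the default."""
    dest, src = ipaddress.ip_address(dest_ip), ipaddress.ip_address(src_ip)
    for keep, dnet, snet in rules:
        if (dnet is None or dest in dnet) and (snet is None or src in snet):
            return keep
    return default

# The two filter strings quoted in the thread
FIRST_POST = "-,10.0.0.0/8,10.0.0.0/8;+,*,*"   # excludes only 10.x -> 10.x
FOLLOW_UP = "-,10.0.0.0/8,*;+,*,*"             # excludes any source -> 10.x

# Constructed sample flows as (destination, source)
FLOWS = [
    ("10.1.2.3", "10.9.9.9"),       # internal client to internal server
    ("10.1.2.3", "192.168.1.5"),    # non-10.x client to internal server
    ("203.0.113.10", "10.9.9.9"),   # internal client to external server
]

if __name__ == "__main__":
    for name, text in (("first post", FIRST_POST), ("follow-up", FOLLOW_UP)):
        rules = parse_filter(text)
        for dest, src in FLOWS:
            state = "monitored" if is_monitored(rules, dest, src) else "excluded"
            print(f"{name:10} {src:>12} -> {dest:<13} {state}")
```

Under these assumptions, the string from the first post still monitors traffic to a 10.x destination when the source is outside 10.0.0.0/8, while the follow-up string excludes it for any source.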