Endpoint Protection

  • 1.  How to whitelist an IP

    Posted Mar 21, 2017 08:30 AM

    Hello,

     

    We are using Symantec Endpoint Protection 12.1.6 on a Windows Server 2008 R2. This is an outward-facing web server that runs our Ecomm websites. We use Cloudflare as a CDN, which has an acceleration service named Railgun. The Railgun server resides on our network, not Cloudflare's.

     

    The way it works is that the HTTP requests for our websites first go to Cloudflare, and their edge servers forward the requests to our Railgun server, which is hosted on our network. The Railgun server forwards the requests to our origin web server, described above. A hacker sends a request to one of our websites, which goes to the Railgun server and then to the web server. Symantec blocks that request because it sees it as a hack attempt; this is good. Symantec then proceeds to block, for 10 minutes, any further requests that come from our Railgun server, whether they are hack requests or legitimate requests. This blocks all traffic for any of our websites for 10 minutes; this is bad.

     

    Is there a way to tell Symantec Endpoint Protection to continue to block those bad requests, from the Railgun server, but also not block the good/legit requests from the Railgun server for 10 minutes? 

     

    Any ideas are greatly appreciated.

     

    Joe

     



  • 2.  RE: How to whitelist an IP
    Best Answer

    Posted Mar 21, 2017 08:35 AM

    It's all or nothing. The SEP IPS is doing its job by identifying good/bad requests and taking the necessary action.

    If you don't want access blocked for 10 minutes, you could disable 'Automatically block an attacker's IP address' from the firewall policy under Stealth and Protection.



  • 3.  RE: How to whitelist an IP

    Posted Mar 21, 2017 09:00 AM

    Hi Brian,

    Thanks for the quick response. Do you know if I uncheck that option, will it continue to block those bad requests?

    Joe



  • 4.  RE: How to whitelist an IP
    Best Answer

    Posted Mar 21, 2017 09:01 AM

    The IPS will continue to block them if they're deemed malicious. However, the ten minute block will not be enforced.



  • 5.  RE: How to whitelist an IP

    Posted Mar 21, 2017 09:07 AM

    It sounds like that is what I am looking for - block malicious requests but do not impose the 10 minute restriction.

    Thanks Brian!

    Regards,

    Joe



  • 6.  RE: How to whitelist an IP

    Posted Mar 21, 2017 09:13 AM

    You're welcome.



  • 7.  RE: How to whitelist an IP

    Posted Mar 21, 2017 10:48 AM

    Hi,

     

    You can still use that feature, keeping it enabled, and add the corresponding IP to the IPS excluded hosts; this way you can prevent that IP from being scanned in and out.

     

    Go to

    IPS policy - settings - Excluded hosts

     

    IPS will not scan in and out traffic from that particular IP.