Hi,
We are currently facing an issue in our environment: Symantec IPS is blocking the load balancer IP during the external VA scan, which results in an outage of our webserver for the mentioned time frame. In our case we have set it to 120 seconds.
I have read a few forums regarding the same issue, but it's something different in my case.
Our setup is: the request will hit the Firewall - NIPS - load balancer - Webserver.
We have a scheduled external IP scan which will be performed from an external IP range of the Qualys Scanner. So whatever request is received from an external IP to that webserver, it will see only the load balancer's IP and not the actual IP address that is accessing the resource from outside.
So the problem we face is that, during the time we run the scan, it considers the remote IP to be the load balancer IP and blocks the traffic for a few minutes, which results in no one from outside being able to reach the server during this Active Response Engaged Time.
Limitations to Exclude:
I have seen the option to exclude hosts in Symantec IPS. But here we cannot exclude the load balancer IP (remote IP), as all the requests are handled through the single IP, which may actually be compromised with some other attacker being unknown.
Test Plan:
Can we create one firewall rule in Symantec to allow traffic from the load balancer IP during that particular scan running time?
Or is it independent from IPS and Firewall in Symantec?
And also, will the firewall rule later block that load balancer IP outside the time frame mentioned in that rule?
We need some solution for this, with the protection to be enabled at the endpoint level.
Regards,
vijayraja