Reclassify threats detected that are legitimate traffic

Hi there!

We have recently installed an HA pair of XG430s and are slowly turning features on with them and getting to know them.

Overall we like them and like what they can do, but I have one area of concern I can't seem to find an obvious answer to (which could well be me!).

 

In the threat management reports, is it possible to reclassify an identified threat if you know it is something legitimate?

For instance, I have two top-level threats. First, the machine identifies a torrent client P2P at level 5, but this is actually a NetFlow operation between a Cisco router and PRTG.

Second, we have Meraki WAPs and they talk to each other on UDP port 9358 as part of their Layer 3 ops and roaming etc.

I cannot find anywhere in any of the firewall's settings that I can reclassify these things or tell it not to report on these specific cases.

 

Anybody got any experience of doing this?


Thanks

 

James

  • Hi James,

    I have not tried this, but you could try the IP -> DoS and Spoof Protection -> DoS Bypass rule to create exceptions for your specific devices.

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

     

    Thanks, good idea, but alas not. You have to specify a source port too, and restarting the NetFlow service on my router changed the source port.

    Also the WAPs have different source ports too (can be seen in my screen grab above).

     

    Cheers

     

    James

  • In reply to IT Support67:

    Hi James,

    There is an easy fix to that: use * (wildcard) in source and destination ports.

    Ian

  • In reply to rfcat_vk:

    Hi Ian!

     

    Thank you - yes, a * worked fine. I was able to enter rules for my two known traffic sources.

    I think this has worked; the live report isn't showing any level 5 threats currently - those two are always there. So I'm just waiting for it to do some reports over the next hour or so, but fingers crossed that's it.

     

    Will let you know.

     

    Thanks again.

     

    James

  • In reply to IT Support67:

    Many Thanks Ian!


    That appears to have done the trick. No more erroneous nasties showing up on the daily report.

     

    Much obliged sir!

     

    James