CRL-00003 and Exceptions
Has anyone modified CRL-00003 (Port Scan Detected) to add an Exceptions list?
We have a reverse proxy web server that gets flagged constantly by this rule, indicating a port scan between it and the firewall. We'd like to tell the rule to ignore that source/destination pair.
Would adding a Filter to each statement on the first Circuit be a good approach, using Watchlists like "Allowed Scan Source" and "Allowed Scan Destination"?
Just make sure you define the exception filters on each statement on the first circuit (as you said).
You can either use watchlists or just add the source/destination IP addresses individually.
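The difference between the two exception styles discussed above, as an added example that is not part of the thread and is not the product's rule syntax: a generic Python model of a port-scan rule, run once with explicit source/destination pairs and once with two independent watchlists. All addresses, the threshold, the window and the second "monitor" host are constructed assumptions, and the example goes beyond the single pair in the question to show what happens once the lists hold more than one entry.

```python
from collections import defaultdict

# Constructed hosts (assumptions, not from the thread)
PROXY, FIREWALL = "10.0.0.5", "10.0.0.1"
MONITOR, DB, OTHER = "10.0.0.7", "10.0.0.20", "10.0.0.99"

def burst(src, dst, start, ports):
    """Constructed sample events: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    return [(start + i, src, dst, p) for i, p in enumerate(ports)]

EVENTS = (burst(PROXY, FIREWALL, 0, range(40000, 40030))  # expected proxy noise
          + burst(PROXY, DB, 100, range(1, 31))           # proxy sweeping another host
          + burst(OTHER, FIREWALL, 200, range(1, 31)))    # unrelated host sweeping firewall

def detect_scans(events, is_excepted=lambda s, d: False, threshold=20, window=60):
    """Return the (src, dst) pairs hitting >= threshold distinct ports within window seconds."""
    seen = defaultdict(list)  # (src, dst) -> [(ts, port)]
    alerts = set()
    for ts, src, dst, port in sorted(events):
        if is_excepted(src, dst):
            continue  # exception applied before counting, like a filter on the first statement
        hits = seen[(src, dst)]
        hits.append((ts, port))
        hits[:] = [(t, p) for t, p in hits if ts - t <= window]
        if len({p for _, p in hits}) >= threshold:
            alerts.add((src, dst))
    return alerts

# Style 1: exceptions stored as explicit pairs
ALLOWED_PAIRS = {(PROXY, FIREWALL), (MONITOR, DB)}
def pair_exception(src, dst):
    return (src, dst) in ALLOWED_PAIRS

# Style 2: two independent watchlists; this excepts every source x destination combination
ALLOWED_SRC = {PROXY, MONITOR}
ALLOWED_DST = {FIREWALL, DB}
def watchlist_exception(src, dst):
    return src in ALLOWED_SRC and dst in ALLOWED_DST

if __name__ == "__main__":
    print("no exceptions:", sorted(detect_scans(EVENTS)))
    print("pair list    :", sorted(detect_scans(EVENTS, pair_exception)))
    print("watchlists   :", sorted(detect_scans(EVENTS, watchlist_exception)))
```

With a single entry in each watchlist the two styles behave the same; once a second pair is added, the watchlist version also hides proxy-to-DB activity that nobody approved.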