Disabling/bypassing a particular signature for particular traffic in IDPS

Alex 355 Reputation points
2024-01-16T15:53:19.8433333+00:00

Hello,

There is a false positive alert in the IDPS logs and I am looking to bypass that particular signature ID for that particular traffic (source, destination and port), but it seems like there is not a way to do this in IDPS currently.

I noticed there are two options now,

  1. Bypass list - which filters all IDPS signatures for that traffic OR
  2. Disabling that signature ID - which disables it for the entire firewall.

Both seem to be less secure.

Kindly suggest how to proceed on this.

Thanks in advance.

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

2 answers

  1. Alex 355 Reputation points
    2024-01-17T09:19:35.56+00:00

    Fellow Azure Buddies, as discussed with @KapilAnanth-MSFT in the comments, currently it is not possible to make an exception/filter in IDPS with both signature ID + traffic. If you stumble across this question, kindly provide your support by upvoting the feedback items/threads below for this feature to be implemented. Thank you in advance.

    https://feedback.azure.com/d365community/idea/8f823272-04b5-ee11-92bc-0022484c4141

    https://techcommunity.microsoft.com/t5/azure-network-security/granular-filtering-in-azure-idps/m-p/4031469#M158

    1 person found this answer helpful.

  2. KapilAnanth-MSFT 45,111 Reputation points Microsoft Employee
    2024-01-17T09:32:28.5166667+00:00

    @Alex

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    I understand that you would like to look at the options for fine-tuning IDPS rules in Azure Firewall.

    Currently, the only methods available are the ones you had specified. Creating exceptions with the tuple (source, destination and port) is not available.

    I see you have created a feedback item for this,

    Thanks for your continued contribution on Q&A; I much appreciate you taking the time to share your feedback.

    Thanks, Kapil


    Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

