Tim_R

Turning Firewall Out of Rules

2016-06-20T20:28:51Z | firewall offenses tuning

I am working on tuning my QRadar Offenses and am getting numerous Offenses where one of my main firewalls is the source:

Excessive Firewall Denies Between Hosts containing Firewall Deny

I looked at the Offenses for Excessive Firewall Denies and I see it is excluding the BB:HostDefinition: Servers.  The problem is that there is no building block for firewalls.

I know I could just use the False Positive for this Offense and enter my firewall IP, but I was curious what others have done for tuning activity from their firewall out of rules.  Do you create a building block for firewall servers and put that in the BB:HostDefinition: Servers?  Or something else that has worked?


Thanks for your help,
Tim
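Before excluding a host from the Excessive Firewall Denies rule, it is worth confirming from the event data which sources actually account for the deny volume and whether the candidate exclusion list already covers them. The following QRadar AQL query is an added example, not part of the original post or of IBM's rule content; it assumes you have created a reference set named `Firewall_Hosts` holding the firewall management IPs you intend to tune out (the building-block approach asked about above would typically be populated from such a set). Run it from the Log Activity tab's Advanced Search.

```sql
SELECT sourceip,
       COUNT(*) AS deny_count,
       REFERENCESETCONTAINS('Firewall_Hosts', sourceip) AS in_firewall_set
FROM events
WHERE CATEGORYNAME(category) = 'Firewall Deny'
GROUP BY sourceip
ORDER BY deny_count DESC
LIMIT 20
LAST 24 HOURS
```

The `in_firewall_set` column shows, for each of the top deny sources, whether it is already in the assumed `Firewall_Hosts` reference set. Rows with a high `deny_count` and `in_firewall_set = false` are either the hosts you still need to add to the set (if they are genuinely firewalls) or sources that should keep triggering the rule; checking this before tuning avoids a blanket exclusion that also hides a real scanning host behind the firewall's address.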