How to create Network IPS exceptions for Host Intrusion Prevention

When you create a Network IPS exception for Host IPS 8.0, use the parameter name Remote IP Address. This parameter name accepts either a single IP address or an IP address range.

NOTE: Wildcards and Classless Inter-Domain Routing (CIDR) notation values are not acceptable. An error is generated in the Firesvc.log file, similar to the following:

Valid value: 10.10.10.1
Valid value: 10.10.10.1-10.10.10.255
Invalid value: 10.10.10.0/8
Invalid value: 10.*.10.1

01/31/2013 11:49:40 NipsPolicy.cpp[596] VERBOSE  (2000) NipsExceptionsBuilder::Add() - nips exception sig[4] = 3700 for [10.10.10.1].
01/31/2013 11:49:40 NipsPolicy.cpp[596] VERBOSE  (2000) NipsExceptionsBuilder::Add() - nips exception sig[4] = 3700 for [10.10.10.1-10.10.10.255].
01/31/2013 11:49:40 NipsPolicy.cpp[588] WARNING  (2000) NipsExceptionsBuilder::Add() - nips exception Remote IP Address does not contain a valid IP Address or range [10.10.10.0/8].
01/31/2013 11:49:40 NipsPolicy.cpp[588] WARNING  (2000) NipsExceptionsBuilder::Add() - nips exception Remote IP Address does not contain a valid IP Address or range [10.*.10.1].

1. Log on the ePO console.
2. Click Policy Catalog.
3. Select Host Intrusion Prevention 8.0:IPS from the Product drop-down.
4. Select IPS Rules (All Platforms) from the Category drop-down.
5. Click Edit Settings for the IPS Rules policy that you want to change.
   1. Click the Exception Rules tab.
   2. Click New.
   3. Provide an Exception Name.
   4. Select Enabled for Status.
   5. Click Add Signatures for the Signatures entry.
   6. Set the Type filter to Network IPS. 
   7. Select the Network IPS signature to add to the exception and click OK.
       
      NOTE: If no signature is added, the exception applies to all IPS signatures.
       
   8. Click New under Parameters.
      1. In the drop-down list, select (or manually type): Remote IP Address.
          
         NOTE: If the drop-down list does not display, make sure that you have enabled Compatibility Mode within the Internet Explorer browser.
          
      2. In the Value section, add a single IP address or an IP address range.
          
         NOTE: Other Remote IP Address parameters can be used in an IPS exception, but make sure that no other parameter names are used. A Network IPS exception accepts only the Remote IP Address parameter.
          
      3. Click OK.
          
   9. Click OK again to save the new IPS exception.
       
6. Click Save to save the new exception change to the IPS Rules policy.

You can also create a Network IPS exception from a Network IPS event. When you are viewing a Network IPS event, do the following:

1. Open the Actions menu and select New Exception (Host IPS 8.0).
2. Select the IPS Rules policy to which you want to add the exception. 
3. After you add the exception to your IPS Rules policy, modify the new rule to add or remove any additional information as needed.