Considerations for configuring APM Resource Protection whitelist

Article ID: 167977

Products

XOS

Issue/Introduction

Only individual IP addresses or circuits can be placed on the APM Resource Protection whitelist.

Cause

The whitelist in APM Resource Protection lets you define trusted hosts that are not subject to detection and mitigation. The current implementation accepts up to 100 specific IP addresses:
 
CBS# configure apm-resource-protection
CBS(conf-apm-res-protection)# enable
CBS(conf-apm-res-protection)# white-list
CBS(conf-apm-res-prot-white-list)# ip 192.168.1.1
CBS(conf-apm-res-prot-white-list)# ip 192.168.1.2
CBS(conf-apm-res-prot-white-list)# ip 192.168.1.3
...

The CLI does not allow an IP subnet to be configured.

Resolution

N/A

Workaround

If a large number of hosts behind a single circuit need to be on the whitelist, consider putting the circuit itself in the whitelist configuration instead of the individual hosts:

CBS(conf-apm-res-protection)# white-list
CBS(conf-apm-res-prot-white-list)# circuit dmz
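
Because the CLI takes only single addresses, a subnet has to be expanded into individual `ip` lines and checked against the 100-address limit before it is typed in. The following Python helper is an added example, not part of the original article or of XOS; the function names and the `fallback_circuit` parameter are hypothetical, it assumes IPv4 input as in the article's examples, and it emits only the commands shown above.

```python
import ipaddress

MAX_IPS = 100  # whitelist limit for individual IP addresses stated in the article


def expand_hosts(entries, cap=MAX_IPS):
    """Expand IPv4 addresses and CIDR subnets into unique host addresses.

    Stops as soon as more than `cap` hosts are collected, so a large subnet
    is never fully enumerated.
    """
    hosts, seen = [], set()
    for entry in entries:
        # Strict parsing: "192.168.1.5/24" (host bits set) raises ValueError
        # instead of silently widening to the whole /24.
        net = ipaddress.IPv4Network(entry.strip())
        # A bare address parses as a /32; for subnets, hosts() skips the
        # network and broadcast addresses.
        addrs = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for addr in addrs:
            if addr not in seen:
                seen.add(addr)
                hosts.append(addr)
                if len(hosts) > cap:
                    return hosts
    return hosts


def whitelist_commands(entries, fallback_circuit=None):
    """Return the CLI lines to type, using only commands shown in the article."""
    hosts = expand_hosts(entries)
    lines = ["configure apm-resource-protection", "white-list"]
    if len(hosts) <= MAX_IPS:
        lines += [f"ip {h}" for h in hosts]
    elif fallback_circuit:
        # Workaround from the article: whitelist the circuit itself. This
        # trusts everything behind that circuit, so it is opt-in only.
        lines.append(f"circuit {fallback_circuit}")
    else:
        raise ValueError(f"more than {MAX_IPS} hosts and no fallback circuit given")
    return lines


if __name__ == "__main__":
    # Constructed sample input: two single hosts plus a small subnet.
    print("\n".join(whitelist_commands(["192.168.1.1", "192.168.1.2", "10.0.0.0/29"])))
```

The `enable` command is left to the operator, and the circuit fallback is used only when a circuit name is passed explicitly.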