By default, Cognito will consider all private IP address space (RFC 1918) as being internal to your network.
Cognito can be configured to handle segments from within the private ip space to be considered outside your network.
Under Settings, Vectra, Private IPs outside your network (CIDR), you can specify one or more network ranges to fall in this category:
This can also be completed via VCLI commands as Vectra user on the brain. Please note the commands are not available on sensors as these settings are global.
set capture-network < network > < internal | external | drop >
set capture-network network 10.10.10.10/32 drop
set capture-network network 22.214.171.124/16 internal
There are three possible settings per subnet:
- Internal: The subnet is internal to the environment. Detections will be triggered for these hosts. All RFC-1918 addresses are considered internal in the default configuration.
- External: The subnet is external to the environment, should not be trusted and detections will only be triggered for these hosts if they communicate with internal hosts. All valid non-RFC-1918 addresses are considered external in the default configuration.
- Drop: All traffic related to the subnet is dropped. The drop IP is a global setting affecting the Brain and the paired sensors which will drop the packet at the capture ports and therefore will not be used in any traffic analysis. No detections will be generated for these hosts.
set capture-vlan < vlan > drop
set capture-vlan 100 drop
To remove :
unset capture-network [OPTIONS] [NETWORKS]... [internal|external|drop]
unset capture-vlan [OPTIONS] VLAN [drop]