
How do I exclude subnets from detections and host counts?

By default, Cognito treats all private IP address space (RFC 1918) as internal to your network.

Cognito can be configured to treat specific segments within the private IP space as outside your network.

Under Settings, Vectra, Private IPs outside your network (CIDR), you can specify one or more network ranges that fall into this category:

(Screenshot: excludesubnets.png, the Private IPs outside your network (CIDR) setting)

This can also be done with VCLI commands, run as the Vectra user on the Brain. Note that the commands are not available on sensors, as these settings are global.

set capture-network < network > < internal | external | drop >

Examples:
set capture-network network 10.10.10.10/32 drop
set capture-network network 192.167.0.0/16 internal

There are three possible settings per subnet:

  • Internal: The subnet is internal to the environment. Detections will be triggered for these hosts. All RFC-1918 addresses are considered internal in the default configuration.
  • External: The subnet is external to the environment, should not be trusted and detections will only be triggered for these hosts if they communicate with internal hosts. All valid non-RFC-1918 addresses are considered external in the default configuration.
  • Drop: All traffic related to the subnet is dropped. The drop IP is a global setting affecting the Brain and the paired sensors which will drop the packet at the capture ports and therefore will not be used in any traffic analysis. No detections will be generated for these hosts.

A VLAN can be dropped in the same way:

set capture-vlan < vlan > drop

Example:
set capture-vlan 100 drop

To remove a setting:

unset capture-network [OPTIONS] [NETWORKS]... [internal|external|drop]
unset capture-vlan [OPTIONS] VLAN [drop]
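To make the three classes and their effect on a flow concrete, here is a small added Python model (not Vectra code and not the Brain's actual implementation). It parses `set capture-network` lines in the form shown above, applies the RFC 1918 default, and reports whether a flow is dropped, analyzed, or ignored; the assumption that the most specific configured prefix wins when ranges overlap is mine, not something the article states.

```python
import ipaddress

# Default classes described in the article: RFC 1918 space is internal,
# every other valid address is external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_capture_rules(lines):
    """Parse 'set capture-network network <cidr> <internal|external|drop>'
    lines (the VCLI form shown above) into (network, class) pairs."""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[:3] != ["set", "capture-network", "network"]:
            raise ValueError(f"unrecognised rule: {line!r}")
        cidr, cls = parts[3], parts[4]
        if cls not in ("internal", "external", "drop"):
            raise ValueError(f"unknown class {cls!r} in {line!r}")
        rules.append((ipaddress.ip_network(cidr, strict=False), cls))
    return rules

def classify(ip, rules):
    """Class of a single address. Assumption (not stated in the article):
    when configured ranges overlap, the most specific prefix wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, cls) for net, cls in rules if addr in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return "internal" if any(addr in n for n in RFC1918) else "external"

def flow_disposition(src, dst, rules):
    """How a flow is handled: a dropped subnet on either side never reaches
    analysis; otherwise detections need an internal host on at least one side."""
    a, b = classify(src, rules), classify(dst, rules)
    if "drop" in (a, b):
        return "dropped"
    if "internal" in (a, b):
        return "analyzed"
    return "ignored"  # external <-> external: no detections for either host

if __name__ == "__main__":
    # Constructed config: the article's two examples plus an RFC 1918 range
    # moved outside the network (what the CIDR setting in the UI does).
    cfg = parse_capture_rules(["set capture-network network 10.10.10.10/32 drop",
                               "set capture-network network 192.167.0.0/16 internal",
                               "set capture-network network 172.16.0.0/12 external"])
    print(flow_disposition("8.8.8.8", "172.16.5.5", cfg))  # ignored
```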