The Bypass ePO Requests rule set is a library rule set for allowing requests from a Trellix ePO server to bypass filtering rules on an appliance.
|Library rule set – Bypass ePO Requests|
|Criteria – Command.Name equals “CONNECT”|
|Cycles – Requests (and IM)|
The rule set criteria specify that the rule set applies when the SSL-secured communication between an ePO™ server and an appliance begins with a request from the server to connect to the appliance.
The rule set contains the following rule.
Skip subsequent rules for ePO requests
URL.Host equals “127.0.0.1” OR URL.Host equals “[::1]” –> Stop Cycle – Enable SSL Client Context<Default CA> – Enable SSL Scanner<Certificate verification without edh>
The rule uses the URL.Host property to identify the host of a requested URL, based on the IP address of the host.
If this address is 127.0.0.1, the host of the requested URL is the appliance. When the ePO™ server sends a request to connect to the appliance, it uses this address. The rule matches the IPv6 loopback form [::1] in the same way.
So if 127.0.0.1 is the requested address, the rule applies and stops all further processing in the request cycle. This way the CONNECT request is allowed to pass through.
The next step in this process is sending and verifying certificates. The rule includes an event to enable the sending of a client certificate that is issued by the default certificate authority.
You can modify the event settings to have the certificate issued by another authority.
When certificate verification has been completed, the SSL-secured communication can go ahead.
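Because the rule stops the request cycle for every CONNECT request to the loopback address, it is worth checking that only the ePO server sends such requests. The following is an added example, not Trellix code or part of the product: it models the rule's match as described above and flags loopback CONNECT requests from other clients. The log line layout, the client addresses and the assumption that "equals" is an exact string comparison are all assumptions made for the example.

```python
# Added example: model of the Bypass ePO Requests match, used to audit request records.
# Assumption: "equals" compares URL.Host as an exact string.
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]"}  # URL.Host values from the rule on this page


def host_of(target):
    """Strip an optional :port, keeping IPv6 brackets ("[::1]:443" -> "[::1]")."""
    if target.startswith("["):
        return target[: target.index("]") + 1]
    return target.split(":", 1)[0]


def bypasses_filtering(command, target):
    """True when the criteria (CONNECT) and the rule (loopback host) both match."""
    return command == "CONNECT" and host_of(target) in LOOPBACK_HOSTS


def unexpected_bypass(lines, epo_servers):
    """Return (client_ip, target) for bypassed requests not sent by a known ePO server."""
    hits = []
    for line in lines:
        client_ip, command, target = line.split()
        if bypasses_filtering(command, target) and client_ip not in epo_servers:
            hits.append((client_ip, target))
    return hits


# Constructed sample lines in a hypothetical "<client_ip> <command> <target>" layout.
SAMPLE_LINES = [
    "192.0.2.10 CONNECT 127.0.0.1:443",    # ePO server, expected
    "192.0.2.10 CONNECT [::1]:443",        # ePO server over IPv6 loopback, expected
    "198.51.100.7 CONNECT 127.0.0.1:443",  # other client hitting the bypass
    "198.51.100.7 GET 127.0.0.1:80",       # criteria not met, rule set not applied
    "198.51.100.8 CONNECT example.com:443",  # rule not matched, normal filtering
]
EPO_SERVERS = {"192.0.2.10"}  # assumed address of the ePO server

if __name__ == "__main__":
    for client_ip, target in unexpected_bypass(SAMPLE_LINES, EPO_SERVERS):
        print(f"review: {client_ip} sent CONNECT to {target} and skipped filtering")
```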