
Adding and Configuring an IP Whitelist in NxtFireGuard

In this guide, you'll learn how to create, configure, and apply an IP whitelist in NxtFireGuard. A whitelist is a list of trusted IP addresses or ranges that bypass threat detection: NxtFireGuard excludes the listed IPs or subnets from processing wherever the whitelist is applied.


πŸ“ What is an IP Whitelist?​

An IP Whitelist is a set of IP addresses or subnets marked as trusted, allowing them to bypass security measures that would typically apply. Use this feature to ensure that NxtFireGuard doesn't inadvertently block trusted traffic from specific IPs or networks. Because a whitelisted source skips detection entirely for the hosts or blocklists the whitelist is applied to, keep the list to addresses you control and prefer single /32 entries over broad subnets.


🛠 Step-by-Step Guide to Creating a Whitelist

Follow these steps to create a new IP whitelist in NxtFireGuard:

  1. Open the Whitelist Menu

    • Go to Whitelists and click the + button to create a new whitelist.
  2. Name the Whitelist

    • Give your whitelist a descriptive name. The name can be changed at any time.
  3. Configure the Whitelist

    • Click the Edit button to access whitelist settings.

    The Edit page includes two sections:

    • Section 1: Subnets - Add subnets or single IPs to be whitelisted.
    • Section 2: Apply Whitelist - Apply the whitelist on a per-host or per-blocklist basis, or both.

🌐 How to Add a Subnet or Single IP

To add specific IPs or subnets to your whitelist:

  1. Click the + Button

    • Open the Subnets section and click the + button to add an IP or subnet.
  2. Enter a Description

    • Provide a description for the IP or subnet in the Description column to help identify its purpose.
  3. Input the Subnet or Single IP

    • Enter the IP address or subnet in the Subnet column.
  4. Set the Netmask

    • Specify the netmask using CIDR notation. For a single IP, use a /32 mask to apply the rule to just that address. Make sure the address you enter is the network address for that mask (192.168.1.0/24, not 192.168.1.5/24), and use the narrowest mask that covers the hosts you actually trust.
  5. Save the Subnet or IP

    • Click Done to save your entry.

  • Example: adding the subnet 192.168.1.0/24 to the whitelist.

  • Example: adding the single IP 10.0.0.10/32 to the whitelist.

🔄 Applying the Whitelist

The IP whitelist can be applied on either a per-host or per-blocklist basis to control where it takes effect.

Note: A whitelisted IP only suppresses alerts where the whitelist has been applied; the exact conditions for each application method are listed below.


Applying the Whitelist on a Per-Host Basis 🖥

This application method ensures that any threat logs from specific hosts containing a whitelisted IP in the source field are ignored.

Conditions:

  • Condition 1: The host sending the alert must be part of the Applied Hosts list.
  • Condition 2: The threat log’s source_ip must match an IP in the Whitelisted Subnets.

Example: Apply the whitelist to the docs-paloalto and docs-firepower hosts.

Result: Alerts from docs-paloalto and docs-firepower that contain a source IP within the whitelisted subnets (192.168.1.0/24 or 10.0.0.10/32) won’t be processed.


Applying the Whitelist on a Per-Blocklist Basis 🛑

This option allows the whitelist to exempt certain blocklists from blocking specific IPs.

Conditions:

  • Condition 1: The host sending the alert must contribute to a blocklist included in Applied Blocklists.
  • Condition 2: The threat log’s source_ip must be within one of the Whitelisted Subnets.

Example: Apply the whitelist to Demo-Blocklist-1.

Result: Alerts for the Demo-Blocklist-1 blocklist containing source IPs within whitelisted subnets (192.168.1.0/24 or 10.0.0.10/32) won’t be processed.


Combined Example: Apply Whitelist to Hosts and Blocklist

To ensure both the hosts (docs-paloalto, docs-firepower) and the blocklist Demo-Blocklist-1 are exempt from processing alerts triggered by whitelisted IPs:

  1. Apply the whitelist to the docs-paloalto and docs-firepower hosts.
  2. Apply the whitelist to the Demo-Blocklist-1 blocklist. Each blocklist has hosts that contribute alerts to it, and applying the whitelist to a blocklist ensures that whitelisted IPs from any contributing hosts are exempt from this Blocklist.

[Screenshot: whitelist applied on a per-host and per-blocklist basis]

Result: Any alert originating from docs-paloalto or docs-firepower, or any host contributing to Demo-Blocklist-1, will bypass processing if the alert's source IP matches a whitelisted IP or subnet (192.168.1.0/24 or 10.0.0.10/32).


This configuration gives the most flexibility: trusted IPs or subnets can be exempted both for individual hosts and for blocklists that aggregate input from multiple sources.
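The following Python script is an added example, not NxtFireGuard's own code, that models the two whitelist conditions described above (source IP inside a whitelisted subnet, plus either a per-host or a per-blocklist application) and runs them over a few constructed threat logs. It also shows the CIDR check from the subnet-entry steps: an entry with host bits set, such as 192.168.1.5/24, is rejected here rather than silently widened to the whole /24. That rejection, the host name docs-fortigate, the blocklist Demo-Blocklist-2, and the sample logs are assumptions made for the example; the guide does not document how the product itself handles such entries.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_subnet(entry):
    """Parse one 'Subnet' column value written in CIDR notation.

    strict=True rejects an entry whose host bits are set, such as
    '192.168.1.5/24'. The guide does not say how NxtFireGuard treats such
    input, so this example refuses it instead of silently widening the
    exemption to the whole /24 (assumption, not documented product behaviour).
    """
    return ipaddress.ip_network(entry, strict=True)


def subnet_is_valid(entry):
    """True if entry is a well-formed CIDR with no host bits set."""
    try:
        parse_subnet(entry)
        return True
    except ValueError:
        return False


@dataclass
class Whitelist:
    name: str
    subnets: list                         # parsed ip_network objects
    applied_hosts: set = field(default_factory=set)
    applied_blocklists: set = field(default_factory=set)

    def contains(self, ip):
        """Condition 2: the log's source_ip falls inside a whitelisted subnet."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.subnets)


def is_suppressed(host, source_ip, blocklist, wl, contributors):
    """Decide whether a threat log (host, source_ip) bound for `blocklist`
    is ignored under the guide's rules.

    Per-host:      host is in Applied Hosts                  -> ignored.
    Per-blocklist: blocklist is in Applied Blocklists and
                   host contributes to that blocklist        -> ignored for
                                                                that blocklist.
    In both cases source_ip must also match a whitelisted subnet.
    """
    if not wl.contains(source_ip):
        return False
    if host in wl.applied_hosts:
        return True
    return (blocklist in wl.applied_blocklists
            and host in contributors.get(blocklist, set()))


# Constructed whitelist mirroring the guide's combined example.
WHITELIST = Whitelist(
    name="docs-whitelist",
    subnets=[parse_subnet("192.168.1.0/24"), parse_subnet("10.0.0.10/32")],
    applied_hosts={"docs-paloalto", "docs-firepower"},
    applied_blocklists={"Demo-Blocklist-1"},
)

# Which hosts feed which blocklist (constructed; docs-fortigate and
# Demo-Blocklist-2 are hypothetical names that do not appear in the guide).
CONTRIBUTORS = {
    "Demo-Blocklist-1": {"docs-paloalto", "docs-firepower", "docs-fortigate"},
    "Demo-Blocklist-2": {"docs-fortigate"},
}

# Constructed threat logs: (sending host, source_ip, target blocklist).
SAMPLE_LOGS = [
    ("docs-paloalto", "192.168.1.77", "Demo-Blocklist-1"),  # per-host match
    ("docs-fortigate", "10.0.0.10", "Demo-Blocklist-1"),    # per-blocklist match
    ("docs-fortigate", "10.0.0.11", "Demo-Blocklist-1"),    # outside the /32
    ("docs-paloalto", "203.0.113.5", "Demo-Blocklist-1"),   # IP not whitelisted
    ("docs-fortigate", "192.168.1.9", "Demo-Blocklist-2"),  # blocklist not applied
]


def triage(logs, wl=WHITELIST, contributors=CONTRIBUTORS):
    """Map each log to 'ignored' or 'processed' according to the rules above."""
    return {
        log: ("ignored" if is_suppressed(*log, wl, contributors) else "processed")
        for log in logs
    }


if __name__ == "__main__":
    for log, verdict in triage(SAMPLE_LOGS).items():
        print(f"{verdict:9s} {log}")
```

The last two sample logs are the ones worth checking against your own configuration: a host that merely contributes to a non-applied blocklist, or a source one address outside a /32, is still processed, which is the behaviour you want from a narrowly scoped whitelist.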


If you have questions or need further help, our support team is available: Contact Support.