How to Disable AiProtection By Mac Address

Neil62

Senior Member
Does anybody know how you can totally disable/bypass the use of ASUS AiProtection/whitelist for certain nominated MAC address/es from the web GUI screens?

Is this even possible or not? I can't seem to find a way by MAC address, i.e. bypass/don't use AiProtection for this MAC address.
 
Does anybody know how you can totally disable/bypass the use of ASUS AiProtection/whitelist for certain nominated MAC address/es from the web GUI screens?

Is this even possible or not? I can't seem to find a way by MAC address, i.e. bypass/don't use AiProtection for this MAC address.

No :(
 
AiProtection would be totally pointless if you open a door to exploits.

It protects the router against exploits and inspects the traffic even before it reaches the firewall.
 
As an administrator of the router the decision should be left to the administrator, and why not have the option as an administrator by MAC address/es?
 
You either want security or you don't.

It's like fitting security locks to protect your house then leaving the back door open for your mates ... and then anyone else that wants to come in.
 
As an administrator of the router the decision should be left to the administrator, and why not have the option as an administrator by MAC address/es?

Totally agree with you on this, but it looks like another half-thought-out idea.

I do not use AiProtection, but probably would if I could turn it on for only guest networks, but then we go into the issue of guest networks not working with AiMesh etc ...
 
Totally agree with you on this, but it looks like another half-thought-out idea.

I do not use AiProtection, but probably would if I could turn it on for only guest networks, but then we go into the issue of guest networks not working with AiMesh etc ...


So, you think it a good idea to bypass security for one device and allow in the exploits and malware that AiProtection is there to stop?

You enforce security on some devices but not your own, thereby infecting your router and the rest of your network?

That is well thought out?
 
So, you think it a good idea to bypass security for one device and allow in the exploits and malware that AiProtection is there to stop?

You enforce security on some devices but not your own, thereby infecting your router and the rest of your network?

That is well thought out?

Actually no, our own in-house devices have their own protection, but maybe not our customers' devices, so I think it would be a good idea to protect them.

Actually no, our own in-house devices have their own protection, but maybe not our customers' devices, so I think it would be a good idea to protect them.


Which is exactly the reason GUEST WiFi on your router offers the settings to prevent the use of your Intranet.
 
My point is this: if those devices which are nominated by MAC address to bypass AiProtection, and assuming the administrator of the router has taken all security risks into consideration, i.e. are running their own security (rules of administrator), you should be able to bypass AiProtection, deemed by the administrator of that router for that nominated device; all/any others (devices/guests) use AiProtection should it be enabled. It should be an administrator decision at the end of the day. Why have a software restriction? It should be decision (administrator) based.
How many people actually use the AiProtection provided by ASUS? It's disabled on startup by default anyway.
 
So, you think it a good idea to bypass security for one device and allow in the exploits and malware that AiProtection is there to stop?

You enforce security on some devices but not your own, thereby infecting your router and the rest of your network?

That is well thought out?
Just because you don't have any problem doesn't mean it is not a good decision. In one of our networks we are using a CCR1072 as the main router, in which the main part of the network is protected by some firewall. The ASUS is behind the CCR1072 and has its own public IP to provide WiFi for our guests. We had enabled AiProtection as it is better than nothing for our guests, but from time to time we have some guest device that is outdated/strange enough to trigger AiProtection, so we need to disable AiProtection for all guests. We don't use our firewall to protect the ASUS as it has very strict rules which will just give trouble to our guests, and it is not powerful enough to protect the whole network. If we can just disable it for the specific device only, we can still get notifications when something happens. Now you tell me, do you think it is a bad idea?

P.S. Why are we using ASUS for guest WiFi? Because it is much cheaper than a business-class AP, but we are phasing out all AC68U units due to some bug.
 
Yes, it is a totally stupid idea.

AiProtection has several selectable functions; the main function is intrusion protection. If you bypass that protection for one device, your router and ALL attached devices are exposed.


https://www.asus.com/AiProtection/
https://www.asus.com/support/FAQ/1012070/
We don't rely on AiProtection for protection; we use FortiGate and Check Point to protect our main network. As I said, AiProtection is just a "better than nothing" solution for our guests.
By the way, our guests can still infect each other even if nothing is bypassed.

We don't rely on AiProtection for protection; we use FortiGate and Check Point to protect our main network. As I said, AiProtection is just a "better than nothing" solution for our guests.
By the way, our guests can still infect each other even if nothing is bypassed.


But the ASUS guest settings prevent your guests seeing each other or your network.

The Guest Network provides Internet connection for guests but restricts access to your local network.
 
But the ASUS guest settings prevent your guests seeing each other or your network.

How do you know how others want to configure their network? You made this same comment to me, and the reply would be "Our customers need to connect to our intranet to access file servers"
 
AiProtection would be totally pointless if you open a door to exploits.

It protects the router against exploits and inspects the traffic even before it reaches the firewall.

AiProtection inspects both egress and ingress traffic, taking action (permitting or blocking) on traffic in either direction. Not only does it protect your network from the internet, but it protects the internet from your network.

Most of your comments have been about ingress traffic. But some users might want to disable egress traffic inspection from specific machines in their network. I can think of three likely examples.

Cryptocurrency Mining:
AiProtection will block egress traffic from a cryptocurrency miner. A user may want to use AiProtection to block all ingress traffic, but permit egress traffic from her miner.

Kali Linux:
Or similar penetration testing Linux distributions will also have egress traffic blocked by AiProtection. A security-minded researcher would still want AiProtection to inspect her ingress traffic, but would want to whitelist her Kali Linux machine.

False Positives:
I've noticed users complaining about potential false positives. If AiProtection is falsely blocking outgoing traffic from their webcam, media player, or NAS, their only means of enabling that outgoing traffic to the internet is to disable both egress and ingress monitoring by AiProtection. If the network admin could simply whitelist a MAC or IP, then the rest of her network would remain protected.

Without the ability to whitelist netflow to specific machines within a network, AiProtection will inspect and potentially block all egress and ingress traffic. It shouldn't be all or nothing. There are conditions where an admin will want to selectively control exceptions.
 
I suppose an easy workaround is to install a second ASUS router with AiProtection disabled and have the special-case systems connect to that. Maybe you can isolate this router in a DMZ so it only has access to the internet.

I do wish ASUS would make AiProtection more flexible. For example, I wish time scheduling and web/app filters were combined so that I can schedule when to block certain web/apps instead of just blocking all internet access. This would also require that the list allow for duplicate client entries so I can block certain things on one schedule and block others on another schedule.
 
