topic Re: Threat Prevention - Qualys PCI in General Topics

Threat Prevention - Qualys PCI

GMHBA — Tue, 26 Jul 2016 08:17:00 GMT

Hi all, I have a bit of a dilema here and hoping somebody may have some ideas....

We have threat prevention profiles applied to security policies relating to traffic entering our DMZ from the internet.
We have PCI obligations and use Qualys' PCI scanning services.
We are receiving a PCI fail during the scanning process due to the threat prevention profiles doing their job (blocking the attempts)

We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfeared with.

Unfortunately I can only see three options, neither of which is viable due to the management overhead...

Adding IP exclusions against every threat signature, or
Duplicating every security policy - for each of the duplicated policies adding Qualys' IP addresses to the source address list, removing the threat prevention profile and ensuring it's ordered such that it is processed before the rule containing the threat prevention profile.
Disabling the threat prevention profiles on each rule during the scan.

Anybody got any tricks up their sleeves?

Luke

Re: Threat Prevention - Qualys PCI

Raido_Rattameister — Tue, 26 Jul 2016 15:00:52 GMT

Those scans are really strange.

If firewall blocks then result is "interference".

If firewall does not block then result is "unneeded open services" (we use 1-to-1 static nat mapping).

One option is to push scan in 2 steps.

First without specific rules in place to see what regular internet users see and second scan with top rule that permits anything from Qualys IP's during scan period. Security profile "log only" for this traffic.

Also you have to set zone protection profile to log only during scan period. For second scan if you do it in 2 steps.

Re: Threat Prevention - Qualys PCI

GMHBA — Wed, 27 Jul 2016 01:29:52 GMT

Thanks Raido, to clarify though they have no issues with ports being closed. Their issue is with the traffic on open ports being interfeared with by the threat prevention profile.

I did think about a single policy for all traffic from Qualys and have it operating on a sechedule, however as you say that will show unnecessary ports being opened.

Guess I just need to stick to the manual process and hope that PA release some sort of 'whitelisting' capability in a future release.

Re: Threat Prevention - Qualys PCI

OtakarKlier — Wed, 27 Jul 2016 23:05:52 GMT

Hello,

I ran into this as well, here is what I did to work around the issue.

I created a policy above all the other polices that sourced from the Qualys IP range to my external IP's and disabled threat profiles.

https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

This way the scans can happen, are only from the vendors IP range and are not interfered with.

Hope this helps.

Cheers!

Re: Threat Prevention - Qualys PCI

GMHBA — Sat, 30 Jul 2016 04:19:06 GMT

I did think of that Otakar, although I would then have to deal with the old "unnecessary ports open" issue as ports would be open to servers that dont necessarily need it.

I'm not sure why it's so hard for PA to provide a whitelisting option like a traditional IPS.

Luke

Re: Threat Prevention - Qualys PCI

Ecaballero — Fri, 06 Sep 2019 16:11:46 GMT

We are trying to find a solution to this as well. How to whitelist the Qualys Scanner Ip's without opening up additional ports.

There has to be an easy way to just whitelist different IP ranges, without doing a

Source : QUalys, destination: Any: Port : Any, Action Allow: Which would in effect open up all the ports which is not what we want to do, just whitelist the Scanner so it doesn't alert for existing open ports.

Re: Threat Prevention - Qualys PCI

johnlewis — Tue, 29 Mar 2022 19:07:04 GMT

Has there been any updates to this problem? Seems to still be an issue in 2022. How do we create a security policy that:
1) bypasses the IPS functions on the PAs
2) maintains the firewall functions without exposing additional internal address space or ports
3) without creating an exception for every IDS rule

Re: Threat Prevention - Qualys PCI

Stefano-iQera — Thu, 11 Jul 2024 14:53:42 GMT

Hi, we have the same problem, anyone found a solution without rewriting security rules specific for Qualys or other external scanner subnets?

Thanks

Re: Threat Prevention - Qualys PCI

OtakarKlier — Thu, 11 Jul 2024 15:03:20 GMT

Hello,

I created a policy above all the other polices that sourced from the Qualys IP range to my external IP's and disabled threat profiles.

https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

https://success.qualys.com/support/s/article/000003528

Should look something like:

Source Address = Qualys IP ranges, destination Address = <Your External IP Ranges>, Allow everything, no filtering, log at session end

This way the scans can happen, are only from the vendors IP range and are not interfered with.

Hope this helps.

Cheers!

Re: Threat Prevention - Qualys PCI

Stefano-iQera — Mon, 05 Aug 2024 12:50:23 GMT

Ok thanks but if you have bidirectional natted servers or 1-to-1 static nats, secured by policy rules, you'll expose all the ports of those servers to Qualys.

Re: Threat Prevention - Qualys PCI

OtakarKlier — Thu, 08 Aug 2024 14:59:31 GMT

Hello,

You are correct. Hence the reason for the whitelisting and blocking all others etc.

Regards,