Threat Prevention - Qualys PCI

L1 Bithead

Threat Prevention - Qualys PCI

Hi all, I have a bit of a dilemma here and hoping somebody may have some ideas....

  1. We have threat prevention profiles applied to security policies relating to traffic entering our DMZ from the internet.
  2. We have PCI obligations and use Qualys' PCI scanning services.
  3. We are receiving a PCI fail during the scanning process due to the threat prevention profiles doing their job (blocking the attempts).

We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfered with.

Unfortunately I can only see three options, none of which is viable due to the management overhead...

  1. Adding IP exclusions against every threat signature, or
  2. Duplicating every security policy - for each of the duplicated policies adding Qualys' IP addresses to the source address list, removing the threat prevention profile and ensuring it's ordered such that it is processed before the rule containing the threat prevention profile.
  3. Disabling the threat prevention profiles on each rule during the scan.

Anybody got any tricks up their sleeves?

Luke
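An added example (not code from this thread or from Palo Alto Networks) that takes the overhead out of option 2 in the post above: for every inbound rule that carries a threat prevention profile it derives a scanner-only clone with the same destination, application and service, so no ports are opened that the original rule did not already allow, and orders it above the original. The rule names, zones, address group and sample rulebase are constructed, and the PAN-OS `set`/`move` CLI syntax is assumed from memory, so check it against your PAN-OS version before committing.

```python
# Added example, not from the thread: automate option 2 from the post above.
# For each inbound rule that carries a threat prevention profile group, build a
# clone that matches only the scanner addresses, keeps the SAME destination,
# application and service (so no extra ports are opened), drops the profile,
# and is moved above the original. Names, zones and the address group are
# hypothetical; the PAN-OS "set"/"move" syntax is assumed from memory and must
# be checked against the target PAN-OS version before committing.

SCANNER_ADDR = "Qualys-PCI-Scanners"  # address group holding the vendor's published ranges
INBOUND = ("untrust", "dmz")          # zone pair the scans enter through

# Constructed sample rulebase (not a real policy).
EXISTING_RULES = [
    {"name": "Inbound-Web", "from": "untrust", "to": "dmz", "destination": ["DMZ-Web-VIP"],
     "application": ["web-browsing", "ssl"], "service": ["service-http", "service-https"],
     "profile_group": "Inbound-TP"},
    {"name": "Inbound-SFTP", "from": "untrust", "to": "dmz", "destination": ["DMZ-SFTP"],
     "application": ["ssh"], "service": ["application-default"], "profile_group": "Inbound-TP"},
    {"name": "Outbound-Updates", "from": "dmz", "to": "untrust", "destination": ["any"],
     "application": ["any"], "service": ["any"], "profile_group": "Outbound-TP"},
    {"name": "Inbound-Bastion", "from": "untrust", "to": "dmz", "destination": ["DMZ-Bastion"],
     "application": ["ssh"], "service": ["application-default"], "profile_group": None},
]

def _cli_list(values):
    """PAN-OS CLI takes a bare token for one value and '[ a b ]' for several."""
    return values[0] if len(values) == 1 else "[ " + " ".join(values) + " ]"

def scanner_clone(rule):
    """Return the scanner counterpart of an inbound rule, or None if none is needed."""
    if (rule["from"], rule["to"]) != INBOUND or not rule["profile_group"]:
        return None  # outbound rules and rules without a profile never interfere with the scan
    clone = {k: v for k, v in rule.items() if k != "profile_group"}  # profile deliberately dropped
    clone["name"] = "Scan-" + rule["name"]
    clone["source"] = [SCANNER_ADDR]  # the only change on the match side
    return clone

def set_commands(clone, original_name):
    """CLI lines that create the clone (no profile-setting) and order it above the original."""
    n = clone["name"]
    return [
        f"set rulebase security rules {n} from {clone['from']} to {clone['to']} "
        f"source {SCANNER_ADDR} destination {_cli_list(clone['destination'])} "
        f"application {_cli_list(clone['application'])} service {_cli_list(clone['service'])} "
        f"action allow log-end yes",
        f"move rulebase security rules {n} before {original_name}",
    ]

def generate(rules):
    """All CLI lines for a rulebase; each scanner rule inherits only the original's scope."""
    out = []
    for rule in rules:
        clone = scanner_clone(rule)
        if clone:
            out.extend(set_commands(clone, rule["name"]))
    return out

if __name__ == "__main__":
    print("\n".join(generate(EXISTING_RULES)))
```

Because the clone never carries a profile-setting, the scanner traffic is still logged (log-end) but not blocked, while every other source keeps hitting the original rule and its threat prevention profile.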

L7 Applicator

Re: Threat Prevention - Qualys PCI

Those scans are really strange.

If the firewall blocks, then the result is "interference".

If the firewall does not block, then the result is "unneeded open services" (we use 1-to-1 static NAT mapping).

One option is to push the scan in 2 steps.

First without specific rules in place to see what regular internet users see, and second scan with a top rule that permits anything from Qualys IPs during the scan period. Security profile "log only" for this traffic.

Also you have to set the zone protection profile to log only during the scan period, for the second scan if you do it in 2 steps.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L1 Bithead

Re: Threat Prevention - Qualys PCI

Thanks Raido, to clarify though they have no issues with ports being closed. Their issue is with the traffic on open ports being interfered with by the threat prevention profile.

I did think about a single policy for all traffic from Qualys and have it operating on a schedule, however as you say that will show unnecessary ports being opened.

Guess I just need to stick to the manual process and hope that PA releases some sort of 'whitelisting' capability in a future release.

L7 Applicator

Re: Threat Prevention - Qualys PCI

Hello,

I ran into this as well, here is what I did to work around the issue.

I created a policy above all the other policies that sourced from the Qualys IP range to my external IPs and disabled threat profiles.

https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

This way the scans can happen, are only from the vendor's IP range and are not interfered with.

Hope this helps.

Cheers!

L1 Bithead

Re: Threat Prevention - Qualys PCI

I did think of that Otakar, although I would then have to deal with the old "unnecessary ports open" issue as ports would be open to servers that don't necessarily need it.

I'm not sure why it's so hard for PA to provide a whitelisting option like a traditional IPS.

Luke

L0 Member

Re: Threat Prevention - Qualys PCI

We are trying to find a solution to this as well. How to whitelist the Qualys Scanner IPs without opening up additional ports.

There has to be an easy way to just whitelist different IP ranges, without doing a

Source: Qualys, Destination: Any, Port: Any, Action: Allow, which would in effect open up all the ports, which is not what we want to do, just whitelist the Scanner so it doesn't alert for existing open ports.
