Echoing the last comment, as the mentioned DOC URI is gone. It gets old quick, my vuln scanners throwing up thousands of alerts each week every time they do a scan across (or within) the same/different zones.
There is a feature request # 1910.
Whitelisting with Zone Protection (Reconnaissance). We have a handful of vulnerability scanners on campus used to scan our hosts, and they are getting blocked by the zone protection profile. We are wondering if there is a feature request for providing a whitelist so they do not get blocked by the zone protection profile.
This FR has been open for at least 2 years. If you are interested, contact your sales person and sales engineer to add your company/name to the FR.
The last update that I got was that it is being considered in PAN OS 8.0; no confirmation yet.
How about combining two zone protection profiles? One that is aggressive, for the Untrust zone, and one that is permissive, for the Trust zone, that will allow your "friendly" IPs to scan. Then create a GP gateway for the friendly IPs, push them the route towards Trust / DMZ / whatever you are scanning, and sort them out in their own "scanners" zone. Once they start scanning, only the permissive profile from the Trust zone will be applied to their scans, allowing them to finish the job. They are coming from a separate scanners zone, thus easily circumventing the aggressive blocking profile on the Untrust zone.