I have a highly regulated environment with multiple internal security zones. We need to be able to run our vulnerability scanning solution against servers in separate zones on a routine basis.
It was simple to exempt the scanner's IP from the Threat Prevention stuff (created a new security profile group which alerts on everything instead of blocking, and created a rule in the ACL to match against the scanner IP).
However, the vulnerability scanner is still prevented from completing its job because of zone protection (specifically, port scanning). I would hate to have to disable the zone protection rules or change them to alert EVERY time we wish to run a scan.
Any wonderful ideas?
There is a workaround to do this by creating and zone without any zone protection and use the IPs that you would like to be exempted as the loopback interface IP.
The steps required can be found here.
How to Exempt a Specific IP address from Zone Protection
Hope this works for you.
Thanks for you reply.
However it does not quite fit the scenario I am after. This seems like it would only work if you opened up one of your PUBLIC IPs. At that, it appears it would open up that public ip to port scanning from anywhere.
All devices in this scenario are internal. There is no NAT. The vulnerablity appliance is internal and has a static IP. We need to be able to scan devices in other "internal" zones.. and would like to open up port scanning from only the source vulnerability scanner.. and no other IPs.
We experienced a similar challenge and needed to allow our QSVs vulnerability scanners to bypass IDS/IPS and scan unobstructed for vulnerabilities. We achieved this by adding a Security Rule to allow the scanner IPs (no profiles) on TCP.
This eliminated the Scan Interference our QSV scanners were experiencing. This same approach should work internal-to-internal also.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!