Curious what other PAN companies are doing for this? What are the best practices around whitelisting your own internal and external vuln mgmt scanners? When we asked PAN support, they recommended adding a new security policy at the top, but that's not scalable because it needs to be updated each time we allow a new service or security rule inbound. Looking for advice from others here.
You can set up a dynamic rule which, each time the rulebase is committed (I think it will recommit automagically every 5 min if such a rule exists), can fetch a text file from one of your web servers and use that as the allowed src IP (depending on how your dynamic rule is set up). The downside of this is obviously if some attacker can manipulate this text file on your web server (and suddenly you have allowed the attacker's IP to bypass your firewall).
Another method might be to connect this to User-ID and let your vuln scanners log in to your AD first to identify themselves.
Other than that, I think you should avoid too much automation, especially when it comes to bypassing your firewalls, because I guess there is a reason why you have a firewall at all.
Personally I would create a static entry of which hosts are considered to be network scanners. Perhaps give them their own IP range which you can then move in your network (that is, a VLAN).
Mikand, excellent advice. I wanted to clarify that our ask is not to whitelist our network vuln scanner from getting THROUGH our PAN firewalls, but rather to stop PAN from alerting on threats from our vuln mgmt IP address. It would be great if we could globally say "don't alert on threats from this IP" as it's a known vuln scanner. i.e., QRadar has this capability for this exact reason.
To clarify another way, the scanner is internal and we want a way to whitelist it from threats and traffic without having to create additional security policies at the top. This essentially would give it carte blanche access or require us to double every policy to skip this IP. Once again, QRadar has the feature to ignore threats or traffic from vuln scanners. (FYI)
Have you considered how this relates to the objectives for your vulnerability scanning?
The way I see it you may wish to scan for the following purposes:
If (1), then you put a rule at the top allowing the IP address with no threat protection profiles.
If (2), then you do nothing special regarding firewall configuration; you'll need to filter the logs.
On option (2), how would we filter the logs on the Palo without doubling any security policy the scanner would hit?
Apart from using a filter in the log viewer like (addr.src notin <vuln scanner ip>), I don't think there is a way to achieve this for the dashboards and reports. It would be a useful feature.
You could also consider shipping your logs off to a syslog server where you can use other filtering and reporting tools.
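As an added example of the log-side approach in this reply (not code from the thread or from Palo Alto Networks): a small Python filter for PAN-OS THREAT syslog lines that sets aside events whose source is the scanner and whose subtype is one a scanner is expected to raise, while keeping a summary of what it set aside so the suppression stays auditable. The scanner range, the CSV field positions and the sample lines are assumptions constructed for the example; check the field order against your PAN-OS version.

```python
import csv
import ipaddress
from io import StringIO
# Hypothetical scanner range (assumption; replace with your scanner hosts or VLAN).
SCANNER_NETS = [ipaddress.ip_network("10.20.30.0/29")]
# Threat subtypes a scanner is expected to raise; anything else from its IP is kept.
SUPPRESS_SUBTYPES = {"vulnerability", "scan"}
# CSV field positions of a PAN-OS THREAT log (assumed; verify for your PAN-OS version).
TYPE_IDX, SUBTYPE_IDX, SRC_IDX, DST_IDX, THREAT_IDX, SEVERITY_IDX = 3, 4, 7, 8, 31, 33

def make_line(subtype, src, dst, threat, severity):
    """Build a constructed syslog line with a 40-field CSV body (sample data only)."""
    fields = [""] * 40
    fields[0], fields[TYPE_IDX], fields[SUBTYPE_IDX] = "1", "THREAT", subtype
    fields[SRC_IDX], fields[DST_IDX] = src, dst
    fields[THREAT_IDX], fields[SEVERITY_IDX] = threat, severity
    return "<14>Jan 10 12:00:00 pa-fw-01 " + ",".join(fields)

def parse_threat_line(line):
    """Return the CSV fields of a THREAT log line, or None if it is not one."""
    first_comma = line.find(",")
    if first_comma < 0:
        return None
    body = line[line.rfind(" ", 0, first_comma) + 1:]   # CSV body follows the hostname
    fields = next(csv.reader(StringIO(body)), [])
    return fields if len(fields) > SEVERITY_IDX and fields[TYPE_IDX] == "THREAT" else None

def is_scanner(ip):
    """True when ip lies inside a scanner range; malformed addresses never match."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in SCANNER_NETS)
    except ValueError:
        return False

def triage(lines):
    """Split lines into (kept, suppressed). Suppressed events keep a short summary
    for audit, because filtering on source alone also hides real attacks from that IP."""
    kept, suppressed = [], []
    for line in lines:
        f = parse_threat_line(line)
        if f and is_scanner(f[SRC_IDX]) and f[SUBTYPE_IDX] in SUPPRESS_SUBTYPES:
            suppressed.append((f[SRC_IDX], f[DST_IDX], f[THREAT_IDX], f[SEVERITY_IDX]))
        else:
            kept.append(line)
    return kept, suppressed

SAMPLE_LINES = [  # constructed sample events, not real firewall output
    make_line("vulnerability", "10.20.30.5", "192.168.1.10", "SQL Injection Attempt(1)", "high"),
    make_line("vulnerability", "203.0.113.7", "192.168.1.10", "SQL Injection Attempt(1)", "high"),
    make_line("virus", "10.20.30.5", "192.168.1.11", "Eicar Test File(2)", "medium"),
    "<14>Jan 10 12:00:01 pa-fw-01 1,2024/01/10 12:00:01,0019,TRAFFIC,end,2560",
]
```

Running `triage(SAMPLE_LINES)` keeps the external attacker's event, the scanner's virus event and the TRAFFIC line, and sets aside only the scanner's vulnerability hit.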