07-26-2016 01:15 AM - edited 07-26-2016 01:17 AM
Hi all, I have a bit of a dilemma here and am hoping somebody may have some ideas...
We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfered with.
Unfortunately I can only see three options, none of which is viable due to the management overhead...
Anybody got any tricks up their sleeves?
Luke
07-26-2016 07:59 AM - edited 07-26-2016 08:00 AM
Those scans are really strange.
If firewall blocks then result is "interference".
If firewall does not block then result is "unneeded open services" (we use 1-to-1 static nat mapping).
One option is to push scan in 2 steps.
First without specific rules in place to see what regular internet users see and second scan with top rule that permits anything from Qualys IP's during scan period. Security profile "log only" for this traffic.
Also you have to set the zone protection profile to log only during the scan period, for the second scan if you do it in 2 steps.
07-26-2016 06:29 PM
Thanks Raido, to clarify though, they have no issues with ports being closed. Their issue is with the traffic on open ports being interfered with by the threat prevention profile.
I did think about a single policy for all traffic from Qualys and having it operate on a schedule, however as you say that will show unnecessary ports being opened.
Guess I just need to stick to the manual process and hope that PA release some sort of 'whitelisting' capability in a future release.
07-27-2016 04:05 PM
Hello,
I ran into this as well, here is what I did to work around the issue.
I created a policy above all the other policies that sourced from the Qualys IP range to my external IPs and disabled threat profiles.
https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm
This way the scans can happen, are only from the vendor's IP range and are not interfered with.
Hope this helps.
Cheers!
07-29-2016 05:49 AM - edited 07-29-2016 09:19 PM
I did think of that Otakar, although I would then have to deal with the old "unnecessary ports open" issue, as ports would be open to servers that don't necessarily need it.
I'm not sure why it's so hard for PA to provide a whitelisting option like a traditional IPS.
Luke
09-06-2019 09:11 AM
We are trying to find a solution to this as well. How to whitelist the Qualys scanner IPs without opening up additional ports.
There has to be an easy way to just whitelist different IP ranges, without doing a
Source: Qualys, Destination: Any, Port: Any, Action: Allow, which would in effect open up all the ports, which is not what we want to do; just whitelist the scanner so it doesn't alert for existing open ports.
03-29-2022 12:07 PM
Has there been any updates to this problem? Seems to still be an issue in 2022. How do we create a security policy that:
1) bypasses the IPS functions on the PAs
2) maintains the firewall functions without exposing additional internal address space or ports
3) does not require creating an exception for every IDS rule
07-11-2024 07:53 AM
Hi, we have the same problem, anyone found a solution without rewriting security rules specific for Qualys or other external scanner subnets?
Thanks
07-11-2024 08:03 AM
Hello,
I created a policy above all the other policies that sourced from the Qualys IP range to my external IPs and disabled threat profiles.
https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm
https://success.qualys.com/support/s/article/000003528
Should look something like:
Source Address = Qualys IP ranges, destination Address = <Your External IP Ranges>, Allow everything, no filtering, log at session end
This way the scans can happen, are only from the vendor's IP range and are not interfered with.
Hope this helps.
Cheers!
08-05-2024 05:45 AM - edited 08-05-2024 05:50 AM
Ok, thanks, but if you have bidirectionally NATed servers or 1-to-1 static NATs, secured by policy rules, you'll expose all the ports of those servers to Qualys.
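The trade-off raised across the thread (a blanket "scanner to external, any port, no threat profile" rule on top versus cloning each existing rule with the scanner as source) can be checked with a small first-match policy model. This is an added example, not code from the thread or from Palo Alto; the scanner range, external range and rule base are constructed placeholders, and the model only covers source/destination/port matching with a per-rule threat-profile flag.

```python
"""Model first-match security policy evaluation to compare two ways of
exempting a vulnerability scanner from the threat prevention profile.
Constructed example: addresses and rules are placeholders, not real ranges."""
from ipaddress import ip_address, ip_network

SCANNER_NET = "198.51.100.0/24"          # placeholder for the vendor's scanner range
EXTERNAL_NET = "203.0.113.0/24"          # placeholder for our external address range
WEB_SERVER = ip_address("203.0.113.10")  # 1-to-1 static NAT to an internal host

def rule(src, dst, ports, threat_profile):
    """One security rule: source net, destination net, allowed ports
    (None = any port) and whether a threat prevention profile is applied."""
    return {"src": ip_network(src), "dst": ip_network(dst),
            "ports": None if ports is None else set(ports),
            "profile": threat_profile}

# Regular rule base: only the public web service is reachable, with IPS on.
# Anything not matched falls through to the implicit deny.
BASE_RULES = [rule("0.0.0.0/0", "203.0.113.10/32", [80, 443], True)]

# Approach A: blanket exemption at the top of the rule base.
BLANKET = [rule(SCANNER_NET, EXTERNAL_NET, None, False)] + BASE_RULES

# Approach B: clone every existing rule with the scanner as source and no profile.
CLONED = [rule(SCANNER_NET, str(r["dst"]), r["ports"], False)
          for r in BASE_RULES] + BASE_RULES

def match(rules, src, dst, port):
    """Return the first matching rule (first-match semantics) or None for deny."""
    for r in rules:
        if (src in r["src"] and dst in r["dst"]
                and (r["ports"] is None or port in r["ports"])):
            return r
    return None

def exposed_ports(rules, src, dst, candidate_ports=range(1, 1025)):
    """Ports on dst that src is permitted to reach under the rule base."""
    return {p for p in candidate_ports if match(rules, src, dst, p) is not None}

def extra_exposure(rules):
    """Ports the scanner can reach on WEB_SERVER that a regular internet
    source cannot; non-empty means the exemption widened the attack surface."""
    scanner = exposed_ports(rules, ip_address("198.51.100.5"), WEB_SERVER)
    public = exposed_ports(rules, ip_address("192.0.2.7"), WEB_SERVER)
    return sorted(scanner - public)

if __name__ == "__main__":
    print("blanket rule opens", len(extra_exposure(BLANKET)), "extra ports")
    print("cloned rules open", len(extra_exposure(CLONED)), "extra ports")
```

Both approaches take the scanner out of the threat profile on the ports that are really open; only the cloned form keeps its reachable port set identical to what a regular internet source sees, at the cost of maintaining one clone per existing rule.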
08-08-2024 07:59 AM
Hello,
You are correct. Hence the reason for the whitelisting and blocking all others etc.
Regards,