Threat Prevention - Qualys PCI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Threat Prevention - Qualys PCI

L1 Bithead

Hi all, I have a bit of a dilema here and hoping somebody may have some ideas....

 

  1. We have threat prevention profiles applied to security policies relating to traffic entering our DMZ from the internet.
  2. We have PCI obligations and use Qualys' PCI scanning services.
  3. We are receiving a PCI fail during the scanning process due to the threat prevention profiles doing their job (blocking the attempts)

 

We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfeared with.

 

Unfortunately I can only see three options, neither of which is viable due to the management overhead...

 

  1. Adding IP exclusions against every threat signature, or
  2. Duplicating every security policy - for each of the duplicated policies adding Qualys' IP addresses to the source address list, removing the threat prevention profile and ensuring it's ordered such that it is processed before the rule containing the threat prevention profile.
  3. Disabling the threat prevention profiles on each rule during the scan.

Anybody got any tricks up their sleeves?

 

Luke

10 REPLIES 10

Cyber Elite
Cyber Elite

Those scans are really strange.

If firewall blocks then result is "interference".

If firewall does not block then result is "unneeded open services" (we use 1-to-1 static nat mapping).

 

One option is to push scan in 2 steps.

First without specific rules in place to see what regular internet users see and second scan with top rule that permits anything from Qualys IP's during scan period. Security profile "log only" for this traffic.

 

Also you have to set zone protection profile to log only during scan period. For second scan if you do it in 2 steps.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks Raido, to clarify though they have no issues with ports being closed. Their issue is with the traffic on open ports being interfeared with by the threat prevention profile.

 

I did think about a single policy for all traffic from Qualys and have it operating on a sechedule, however as you say that will show unnecessary ports being opened.

 

Guess I just need to stick to the manual process and hope that PA release some sort of 'whitelisting' capability in a future release.

Hello,

I ran into this as well, here is what I did to work around the issue.

 

I created a policy above all the other polices that sourced from the Qualys IP range to my external IP's and disabled threat profiles.

https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

 

This way the scans can happen, are only from the vendors IP range and are not interfered with. 

 

Hope this helps.

 

Cheers!

 

 

I did think of that Otakar, although I would then have to deal with the old "unnecessary ports open" issue as ports would be open to servers that dont necessarily need it.

 

I'm not sure why it's so hard for PA to provide a whitelisting option like a traditional IPS.

 

Luke

We are trying to find a solution to this as well.    How to whitelist the Qualys Scanner Ip's without opening up additional ports. 

There has to be an easy way to just whitelist different IP ranges, without doing a

 

Source : QUalys,  destination:  Any:   Port : Any,    Action Allow:    Which would in effect open up all the ports which is not what we want to do, just whitelist the Scanner so it doesn't alert for existing open ports.

 

 

L0 Member

Has there been any updates to this problem? Seems to still be an issue in 2022. How do we create a security policy that:
1) bypasses the IPS functions on the PAs
2) maintains the firewall functions without exposing additional internal address space or ports
3) without creating an exception for every IDS rule

L1 Bithead

Hi, we have the same problem, anyone found a solution without rewriting security rules specific for Qualys or other external scanner subnets?

Thanks

Cyber Elite
Cyber Elite

Hello,

I created a policy above all the other polices that sourced from the Qualys IP range to my external IP's and disabled threat profiles.

https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

https://success.qualys.com/support/s/article/000003528

 

Should look something like:

 

Source Address = Qualys IP ranges, destination Address = <Your External IP Ranges>, Allow everything, no filtering, log at session end

 

This way the scans can happen, are only from the vendors IP range and are not interfered with. 

 

Hope this helps.

 

Cheers!

L1 Bithead

Ok thanks but if you have bidirectional natted servers or 1-to-1 static nats, secured by policy rules, you'll expose all the ports of those servers to Qualys.

Cyber Elite
Cyber Elite

Hello,

You are correct. Hence the reason for the whitelisting and blocking all others etc.

Regards,

  • 7598 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!