07-26-2016 01:15 AM - edited 07-26-2016 01:17 AM
Hi all, I have a bit of a dilema here and hoping somebody may have some ideas....
We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfeared with.
Unfortunately I can only see three options, neither of which is viable due to the management overhead...
Anybody got any tricks up their sleeves?
07-26-2016 07:59 AM - edited 07-26-2016 08:00 AM
Those scans are really strange.
If firewall blocks then result is "interference".
If firewall does not block then result is "unneeded open services" (we use 1-to-1 static nat mapping).
One option is to push scan in 2 steps.
First without specific rules in place to see what regular internet users see and second scan with top rule that permits anything from Qualys IP's during scan period. Security profile "log only" for this traffic.
Also you have to set zone protection profile to log only during scan period. For second scan if you do it in 2 steps.
07-26-2016 06:29 PM
Thanks Raido, to clarify though they have no issues with ports being closed. Their issue is with the traffic on open ports being interfeared with by the threat prevention profile.
I did think about a single policy for all traffic from Qualys and have it operating on a sechedule, however as you say that will show unnecessary ports being opened.
Guess I just need to stick to the manual process and hope that PA release some sort of 'whitelisting' capability in a future release.
07-27-2016 04:05 PM
I ran into this as well, here is what I did to work around the issue.
I created a policy above all the other polices that sourced from the Qualys IP range to my external IP's and disabled threat profiles.
This way the scans can happen, are only from the vendors IP range and are not interfered with.
Hope this helps.
07-29-2016 05:49 AM - edited 07-29-2016 09:19 PM
I did think of that Otakar, although I would then have to deal with the old "unnecessary ports open" issue as ports would be open to servers that dont necessarily need it.
I'm not sure why it's so hard for PA to provide a whitelisting option like a traditional IPS.
09-06-2019 09:11 AM
We are trying to find a solution to this as well. How to whitelist the Qualys Scanner Ip's without opening up additional ports.
There has to be an easy way to just whitelist different IP ranges, without doing a
Source : QUalys, destination: Any: Port : Any, Action Allow: Which would in effect open up all the ports which is not what we want to do, just whitelist the Scanner so it doesn't alert for existing open ports.
03-29-2022 12:07 PM
Has there been any updates to this problem? Seems to still be an issue in 2022. How do we create a security policy that:
1) bypasses the IPS functions on the PAs
2) maintains the firewall functions without exposing additional internal address space or ports
3) without creating an exception for every IDS rule
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!