Threat Prevention - Qualys PCI

L1 Bithead

Hi all, I have a bit of a dilemma here and am hoping somebody may have some ideas...

 

  1. We have threat prevention profiles applied to security policies relating to traffic entering our DMZ from the internet.
  2. We have PCI obligations and use Qualys' PCI scanning services.
  3. We are receiving a PCI fail during the scanning process due to the threat prevention profiles doing their job (blocking the attempts).

 

We've been told that if we wish for our scans to become compliant we need to whitelist their IP addresses so that their scanners are not interfered with.

 

Unfortunately I can only see three options, none of which is viable due to the management overhead...

 

  1. Adding IP exclusions against every threat signature, or
  2. Duplicating every security policy - for each of the duplicated policies adding Qualys' IP addresses to the source address list, removing the threat prevention profile and ensuring it's ordered such that it is processed before the rule containing the threat prevention profile.
  3. Disabling the threat prevention profiles on each rule during the scan.

Anybody got any tricks up their sleeves?

 

Luke
