05-20-2014 02:34 PM
I have a highly regulated environment with multiple internal security zones. We need to be able to run our vulnerability scanning solution against servers in separate zones on a routine basis.
It was simple to exempt the scanner's IP from the Threat Prevention stuff (created a new security profile group which alerts on everything instead of blocking, and created a rule in the ACL to match against the scanner IP).
However, the vulnerability scanner is still prevented from completing its job because of zone protection (specifically, port scanning). I would hate to have to disable the zone protection rules or change them to alert EVERY time we wish to run a scan.
Any wonderful ideas?