Considerations for accurate vulnerability/compliance scanning through firewall
12158
Created On 06/18/19 00:18 AM - Last Modified 06/02/23 19:31 PM
Symptom
There are some special considerations if you wish to allow vulnerability/compliance scanning through the Palo Alto NGFW.
Configurations you may normally apply to your production traffic might cause issues with these scans such as:
- False positives
- False negatives
- Incomplete/failed scans
Cause
Different features could affect the scan results, such as:
- Zone Protection
  - Flood Protection
    - Depending on how aggressively the scanner is tuned, flood protection might get triggered and affect results
  - Reconnaissance Protection
    - Scanners searching for devices on the network can trigger host sweep protection and affect results
    - Scanners searching for services on those devices can trigger port scan protection and affect results
  - Packet Based Attack Protection
    - May affect OS fingerprinting attempts in some cases
- Service Categories
  - Scanners may do protocol checks on non-standard ports, which may be dropped when the "application-default" service is used.
- Security Profiles (vulnerability, etc.)
  - Though scanners may not actively exploit the vulnerabilities, the scanning behavior could still trigger protection measures on the firewall and affect results
- Decryption
  - Since the certificates used for decryption on the NGFW are different from the ones actually used by the end systems, this could result in either a false positive or a false negative, depending on exactly what the scanner is validating and what the end systems were ultimately configured for.
Additional Information
In order to get accurate reporting, you will want minimal interference from the firewall for the scanner traffic without affecting the ongoing protection of your network:
- Policies > Security > Source > [Restrict to specific scanner zone(s) & IP(s) of the scanner(s)]
- Policies > Security > Destination > [Restrict to specific zone(s) & network(s) being scanned]
- Policies > Security > Service Categories > ANY
- Policies > Security > Actions > Profile Setting > Profile Type > NONE
- Policies > Security > Actions > Other Settings > Schedule > [If your scanner is set on a schedule and you don't intend to do on-demand scanning, you can restrict the policy to the same schedule as the scanner]
- Policies > Decryption > [Ensure decryption is not configured or an exception is configured for the scanner]
- Network > Zones > [zone-name] > Zone protection > NONE
Note regarding policy placement:
- Remember to move the security policy high enough on the policy chain for the scanner traffic only to match the policy intended for it.
Note regarding zone protection:
- If it is not possible to isolate the scanner in its own zone and you wish to keep zone protection enabled for the other systems in the zone, be sure to tune the rates in the zone protection profile to tolerate the rates sent by the scanner. Many scanners can tune their scanning rates, which you can use as a point of reference for the zone protection values.
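The two notes above (rule placement and zone-protection rate tuning) modelled as an added example; this is not code from the article or from Palo Alto Networks. It evaluates a small rulebase top-down with first match winning, which is how the PAN-OS security rulebase behaves, and shows that a scanner rule placed below a broader production rule lets scanner traffic on a standard port pick up that rule's security profiles, while the same rule placed above it does not. It also derives flood and reconnaissance thresholds from a scanner's configured rate. The zone names, addresses, application names, rates and headroom multipliers are constructed sample values, and the "application-default" model (a fixed port per application) is a deliberate simplification of App-ID.

```python
"""Added example; not code from the Palo Alto KB article or Palo Alto Networks.
Models (1) top-down, first-match evaluation of the security rulebase, so a
scanner rule must sit above any broader rule its traffic could also match,
and (2) zone-protection thresholds derived from the scanner's configured rate.
Zone names, addresses, applications and rates are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import ceil
from typing import Optional

# Constructed, simplified stand-in for "application-default": the port on which
# each application is expected. A rule using application-default does not match
# the same application on another port, so a scanner probing services on
# non-standard ports falls through such rules.
STANDARD_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str
    dport: int


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    sources: list                 # CIDR strings; empty list means "any"
    destinations: list            # CIDR strings; empty list means "any"
    service: str                  # "any" or "application-default"
    action: str
    profile_group: Optional[str]  # None corresponds to Profile Type NONE

    @staticmethod
    def _zone_ok(zones, zone):
        return "any" in zones or zone in zones

    @staticmethod
    def _addr_ok(nets, addr):
        return not nets or any(ip_address(addr) in ip_network(n) for n in nets)

    def matches(self, f: Flow) -> bool:
        if not (self._zone_ok(self.from_zones, f.from_zone)
                and self._zone_ok(self.to_zones, f.to_zone)):
            return False
        if not (self._addr_ok(self.sources, f.src)
                and self._addr_ok(self.destinations, f.dst)):
            return False
        if self.service == "application-default":
            return f.dport in STANDARD_PORTS.get(f.app, set())
        return True  # service "any" accepts every port


def first_match(rules, flow):
    """Top-down, first-match evaluation; None stands for the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule
    return None


# Scanner rule built as the article recommends: specific source zone and IP,
# specific destination network, service ANY, no security profiles.
SCANNER_RULE = Rule("scanner-to-dmz", {"scanner"}, {"dmz"},
                    ["10.9.9.10/32"], ["10.20.0.0/24"], "any", "allow", None)
# A broader production rule that scanner traffic could also match.
GENERAL_RULE = Rule("allow-web-to-dmz", {"any"}, {"dmz"},
                    [], ["10.20.0.0/24"], "application-default", "allow",
                    "strict-profiles")

MISORDERED = [GENERAL_RULE, SCANNER_RULE]  # scanner rule placed too low
CORRECT = [SCANNER_RULE, GENERAL_RULE]     # scanner rule placed above


def flood_thresholds(scanner_rate, headroom=1.5):
    """Alarm/activate/maximum rates sized above the scanner's configured peak.
    The multipliers are a constructed starting point, not vendor guidance;
    alarm <= activate <= maximum holds by construction."""
    alarm = ceil(scanner_rate * headroom)
    activate = ceil(alarm * 1.5)
    maximum = ceil(activate * 2)
    return {"alarm": alarm, "activate": activate, "maximum": maximum}


def recon_threshold(probes_per_second, interval_seconds, headroom=1.5):
    """Port-scan / host-sweep protection counts events per interval; return an
    event count that the scanner's probe rate stays below within one interval."""
    return ceil(probes_per_second * interval_seconds * headroom)


if __name__ == "__main__":
    probe_443 = Flow("scanner", "dmz", "10.9.9.10", "10.20.0.5", "ssl", 443)
    probe_8443 = Flow("scanner", "dmz", "10.9.9.10", "10.20.0.5", "ssl", 8443)
    other_host = Flow("trust", "dmz", "10.1.1.5", "10.20.0.5", "ssl", 8443)
    for label, rules in (("misordered", MISORDERED), ("correct", CORRECT)):
        for flow in (probe_443, probe_8443, other_host):
            hit = first_match(rules, flow)
            tail = " (profiles applied)" if hit and hit.profile_group else ""
            print(f"{label:10} {flow.src:>10}:{flow.dport:<5} -> "
                  f"{hit.name if hit else 'implicit deny'}{tail}")
    print(flood_thresholds(1000), recon_threshold(200, 10))
```

Run it and the misordered rulebase sends the scanner's port 443 probe through "allow-web-to-dmz" with its profile group, while the correctly ordered one sends it through "scanner-to-dmz" with no profiles; the port 8443 probe reaches the scanner rule either way because the application-default rule does not match it, and a non-scanner host on 8443 hits the implicit deny in both, which is what restricting the scanner rule's source zone and IP buys you.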