Firewall setting to reduce the FW interference for pen-test on a resource behind the FW

40217
Created On 03/19/20 18:49 PM - Last Modified 02/09/23 18:56 PM


Objective


  • PEN testing on the resource behind the Firewall

    • For compliance purposes or other tests, some organizations run PEN testing to identify vulnerabilities in resources (such as servers, PCs, and endpoints) behind the Firewall. The scanners frequently used for such tests are Qualys, Rapid 7, and Nessus.
    • First, Firewall security administrators can be alarmed by the overwhelming number of threat logs created by scanner attempts.
    • Second, the pen test will not be successful if the Firewall blocks all evasion and attack traffic before it reaches the server.
  • WildFire uploads phishing links and malware files.

    • If the WildFire profile is enabled, any web link (including phishing links) is uploaded to WildFire. WildFire then analyzes the link by visiting the website, which can be counted as a PEN-test success by mistake and spoil the results.


Environment


  • Vulnerability scanners such as Qualys, Rapid 7, Nessus or others.
  • Any kind of pen-test
  • Web servers, application servers or other resources behind the Firewall.
  • PAN-OS 8.0.x and higher


Procedure



This document covers the configuration steps to carefully allow a vulnerability scan of the resources behind the Firewall, for a limited time and only from a few scanner source IPs. This policy should be enabled only for the limited time needed for testing, to reduce the threat surface by not exposing standard services.

  • Identify:

    • Identify the security policies that such traffic can hit.
    • Identify the source IP and the time window of the PEN testing.
  • Plan of action:

    • Create a policy and enable it only while PEN testing is happening.
    • The pen-tester IP and the test time are known; use this information to create a security policy.
      • Create a new policy for such traffic with the source IP set to the pen-tester IP, the destination IP set to the application server (resource IP), and no security profiles.
      • Be careful to enable this policy only for the limited time when testing is done; otherwise, keep it disabled.
  • Policy example:

    • Create a new Security Policy allowing the Scanner/tester IP access from/to your LAN as follows:
      • Name: Give it a helpful name, such as "allow-for-scanner".
      • Source Zone tab: the zone the scanner belongs to.
      • Source address tab: the PEN-Tester's or Scanner's IP address.
      • Destination tab: the Destination Zone.
      • Service/URL Category tab: ANY, and Action tab: allow.
      • Destination IP: the IP address of the resource.
      • Actions tab -> Profile Setting -> Profile Type: None (screenshot in the original: "Example of policy").
      • Schedule time: enable for a few hours, or enable just before running the test (screenshot in the original: "Time Schedule").
      • Place the new Security Policy (in this example, allow-for-scanner) above all security policies that can hit the traffic. Ensure that when the scanner sends the traffic, this is the first policy that matches.
  • Reconnaissance Protection exception:

    • Whitelist the scanner's IP from reconnaissance protection if and only if reconnaissance protection is enabled in the ingress zone and the scanner is also running the reconnaissance test.
      • This setting is done at Network > Zone Protection > Zone Protection Profile > Reconnaissance Protection > Source Address Exclusion > Add
    • The list supports a maximum of 20 IP addresses or Netmask address objects.
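The following Python is an added example, not configuration from the article or code from Palo Alto Networks. It models the "allow-for-scanner" rule as a plain dict, checks it against the requirements listed above (source and destination restricted, Profile Type None, a schedule or the rule disabled, and first match for the scanner traffic in a top-down rulebase), checks the 20-entry limit of the Reconnaissance Protection exclusion list, and renders PAN-OS-style `set` commands. The zone names `untrust` and `dmz`, the sample IPs, the schedule name `pentest-window`, and the exact `set`/`move` keyword names are assumptions; verify the CLI keywords against your own firewall's configuration tree before committing anything.

```python
import ipaddress

# Constructed sample values (not from the article); substitute your own.
SCANNER_IP = "203.0.113.10"   # pen-tester / scanner source (TEST-NET-3)
RESOURCE_IP = "10.1.1.20"     # application server behind the firewall
MAX_RECON_EXCLUSIONS = 20     # Source Address Exclusion limit stated in the article


def rule(name, from_zone, to_zone, source, destination, action="allow",
         profile_type=None, schedule=None, disabled=False):
    """One security rule as a plain dict. 'any' means unrestricted;
    profile_type None corresponds to Profile Setting -> Profile Type: None."""
    return dict(name=name, from_zone=from_zone, to_zone=to_zone, source=source,
                destination=destination, action=action, profile_type=profile_type,
                schedule=schedule, disabled=disabled)


def _ip_in(ip, spec):
    """spec is 'any', a host IP, or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(r, from_zone, src_ip, to_zone, dst_ip):
    return (not r["disabled"]
            and r["from_zone"] in ("any", from_zone)
            and r["to_zone"] in ("any", to_zone)
            and _ip_in(src_ip, r["source"])
            and _ip_in(dst_ip, r["destination"]))


def first_match(rulebase, from_zone, src_ip, to_zone, dst_ip):
    """Top-down, first-match evaluation, as the firewall's security policy does."""
    for r in rulebase:
        if matches(r, from_zone, src_ip, to_zone, dst_ip):
            return r["name"]
    return None


def lint_scanner_rule(r, rulebase, from_zone, to_zone):
    """Check the scanner rule against the article's requirements.
    Returns a list of findings; an empty list means the rule is acceptable."""
    findings = []
    if r["source"] == "any":
        findings.append("source must be the scanner IP, not any")
    if r["destination"] == "any":
        findings.append("destination must be the resource IP, not any")
    if r["profile_type"] is not None:
        findings.append("Profile Type must be None so no security profile interferes")
    if r["schedule"] is None and not r["disabled"]:
        findings.append("rule is enabled with no schedule; schedule it or keep it disabled")
    # Order check: treat the scanner rule as enabled and ask which rule matches first.
    probe = [dict(x, disabled=False) if x["name"] == r["name"] else x for x in rulebase]
    if r["source"] != "any" and r["destination"] != "any":
        src = str(ipaddress.ip_network(r["source"], strict=False)[0])
        dst = str(ipaddress.ip_network(r["destination"], strict=False)[0])
        if first_match(probe, from_zone, src, to_zone, dst) != r["name"]:
            findings.append("another rule matches scanner traffic first; move this rule above it")
    return findings


def recon_exclusions_ok(addresses):
    """Reconnaissance Protection -> Source Address Exclusion holds at most 20 entries."""
    return 0 < len(addresses) <= MAX_RECON_EXCLUSIONS


def set_commands(r):
    """PAN-OS-style `set` commands for the rule. The keyword names are assumptions
    drawn from the CLI configuration tree, not from the article; verify them on
    your own firewall before committing."""
    p = f"set rulebase security rules {r['name']}"
    cmds = [f"{p} from {r['from_zone']}", f"{p} to {r['to_zone']}",
            f"{p} source {r['source']}", f"{p} destination {r['destination']}",
            f"{p} application any", f"{p} service any", f"{p} action {r['action']}",
            f"{p} disabled {'yes' if r['disabled'] else 'no'}"]
    if r["schedule"]:
        cmds.append(f"{p} schedule {r['schedule']}")
    # Moving to the top guarantees it is the first policy the scanner traffic hits.
    cmds.append(f"move rulebase security rules {r['name']} top")
    return cmds


# Constructed rulebases. In BAD_RULEBASE a broad deny sits above the scanner rule.
SCANNER_RULE = rule("allow-for-scanner", "untrust", "dmz", SCANNER_IP, RESOURCE_IP,
                    schedule="pentest-window")
BAD_RULEBASE = [
    rule("block-inbound", "untrust", "dmz", "any", "any", action="deny"),
    SCANNER_RULE,
    rule("allow-web", "untrust", "dmz", "any", RESOURCE_IP, profile_type="default-group"),
]
GOOD_RULEBASE = [SCANNER_RULE, BAD_RULEBASE[2], BAD_RULEBASE[0]]

if __name__ == "__main__":
    print("findings (bad order):", lint_scanner_rule(SCANNER_RULE, BAD_RULEBASE, "untrust", "dmz"))
    print("findings (fixed):    ", lint_scanner_rule(SCANNER_RULE, GOOD_RULEBASE, "untrust", "dmz"))
    print("\n".join(set_commands(SCANNER_RULE)))
```

The first-match check is the part worth keeping around: it reproduces the "this must be the first policy that matches" requirement against a copy of the rulebase, so the order can be verified before the test window opens rather than discovered from a flood of threat logs once the scan starts.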


Additional Information





https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPAiCAO&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail