Views:
If you are using a vulnerability management provider such as Qualys or Nessus (for PCI compliance, for example), you need to set up Server & Workload Protection to bypass or allow this provider’s scan traffic through untouched.
After these firewall rules have been assigned to the new policy, Server & Workload Protection will ignore ANY traffic from the IPs you have added in your IP List.
Server & Workload Protection will not scan the vulnerability management provider traffic for stateful issues or vulnerabilities - it will be allowed through untouched.

Create a new IP list from the vulnerability scan provider IP range or addresses Parent topic

Have handy the IP addresses that the vulnerability scan provider has given you.

Procedure

  1. In the Server & Workload Protection console, go to Policies.
  2. In the left pane, expand Lists IP Lists.
  3. Click New New IP List.
  4. Type a Name for the new IP List, for example "Qualys IP list".
  5. Paste the IP addresses that the vulnerability management provider has given you into the IP(s) box, one per line.
  6. Click OK.

What to do next

Create firewall rules for incoming and outbound scan traffic Parent topic

After you’ve created the IP list, you need to create two firewall rules: one for incoming and one for outgoing traffic. Name them as suggested, below:
<name of provider> Vulnerability Traffic - Incoming
<name of provider> Vulnerability Traffic - Outgoing

Procedure

  1. In the Server & Workload Protection console, click Policies.
  2. In the left pane, expand Rules.
  3. Click Firewall Rules New New Firewall Rule.
  4. Create the first rule to bypass Inbound AND Outbound for TCP and UDP connections that are incoming to and outgoing from the vulnerability management provider.
    Tip
    Tip
    For settings not specified, you can leave them as the default.
    • Name: (suggested) <name of provider> Vulnerability Traffic - Incoming
    • Action: Bypass
    • Protocol: Any
    • Packet Source: IP List and then select the new IP list created above.
  5. Create a second rule:
    • Name: <name of provider> Vulnerability Traffic - Outgoing
    • Action: Bypass
    • Protocol: Any
    • Packet Source: IP List and then select the new IP list created above.

What to do next

Assign the new firewall rules to a policy to bypass vulnerability scans Parent topic

Identify which policies are already used by computers that will be scanned by the vulnerability management provider.
Edit the policies individually to assign the rules in the firewall module.

Procedure

  1. Click Policies on the main menu.
  2. Click Policies in the left pane.
  3. In the right pane, for each policy, double-click to open the policy details.
  4. In the pop-up, in the left pane, click Firewall.
  5. Under Assigned Firewall Rules, click Assign/Unassign.
  6. Ensure your view at the top-left shows All firewall rules.
  7. Use the search window to find the rules you created and select them.
  8. Click OK.

What to do next