Allow Qualys PCI Merchant IPs through the IPS for PCI compliance scanning

How do you allow a specific range of IP addresses to bypass the IPS scanning on a Firebox?

We have our credit card processing company needing a Qualys PCI Merchant scan to complete successfully. We are given a failing grade since the IPS is blocking their scan.

Need to whitelist the IP addresses listed here - https://pci.qualys.com/static/help/merchant/getting_started/check_scanner_ip_addresses.htm

Comments

  • Do what all the rest of folks do... turn off IPS during the scan ;-) I wish I was kidding.

    I did have that fight with them a year or two ago. It turned into "our security is so good you can't get past our security to test our security then, right?". That was the end of the discussion.

    Or, you simply add the IPs to the IPS white list.

  • james.carson Moderator, WatchGuard Representative

    @JTrout
    In addition to what @TestingTester mentioned, I would also suggest adding their IPs to the blocked sites exceptions so that they don't get outright blocked when they attempt to port scan.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked_sites_create_exceptions_c.html

    -James Carson
    WatchGuard Customer Support

  • I did end up turning off the IPS this afternoon so we could get an accepted scan, but I'll try the whitelisting on the next one.

    I didn't realize I could put the IP addresses right into the exceptions list, the "Signature ID" tag threw me off.

    I'll add them to the blocked site exceptions too.

    Thanks for the help.

  • The key, remove them once you have your scan done. This is VERY easy and takes 10 seconds if you use System Manager and go to an older config (from just before your changes).

  • I'm not sure if you have a choice of vendors, but we use securitymetrics.com for our PCI compliance scans and they work without any adjustments.
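The two pieces of advice above, scoping IPS and blocked-site exceptions to the scanner's published ranges only, and removing them as soon as the scan is done, are easy to get wrong by hand. The following is an added example, not code from the thread or from WatchGuard or Qualys: a small Python helper that keeps a time-boxed record of each exception, checks that no entry is broader than a published scanner range, and lists which entries are overdue for removal. The scanner ranges and scan times are constructed placeholders (documentation prefixes), not Qualys's real addresses; on a real Firebox the entries themselves are still added and removed in the exception lists James links to.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample ranges standing in for the vendor's published scanner list
# (RFC 5737 documentation prefixes, not Qualys's real addresses).
SCANNER_RANGES = ["203.0.113.0/27", "198.51.100.16/28"]


def parse_ranges(ranges):
    """Parse CIDR strings (or single addresses) into network objects."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_scanner_source(ip, ranges):
    """True if ip falls inside one of the published scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in parse_ranges(ranges))


def build_exceptions(ranges, scan_start, window_hours):
    """Create one time-boxed exception record per scanner range.

    Each record carries an explicit expiry so the entries get removed when
    the scan window closes instead of living in the config indefinitely.
    """
    expires = scan_start + timedelta(hours=window_hours)
    return [
        {"network": str(net), "reason": "PCI ASV scan", "expires": expires}
        for net in parse_ranges(ranges)
    ]


def overly_broad(exceptions, ranges):
    """Return exception networks not contained in any published scanner range.

    Catches entries such as 0.0.0.0/0 or a whole /16 that would switch IPS
    off for far more than the scanner.
    """
    allowed = parse_ranges(ranges)
    bad = []
    for exc in exceptions:
        net = ipaddress.ip_network(exc["network"], strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            bad.append(exc["network"])
    return bad


def expired_exceptions(exceptions, now):
    """Return networks whose scan window has closed and should be removed."""
    return [e["network"] for e in exceptions if e["expires"] <= now]


def demo():
    """Run the checks on a constructed scan window; returns the three results."""
    start = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)  # constructed
    excs = build_exceptions(SCANNER_RANGES, start, window_hours=6)
    # A deliberately wrong entry, to show the breadth check catching it.
    excs.append({"network": "0.0.0.0/0", "reason": "typo", "expires": start})
    broad = overly_broad(excs, SCANNER_RANGES)
    stale_early = expired_exceptions(excs, start + timedelta(hours=1))
    stale_late = expired_exceptions(excs, start + timedelta(hours=8))
    return broad, stale_early, stale_late


if __name__ == "__main__":
    broad, early, late = demo()
    print("too broad:", broad)
    print("remove after 1h:", early)
    print("remove after 8h:", late)
```

Run it before the scan to confirm the entries match the published ranges exactly, and again after the window to get the list of entries to take back out (or, as suggested above, roll back to the saved config from before the change).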
