How to whitelist a range of IPs for incoming connections?

Hello guys,
The POS provider has required a vulnerability test. He requires us to whitelist an IP range for the incoming connections.
How may I do it on the T-15 WatchGuard firewall?

Comments

  • Add the IP addresses to the Blocked Sites Exceptions list.
    Remember to remove them once the PEN test is done.

    Of course, I always ask why it is a requirement to remove a security feature to do a PEN test.

  • Thank you Bruce,

    This is a very good question: why do I have to whitelist them for the PEN test?

  • One reason is that the Firewall, if it is configured like mine, will block the IP address after the first failed attempt at a breach. This means that a test intrusion that might have been successful will fail simply because the Firewall blocked the IP address and not because the Firewall prevented that particular breach method.

    Adrian from Australia

  • edited November 2020

    @xxup said:
    One reason is that the Firewall, if it is configured like mine, will block the IP address after the first failed attempt at a breach. This means that a test intrusion that might have been successful will fail simply because the Firewall blocked the IP address and not because the Firewall prevented that particular breach method.

    "...will block the IP address after the first failed attempt at a breach. This means that a test intrusion that might have been successful...." Hmm, if the attempted breach failed on the first try, why do you say that it might have succeeded afterwards?

    Unblocking something to allow a PEN test to succeed is the equivalent of being asked to leave the doors and windows of one's home unlocked while someone attempts to break in, then having them tell you that your home is insecure after the test. I have asked PEN test companies, "If YOU cannot get through my firewall to do your test, what makes you think that a hacker can do it?" They never have been able to answer that question.

    Gregg Hill

  • By way of example. Say that the first PEN test was to do a DDOS attack. The Firebox will block the source IP address of the attacker. The next PEN test might be for port 8080, which might have been left accidentally open on the Firebox. The PEN test for 8080 will pass, but only because the Firebox is already blocking the source IP address. If the attacker (or PEN tester) had tried port 8080 first, they would have been successful in their attempt to break into the system. Make sense now?

    The PEN tester does not ask for all IP addresses to be whitelisted, only the ones that they will use for the tests. They come off the list after testing is finished.

    Adrian from Australia
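A small check that follows from the masking effect described in the post above, added here as an example and not code from the thread or from WatchGuard: given the Firebox's auto-block events and the tester's probe log (both constructed here in a simplified format, not the real Firebox log format), it flags "filtered" results that arrived after the source was already auto-blocked, since those say nothing about whether the port was really closed.

```python
from datetime import datetime

# Constructed sample data (hypothetical, simplified format):
# auto-block events as (source IP, time the Firebox blocked it)
BLOCK_EVENTS = [
    ("203.0.113.10", "2020-11-05T10:00:05"),
]
# tester probes as (source IP, destination port, time, observed result)
PROBES = [
    ("203.0.113.10", 22,   "2020-11-05T10:00:00", "filtered"),  # before block
    ("203.0.113.10", 8080, "2020-11-05T10:00:30", "filtered"),  # after block
    ("203.0.113.11", 8080, "2020-11-05T10:00:45", "filtered"),  # never blocked
]


def masked_probes(probes, block_events):
    """Return (source, port) pairs whose 'filtered' result may only reflect
    the source already being auto-blocked, not the port being closed."""
    blocked_at = {ip: datetime.fromisoformat(ts) for ip, ts in block_events}
    masked = []
    for src, port, ts, result in probes:
        if src not in blocked_at or result != "filtered":
            continue
        if datetime.fromisoformat(ts) >= blocked_at[src]:
            masked.append((src, port))
    return masked


def sources_to_exempt(probes):
    """Tester source IPs that would need a Blocked Sites exception so
    later probes are judged on their own merits."""
    return sorted({src for src, _, _, _ in probes})


if __name__ == "__main__":
    for src, port in masked_probes(PROBES, BLOCK_EVENTS):
        print(f"result for {src} -> port {port} is masked by auto-block; retest")
    print("exempt during the test window:", sources_to_exempt(PROBES))
```

Probes flagged this way should be re-run with the tester's IPs on the exceptions list, and the exceptions removed once the test is finished, as the thread says.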

  • edited November 2020

    Any PEN tester who initiates a DDOS should be fired immediately

  • It was a fictional example. o:)

    Adrian from Australia

  • I hope so.

    Let's use a fast port scan as an example, instead.
