Table of contents

Bypass vulnerability management scan traffic in Workload Security

If you are using a vulnerability management provider such as Qualys or Nessus (for PCI compliance, for example), you need to set up Workload Security to bypass or allow this provider’s scan traffic through untouched:

After these firewall rules have been assigned to the new policy, Workload Security ignores any traffic from the IPs you have added in your IP List.

Workload Security does not scan the vulnerability management provider traffic for stateful issues or vulnerabilities. Instead, it is allowed through untouched.

Create a new IP list from the vulnerability scan provider IP range or addresses

Have handy the IP addresses that the vulnerability scan provider has given you.

  1. In the Workload Security console, go to Policies.
  2. In the left pane, expand Lists > IP Lists.
  3. Click New > New IP List.
  4. Type a Name for the new IP List, for example "Qualys IP list".
  5. Paste the IP addresses that the vulnerability management provider has given you into the IP(s) box, one per line.
  6. Click OK.

Create firewall rules for incoming and outbound scan traffic

After you’ve created the IP list, you need to create two firewall rules: one for incoming and one for outgoing traffic. Name them based on the following guidelines:

<name of provider> Vulnerability Traffic - Incoming

<name of provider> Vulnerability Traffic - Outgoing

  1. In the Workload Security console, click Policies.
  2. In the left pane, expand Rules.
  3. Click Firewall Rules > New > New Firewall Rule.
  4. Create the first rule to bypass Inbound and Outbound for TCP and UDP connections that are incoming to and outgoing from the vulnerability management provider.

    For settings not specified, you can leave them as the default.

    • Name: (suggested) <name of provider> Vulnerability Traffic - Incoming
    • Action: Bypass
    • Protocol: Any
    • Packet Source: IP List and then select the new IP list you created.
    • Create a second rule:
    • Name: <name of provider> Vulnerability Traffic - Outgoing
    • Action: Bypass
    • Protocol: Any
    • Packet Source: IP List and then select the new IP list you created.

Assign new firewall rules to a policy to bypass vulnerability scans

Identify which policies are already used by computers that are scanned by the vulnerability management provider.

Edit the policies individually to assign the rules in the firewall module:

  1. Click Policies on the main menu.
  2. Click Policies in the left pane.
  3. In the right pane, for each policy, double-click to open the policy details.
  4. In the pop-up, in the left pane, click Firewall.
  5. Under Assigned Firewall Rules, click Assign/Unassign.
  6. Ensure your view at the top-left shows All firewall rules.
  7. Use the search window to find the rules you created and select them.
  8. Click OK.