Bypass vulnerability management scan traffic in Deep Security

If you are using a vulnerability management provider such as Qualys or Nessus (for PCI compliance, for example), you need to set up Deep Security to bypass or allow this provider’s scan traffic through untouched.

Once the firewall rules described below have been assigned to the policy, the Deep Security Manager will ignore ANY traffic from the IPs you have added to your IP list.

Deep Security will not scan the vulnerability management provider traffic for stateful issues or vulnerabilities - it will be allowed through untouched.

Create a new IP list from the vulnerability scan provider IP range or addresses

Have handy the IP addresses that the vulnerability scan provider has given you.

  1. In the Deep Security Manager, go to Policies.
  2. In the left pane, expand Lists > IP Lists.
  3. Click New > New IP List.
  4. Type a Name for the new IP List, for example "Qualys IP list".
  5. Paste the IP addresses that the vulnerability management provider has given you into the IP(s) box, one per line.
  6. Click OK.
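Because every address in this list will later be allowed through untouched by a Bypass rule, it is worth checking the pasted entries before clicking OK. The following Python check is an added example, not part of this Deep Security documentation: it assumes the entry formats Deep Security accepts are a single address, a CIDR block or a "start-end" range, that lines beginning with # are comments, and the sample list is constructed.

```python
import ipaddress

# Constructed sample of what might be pasted into the "IP(s)" box, one entry per line.
SAMPLE_IP_LIST = """\
198.51.100.10
198.51.100.0/28
203.0.113.5-203.0.113.9
# old scanner appliance, decommissioned: 10.0.0.0/8
10.0.0.0/8
not-an-address
"""

# Policy choice for this example: flag any single entry spanning more than a /24,
# since a Bypass rule exempts every one of those addresses from inspection.
MAX_ENTRY_HOSTS = 256


def parse_entry(entry):
    """Return the ipaddress networks covering one entry (single IP, CIDR, or start-end range).

    Raises ValueError for anything that is not a valid entry (assumed entry formats)."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(entry)
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


def audit_ip_list(text, max_hosts=MAX_ENTRY_HOSTS):
    """Validate an IP list destined for a Bypass rule.

    Returns (networks, findings): the parsed networks, and a list of
    (line number, entry, reason) tuples for invalid or overly broad entries."""
    networks, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # blank or comment line (assumption)
            continue
        try:
            nets = parse_entry(entry)
        except ValueError:
            findings.append((lineno, entry, "invalid"))
            continue
        hosts = sum(n.num_addresses for n in nets)
        if hosts > max_hosts:
            findings.append((lineno, entry, f"too broad ({hosts} addresses)"))
        networks.extend(nets)
    return networks, findings
```

Run `audit_ip_list(SAMPLE_IP_LIST)` on the sample: the /8 is reported as too broad and the malformed line as invalid, so both can be corrected before the list is created.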

Create firewall rules for incoming and outbound scan traffic

After you’ve created the IP list, you need to create two firewall rules: one for incoming and one for outgoing traffic.

Name them as suggested below:
<name of provider> Vulnerability Traffic - Incoming

<name of provider> Vulnerability Traffic - Outgoing

  1. In the main menu, click Policies.
  2. In the left pane, expand Rules.
  3. Click Firewall Rules > New > New Firewall Rule.
  4. Create the first rule to bypass TCP and UDP connections that are incoming to and outgoing from the vulnerability management provider.

    Tip: For settings not specified, you can leave them as the default.

    Name: (suggested) <name of provider> Vulnerability Traffic - Incoming

    Action: Bypass

    Protocol: Any

    Packet Source: IP List and then select the new IP list created above.
  5. Create a second rule:

    Name: <name of provider> Vulnerability Traffic - Outgoing

    Action: Bypass

    Protocol: Any

    Packet Destination: IP List and then select the new IP list created above.

For firewall rules to work for a computer, the firewall Configuration must be set to "On" or "Inherited (On)" (Computers > Firewall > General). For firewall rules to work through a policy, the Firewall State must be set to "On" (Policies > Firewall > General).

Assign the new firewall rules to a policy to bypass vulnerability scans

Identify which policies are already used by computers that will be scanned by the vulnerability management provider.

Edit the policies individually to assign the rules in the firewall module.

  1. Click Policies on the main menu.
  2. Click Policies in the left pane.
  3. In the right pane, for each policy, double-click to open the policy details.
  4. In the pop-up, in the left pane, click Firewall.
  5. Under Assigned Firewall Rules, click Assign/Unassign.
  6. Ensure your view at the top-left shows All firewall rules in the .
  7. Use the search window to find the rules you created and select them.
  8. Click OK.