
Whitelist PCI ASV Scan

I am looking for recommendations on whitelisting a Tenable PCI ASV scan.


I am also a little confused. I set up web server protection via a WAF rule, and this is all working now; however, when I run the new scan I now get:

HIGH - PCI DSS Compliance : Scan Interference
Description
Interference from either the network or the host did not allow the scan to fulfill the PCI DSS scan validation requirements. This report is insufficient to certify this server. There may be a firewall, IDS or other software blocking Nessus from scanning.
Solution
- Adjust Nessus scan settings to improve performance.
- Whitelist the Nessus scanner for any IDS or Firewall which may be blocking the scan.


Isn't the point of the protection to help with security? If I whitelist the scanner the security will not be used, so yyeeeahhhh..............

(Honestly I think they want you to resolve any issues on the webserver and use the protection but it still seems silly)



  • I am not quite a fan of those Scanners. They are not showing "the real picture". 

    Can you get more information about this alert? 

    Maybe some other technique in XG is blocking this scan (DOS protection for example). 

    Maybe your client blocks something? Are you running any endpoint protection software on it? Those scanners perform "DDOS" attacks / port scanning. So maybe your endpoint or your network system (switch etc.) blocks something. 

  • It is pretty basic, (not a fan of the scanners today either lol)  

    For the most part it is a webserver located in the DMZ, I did create a WAF rule for it using best practices to better protect the server.  From what I can tell it is all working, I have tried a few pen tests manually and the protection is there.


    What is bothering me is I think this may have to do with how the IPS is responding on the XG. Is there a way to confirm if it is set to drop vs deny or reject? Or am I misunderstanding that aspect?

    All in all, any suggestions or thoughts are appreciated.

    So I spoke with Tenable; essentially they became more accredited or gained more certification about 3 weeks ago. So now when you run an ASV scan you will see a few more things than you did before; basically they are raising the bar, which is a good thing. As for scanning, PCI requires that you whitelist scanning vendors, which from what I can tell Tenable was unable to notice the difference until recently, hence the flags. It also looks like they have added compensating controls/out of scope items where you can justify them after the scan is completed per vulnerability. For example we have FTP for non-PCI reasons; the scan flags this and I simply have to acknowledge that this is not used for PCI data. The scan can also flag vulnerabilities that the XG would block if the scanner was not whitelisted; in this case you would write a compensating control pointing out the XG would handle said vulnerability. 


    However, I am not sure how one would whitelist this to basically allow the scanners to scan our external IPs.


    Would I make a rule like-

    Source: WAN

    Devices: Tenable IP List

    Services: ANY

    Destination: WAN

    Devices : ANY

    Services: ANY


    ???????


    I am a little confused since the IPs I need to scan are on the WAN and the source is also coming from the WAN.

  • It would seem like this should be a Business application rule because the request is coming from the Internet and pointing towards a hosted server in the DMZ. In thinking through this because we disabled the reflexive rules for this policy, the response from the server to the scan would be sent from the DMZ zone out to the WAN zone and therefore a user network rule would then establish if the scan result was allowed based on the source networks and devices created as exceptions in the rule. Essentially we are whitelisting those networks as approved to the exclusion of all others. 

    At least this is how I think through the process, but perhaps someone can correct my logic so I never make that mistake again.... There just doesn't seem to be a go-to resource for these types of questions, but I am certain there is someone out there in the community who could tell us how to configure an exclusion for an ASV scan on the XG FW. In case anyone asks, SFOS 17.5.5 MR-5...

  • I think instead of adding the whitelisted IPs to a new rule you may need to add them to the exception list within the original WAF rule for the server in question. I may be wrong about this, but it would make sense in terms of rule placement.
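The scoping question raised in the last few replies (the exemption should match only the scanner's source ranges and only the scanned server, not "ANY" on the destination side) can be sanity-checked before the rule is built. This is an added Python example, not Sophos or Tenable code; the scanner ranges and the DMZ host address are constructed placeholders, and the rule is modelled as a plain Python object rather than an XG firewall rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: not real Tenable scanner ranges, not a real server.
SCANNER_RANGES = ["203.0.113.0/24", "198.51.100.16/28"]
SCANNED_HOST = "192.0.2.10"


@dataclass
class BypassRule:
    """Minimal model of a 'let the ASV scanner through WAF/IPS' rule."""
    src_networks: list   # CIDR strings the scanner connects from ("ANY" is a finding)
    dst_hosts: list      # hosts the exemption applies to ("ANY" is a finding)
    services: str = "ANY"


def _in_networks(ip: ipaddress._BaseAddress, networks: list) -> bool:
    """True if ip falls inside any listed network; "ANY" matches everything."""
    for net in networks:
        if net == "ANY" or ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


def review_rule(rule: BypassRule) -> list:
    """Return the scope problems found in the rule (empty list = acceptable)."""
    problems = []
    if not rule.src_networks or "ANY" in rule.src_networks:
        problems.append("source must be the scanner IP list, not ANY")
    for net in rule.src_networks:
        if net != "ANY" and ipaddress.ip_network(net, strict=False).prefixlen < 16:
            problems.append(f"source {net} is broader than a /16")
    if "ANY" in rule.dst_hosts:
        problems.append("destination should be the scanned server(s), not ANY")
    return problems


def should_bypass(rule: BypassRule, src_ip: str, dst_ip: str) -> bool:
    """Decide whether one connection falls inside the scanner exemption."""
    src_ok = _in_networks(ipaddress.ip_address(src_ip), rule.src_networks)
    dst_ok = "ANY" in rule.dst_hosts or dst_ip in rule.dst_hosts
    return src_ok and dst_ok


# The draft from the thread (destination ANY) next to a host-scoped version.
draft = BypassRule(src_networks=SCANNER_RANGES, dst_hosts=["ANY"])
scoped = BypassRule(src_networks=SCANNER_RANGES, dst_hosts=[SCANNED_HOST])
```

Running `review_rule(draft)` reports the over-broad destination, while `review_rule(scoped)` is clean and `should_bypass(scoped, ...)` only returns True for a scanner source address hitting the scanned host.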
