How to confirm PCI scan is blocked by firewall from the PCI Reports.
It is recommended by the PCI SSC council that an ASV scan must run without the interference of an IDS/IPS or a firewall.
At the time of the scan, using the QualysGuard service, there is more than one way to determine if the scan is not getting through.
- If using the Qualys VM service, after the scan look for open TCP ports and also the presence of QID 34011.
- If using the PCI service, then look into the open ports section of the scan.
If a FW is dropping connections from our scanner range then you might also see "Host not live" messages.
Also have a look at this thread: QID 42432 - Possible Scan Interference
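As an added illustration (not from the original thread), the checks described above turned into a small script that reviews a constructed, simplified per-host summary for the indicators the answer names: "Host not live", no open TCP ports, and the presence of QID 34011 or QID 42432. The record layout and sample data are assumptions for this example, not Qualys's actual report format.

```python
"""Flag hosts whose ASV scan results look like firewall interference.

Constructed, simplified per-host summary records; the field layout is an
assumption for this example, not Qualys's actual report format.
"""
from dataclasses import dataclass, field

# QIDs the thread names as scan-interference indicators.
SCAN_INTERFERENCE_QIDS = {34011, 42432}


@dataclass
class HostResult:
    ip: str
    status: str                               # e.g. "live" or "host not live"
    open_tcp_ports: list = field(default_factory=list)
    qids: set = field(default_factory=set)    # QIDs reported for the host


def interference_reasons(host: HostResult) -> list:
    """Return the reasons a host's result suggests the scan was blocked."""
    reasons = []
    not_live = host.status.lower() == "host not live"
    if not_live:
        reasons.append("host reported not live (scanner range may be dropped)")
    # A live host with no open TCP ports at all is suspicious for a PCI target.
    if not host.open_tcp_ports and not not_live:
        reasons.append("no open TCP ports found on a live host")
    hits = sorted(host.qids & SCAN_INTERFERENCE_QIDS)
    if hits:
        reasons.append("scan interference QID(s) present: " + ", ".join(map(str, hits)))
    return reasons


def review_scan(results: list) -> dict:
    """Map each IP to its interference reasons; an empty list means it looks clean."""
    return {h.ip: interference_reasons(h) for h in results}


# Constructed sample data (documentation-range addresses, not real hosts).
SAMPLE_RESULTS = [
    HostResult("192.0.2.10", "live", [22, 80, 443]),
    HostResult("192.0.2.11", "live", [], {34011}),
    HostResult("192.0.2.12", "host not live"),
]

if __name__ == "__main__":
    for ip, reasons in review_scan(SAMPLE_RESULTS).items():
        print(ip, "->", reasons or ["no interference indicators"])
```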
Thank you DJ. In the firewall, which ports should we ask to whitelist? Is whitelisting 80 and 443 enough, or do we need to whitelist all ports for the Qualys scanner IP addresses?
PCI SSC says that the scan must run without the interference of a FW, so you need to whitelist the Qualys range of scanners. About ports: you will need all ports to be allowed for Qualys to scan, as PCI ASV scanning needs to happen on all ports and without authentication.
Thank you Deb