whitelist IP address for PCI Scan

zonkerpro Posts: 10
First Anniversary First Comment

Not sure if they are asking for a 1:1 nat to the server or something else. Can someone clarigy what needs to happen on a USG firewall to "whitelist":

In order to run the scan, we need you to grant access to the IP addresses listed below.

If you use security software such as a firewall in your organization, you may need to white-list the below addresses in order for the scan to run successfully. Otherwise, you may block access to the scan, meaning it will fail. This will result in you being unable to successfully report your compliance.

If you are unsure how to do this, consult the help section of your firewall or contact your internet service provider for assistance.

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer

    First of all, you will need to unlearn the general meaning of "Whitelist" in a Zyxel/USG environment. In most Zyxel (USG) devices, "whitelist" refers to a list of e-mail addresses from which traffic is allowed.

    In this IP address access scenario, your main focus will be Security Policy Rules.

    Look up Security Policy in your Zyxel User Guide/Reference Manual and plan on how to create rules to allow traffic from the IP address subnets mentioned ( &

    To deduce what kind of traffic to expect, since you are asked to allow a whole subnet range for 2 networks, not only a single address for each, it looks like the service scan in question is going to use dynamic addresses instead of static ones within the subnets, hence the full subnet description.

    As a start, you will minimum need 2 security policies, one for each subnet. I have looked up the subnets using a geolocation service and found that belongs to (AS27385) QUALYS, Inc. (qualys.com) and that belongs to (AS6142) SUN-JAVA / Oracle Corporation (oracle.com).

    The source will be WAN, source address will be for rule 1, for rule 2. You want to name the rules something relevant for easy identification (e.g. Qualys_scan / Oracle_scan).

    Now, when it comes to destination, it depends on what the service scan expects and requires access to in your network. Initially, I would think that "Zywall" would be enough as a destination and that address & ports will be "any" for the scan to make a successful evaluation. Should there be any need at all for that service to access your LAN, they would have to document that need somehow.

    So to sum up the situation; you need to focus on the keywords Security, Access, Policy, and Rules. Most of the configuration should be documented with examples in your User Guide or Reference Manual.

  • zonkerpro
    zonkerpro Posts: 10
    First Anniversary First Comment

    Yes, I was getting hung up on "white list". Thanks for sending me straight that makes a lot more sense

Security Highlight