whitelist IP address for PCI Scan

zonkerpro Posts: 10

Not sure if they are asking for a 1:1 NAT to the server or something else. Can someone clarify what needs to happen on a USG firewall to "whitelist":


In order to run the scan, we need you to grant access to the IP addresses listed below.

If you use security software such as a firewall in your organization, you may need to white-list the below addresses in order for the scan to run successfully. Otherwise, you may block access to the scan, meaning it will fail. This will result in you being unable to successfully report your compliance.

If you are unsure how to do this, consult the help section of your firewall or contact your internet service provider for assistance.

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member

    First of all, you will need to unlearn the general meaning of "Whitelist" in a Zyxel/USG environment. In most Zyxel (USG) devices, "whitelist" refers to a list of e-mail addresses from which traffic is allowed.

    In this IP address access scenario, your main focus will be Security Policy Rules.

    Look up Security Policy in your Zyxel User Guide/Reference Manual and plan on how to create rules to allow traffic from the IP address subnets mentioned (64.39.96.0/20 & 139.87.112.0/0).

    To deduce what kind of traffic to expect, since you are asked to allow a whole subnet range for 2 networks, not only a single address for each, it looks like the service scan in question is going to use dynamic addresses instead of static ones within the subnets, hence the full subnet description.

    As a start, you will need a minimum of 2 security policies, one for each subnet. I have looked up the subnets using a geolocation service and found that 64.39.96.0 belongs to (AS27385) QUALYS, Inc. (qualys.com) and that 139.87.112.0 belongs to (AS6142) SUN-JAVA / Oracle Corporation (oracle.com).

    The source will be WAN, source address will be 64.39.96.0/20 for rule 1, 139.87.112.0/0 for rule 2. You want to name the rules something relevant for easy identification (e.g. Qualys_scan / Oracle_scan).

    Now, when it comes to destination, it depends on what the service scan expects and requires access to in your network. Initially, I would think that "Zywall" would be enough as a destination and that address & ports will be "any" for the scan to make a successful evaluation. Should there be any need at all for that service to access your LAN, they would have to document that need somehow.

    So to sum up the situation; you need to focus on the keywords Security, Access, Policy, and Rules. Most of the configuration should be documented with examples in your User Guide or Reference Manual.
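
The rule design described in the reply above, modelled as an added example that is not code from the forum, from Zyxel, or from the scanning vendor. The rule field names (name, from, src, to, action) are hypothetical and only approximate a USG security policy; the two prefixes are the ones quoted in the reply; evaluation is first-match with an implicit default deny, which is how such firewalls commonly behave. The audit function also flags a /0 prefix, because a /0 matches every source address and turns a scanner allowlist into an allow-all rule, so it is worth checking any rule before committing it.

```python
import ipaddress

# Scanner source ranges exactly as quoted in the reply above (constructed input,
# copied from the thread and not verified here).
SCANNER_PREFIXES = ["64.39.96.0/20", "139.87.112.0/0"]


def make_rule(name, from_zone, src_prefix, to_zone="ZyWALL", action="allow"):
    """Minimal model of a USG-style security policy rule (hypothetical field names)."""
    return {
        "name": name,
        "from": from_zone,
        "src": ipaddress.ip_network(src_prefix, strict=False),
        "to": to_zone,
        "action": action,
    }


def build_scanner_rules(prefixes, from_zone="WAN", to_zone="ZyWALL"):
    """One allow rule per scanner prefix, WAN -> firewall itself, as the reply suggests."""
    return [
        make_rule(f"scan_allow_{i + 1}", from_zone, p, to_zone)
        for i, p in enumerate(prefixes)
    ]


def audit_rules(rules, max_hosts=65536):
    """Return findings for rules broader than a scanner allowlist should need.

    A /0 source is called out separately because it is an allow-all rule in disguise.
    """
    findings = []
    for r in rules:
        if r["src"].prefixlen == 0:
            findings.append(f"{r['name']}: /0 matches every source address (allow-all)")
        elif r["src"].num_addresses > max_hosts:
            findings.append(
                f"{r['name']}: {r['src']} covers {r['src'].num_addresses} addresses"
            )
    return findings


def decide(rules, src_ip, from_zone, to_zone):
    """First-match evaluation; anything that matches no rule is denied by default."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["from"] == from_zone and r["to"] == to_zone and ip in r["src"]:
            return r["action"], r["name"]
    return "deny", "default"


if __name__ == "__main__":
    rules = build_scanner_rules(SCANNER_PREFIXES)
    for f in audit_rules(rules):
        print("AUDIT:", f)
    # Constructed sample connections: one from inside the Qualys range, one unrelated.
    for src, zone, dst in [("64.39.100.7", "WAN", "ZyWALL"),
                           ("203.0.113.9", "WAN", "ZyWALL"),
                           ("64.39.100.7", "WAN", "LAN")]:
        print(src, zone, "->", dst, decide(rules, src, zone, dst))
```

Run it as-is and the audit reports the second rule as allow-all, and the unrelated 203.0.113.9 address is accepted by that rule; with the first prefix alone, only addresses inside 64.39.96.0/20 reach the firewall, and the same scanner address is still denied towards LAN because no rule grants it, which matches the reply's point that LAN access would need its own documented justification.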

  • zonkerpro
    zonkerpro Posts: 10

    Yes, I was getting hung up on "white list". Thanks for setting me straight; that makes a lot more sense.
