We need to scan hosts that are protected by a firewall. The scanner sits on a trusted segment with full access to the hosts through the firewall. We are concerned about the amount of traffic that this will produce. Does Qualys have any recommendations?
Executing a scan or map against a device shielded by a firewall is a common operation. Every day the scanning engine executes thousands of scans and maps in network topologies whose servers are protected by firewalls, without any issues. Problems can arise when the scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance sits in the protected network area and scans a target located on the other side of the firewall. Many modern firewalls are configured to track connections and maintain NAT and ARP tables, and a scan operation against a large set of targets can overload these tables. The consequences of such overflows vary, ranging from a slowdown of firewall functions to a complete crash.
We recommend placing scanner appliances in your network topology so that scanning and mapping through a firewall from the inside out is avoided where possible. If it cannot be avoided, we recommend that you perform your own assessment testing on your network to validate the impact on your firewall. The accuracy of your scan may also be affected, so you should compare expected results against the detailed results provided in your reports. It is possible this will be service impacting, as the scan results might differ. Modifying the performance settings in the option profile will also help customize the traffic traveling through the firewall. Please contact Qualys technical support for further assistance on this issue.
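As an added example (not Qualys code), the following script supports the assessment testing recommended above: it parses state-table occupancy readings taken on the firewall during a scan, flags the samples where the table ran hot, and uses a simple rate-times-lifetime model to bound the probe rate a scan may sustain before the option profile's parallelism needs to be reduced. The reading format, the sample values and the 120 s entry lifetime are assumptions constructed for this example.

```python
import re

# Constructed sample of state-table readings taken on the firewall while a
# scan ran. The line format is this example's own; on a Linux firewall the two
# values come from /proc/sys/net/netfilter/nf_conntrack_count and
# /proc/sys/net/netfilter/nf_conntrack_max.
SAMPLE_READINGS = """\
2024-03-01T09:00:00 nf_conntrack_count=1800 nf_conntrack_max=65536
2024-03-01T09:00:30 nf_conntrack_count=24100 nf_conntrack_max=65536
2024-03-01T09:01:00 nf_conntrack_count=58900 nf_conntrack_max=65536
2024-03-01T09:01:30 nf_conntrack_count=61200 nf_conntrack_max=65536
2024-03-01T09:02:00 nf_conntrack_count=9800 nf_conntrack_max=65536
"""

_LINE = re.compile(r"^(\S+) nf_conntrack_count=(\d+) nf_conntrack_max=(\d+)$")


def parse_readings(text):
    """Return (timestamp, count, max) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def over_threshold(readings, threshold=0.8):
    """Timestamps at which table occupancy exceeded the given fraction."""
    return [ts for ts, count, mx in readings if count / mx > threshold]


def estimate_entries(probe_rate_per_sec, entry_lifetime_sec):
    """Steady-state entries a scan holds open in a stateful firewall.

    Each probe creates a tracking entry that lives until the firewall times
    it out, so occupancy is roughly probe rate x entry lifetime (Little's law).
    """
    return int(probe_rate_per_sec * entry_lifetime_sec)


def max_probe_rate(table_max, headroom_fraction, entry_lifetime_sec):
    """Largest sustained probe rate that keeps the scan within the share of the
    table (headroom_fraction) reserved for it, leaving the rest for production
    traffic. Use it as an upper bound when tuning option profile parallelism."""
    return int(table_max * headroom_fraction / entry_lifetime_sec)


if __name__ == "__main__":
    readings = parse_readings(SAMPLE_READINGS)
    print("over 80% at:", over_threshold(readings))
    # Assumed 120 s lifetime for half-open (SYN_SENT) entries.
    print("entries at 500 probes/s:", estimate_entries(500, 120))
    print("max probe rate for 50% headroom:", max_probe_rate(65536, 0.5, 120))
```

Replace the constructed readings with samples collected from your own firewall (and the lifetime with its configured timeout) to see how close a scan with the current option profile settings comes to filling the table.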
Qualys Support KnowledgeBase