Customers that utilize a Content Delivery Network (CDN) based Web Application Firewall (WAF) may experience a degradation of Web Application Scanning accuracy when Qualys IP ranges are not white-listed.
Web application firewalls such as Cloudfare, Akamai, GigaSecure, Incapsula, etc can inadvertently impact a vulnerability assessment of a web application by altering responses or blocking scanners completely. While this may be useful against an adversary, it has the potential to tamper with the results of a Qualys WAS module assessment of your application and provide inaccurate results.
Some WAFs create signatures that can be detected by the Qualys WAS module. This will be reported under the Information Gathered section of the scan report with QID 150097:
QID 150097: The scanner received an HTTP response from the target web site that contains a message indicating the scan has been blocked. This often occurs due to an intermediate security device such as a web application firewall (WAF), intrusion detection system (IDS), or intrusion prevention system (IPS). If the scanner's IP or traffic has been blocked, then the results of the scan will be empty or incomplete because the web site could not be successfully crawled and tested.
For example, Cloudfare (a CDN-based WAF) will respond with the generic error code 520 when it experiences a large frequency of HTTP requests attempting to reach a web application. Because all web application scanners utilize a large number of HTTP requests to assess vulnerabilities, Cloudfare may detect a unexpected response from a server and respond with the 520 error to the web application scanning module. This can potentially trigger a false positive Blind SQL Injection vulnerability (QID 150012) because the scanner sees a difference in the response for its true/false payloads. In other instances, a 403 response, indicating a source IP has been blocked, may be encountered. If the Qualys WAS module is the source of the blocked IP, it will no longer be able to perform its assessment of the target web application.
Unfortunately not all WAFs can be identified by HTTP responses, and QID 150097 may not be present even when a WAF is in use. In these instances, scans may still report false positives, false negatives, or be blocked completely.
The good news is that in either event, the WAF is working as it should be to protect web applications against potential adversaries. The bad news is that the WAF only hides potential vulnerabilities from the Qualys WAS module - it does not remediate them and does not guarantee an adversary will not find a way to circumnavigate the WAF to exploit any potential vulnerability.
The only way to ensure you are getting accurate scan results is to white-list the Qualys IP range in your CDN-based WAF.
For the most up-to-date Qualys IP range, log into Qualys and navigate to Help > About. In the pop up window, there is a section titled Qualys External Scanners. Under this section there is a list of IP4 and IP6 IPs for the Security Operations Center (SOC). Add these ranges to your WAF instance and the Qualys WAS module will be able to scan your target web applications without interference.