I need some help with VLAN trunking. It doesn't seem like it is used much, as a simple search for "vlan trunking" in this community yielded zero results. I have multiple appliances on our internal network configured with static IPs and in VLAN trunking mode. One appliance has been assigned a VLAN configuration to reach our DMZ network, which is protected by a firewall. When I run a VM scan, I get the same results with the scanner configured to scan the DMZ VLAN as I do with a scanner not configured with a VLAN to run a DMZ scan (the DMZ VLAN has not been configured on that appliance). The result is that the firewall is blocking all traffic except ports 80 and 443. I thought the point of putting the scanner in VLAN trunking mode and configuring it to scan a certain VLAN (in my case behind a firewall) is that the appliance would be "seen" as a device on that VLAN network (in my case the DMZ) and not have its traffic filtered if there were a firewall present (in my case there is a firewall)?
I don't like the idea of opening a hole in the firewall to allow any traffic to and from our scanner's IP address. Please advise.
You are correct. When the VLAN feature is enabled, your scanner should act as if it's sitting in the same subnet as the hosts you're scanning.
A couple of things we need to make sure of are:
1. The scanner is on Version 2.1 or higher.
2. The VLAN option has been turned on for your account.
3. Your scanner must be using a static IP (you stated this was done).
If the above are all true, I have a couple of questions:
1. You said the DMZ VLAN was not configured on the appliance. Does this mean it was configured in the QualysGuard Web Portal?
2. You said that all the appliances were configured for VLAN trunking, but are the switch ports they are attached to set to trunking mode?
3. Does the appliance you're scanning with have a trunked path to the VLAN where the hosts are?
I would not suggest opening a hole in the firewall as this should not be necessary.
Something I forgot to mention is that you can look for QID 45006 (Traceroute) in your report. If you see a Traceroute, you're not using the VLAN; if there's no Traceroute, that means you should be set up correctly and local to the segment you're scanning.
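As an added illustration of the QID 45006 check above (this is example code, not from the thread or from Qualys): it walks a constructed, simplified per-host list of findings, and for each host reports whether the scan ran on-segment, crossed a router (Traceroute present), or targeted an address outside the VLAN subnet configured on the appliance. The record shape and the non-45006 QID values are assumptions.

```python
import ipaddress
from collections import defaultdict

TRACEROUTE_QID = 45006  # Qualys "Traceroute" QID, as named in the thread

# Constructed sample findings in a hypothetical simplified form:
# (host_ip, qid, title). QIDs other than 45006 are placeholders.
SAMPLE_FINDINGS = [
    ("10.20.30.5", 45006, "Traceroute"),
    ("10.20.30.5", 99901, "Placeholder finding"),
    ("10.20.30.6", 99901, "Placeholder finding"),
    ("10.20.30.6", 99902, "Placeholder finding"),
    ("192.168.1.9", 45006, "Traceroute"),
]


def classify_hosts(findings, scanner_vlan_cidrs):
    """Return {host_ip: status} for every host in the findings.

    status is one of:
      "local"        no QID 45006 and the host is in a VLAN subnet assigned to
                     the scanner: the scan ran on-segment, as trunking should give
      "routed"       QID 45006 present: packets crossed a router, so the scanner
                     is not acting as a member of that VLAN (trunk path missing,
                     switch port not trunked, or VLAN not assigned)
      "outside-vlan" host is not in any VLAN subnet assigned to the scanner, so
                     an on-segment scan was never possible for it
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in scanner_vlan_cidrs]
    qids_by_host = defaultdict(set)
    for host_ip, qid, _title in findings:
        qids_by_host[host_ip].add(qid)

    statuses = {}
    for host_ip, qids in qids_by_host.items():
        addr = ipaddress.ip_address(host_ip)
        if not any(addr in net for net in nets):
            statuses[host_ip] = "outside-vlan"
        elif TRACEROUTE_QID in qids:
            statuses[host_ip] = "routed"
        else:
            statuses[host_ip] = "local"
    return statuses


def trunk_path_looks_broken(statuses):
    """True if any in-subnet host was reached through a router."""
    return any(s == "routed" for s in statuses.values())


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_FINDINGS, ["10.20.30.0/24"])
    for host, status in sorted(result.items()):
        print(f"{host:15} {status}")
    print("trunk path looks broken:", trunk_path_looks_broken(result))
```

A "routed" host that sits inside the VLAN subnet you assigned is the case the thread describes: the configuration exists in the portal, but there is no trunked path from the appliance to that VLAN.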
Thank you for your responses. It seems the network admin thought there was a path to the DMZ hosts but there was not. It was fixed from a network change standpoint. It is working now. Thanks for your help.