We have Qualys scanning / monitoring a range of IPs that are NATs on our PAN. The appropriate Qualys IP ranges are white-listed. The problem we are encountering is that the PAN is designed to thwart fingering va port scanning. One such countermeasure is that the PAN reports ALL (or many random) ports being open on any particular host being scanned. This behavior, though great for it's intended purpose, leaves me with erroneous information.
Has anyone encountered this? If so, are there any scanning configurations you have found to work with PANs well?