We have requested that the Qualys IP range be whitelisted in the firewall on the client end, but the client is asking which ports it should be whitelisted for.
Is it required to open all the standard TCP/UDP ports?
Tushar, this will depend on the type of scan that you intend to launch.
Head over to Scans > Option Profiles > New Option Profile > Scan.
You'll see the different types of scans such as Standard and Light Scan. The required port numbers are listed.
Hi, when you are going to perform a scan from the outside in, it will probably be an authenticated one. So you will go in with an AD account on the standard ports. More information can be found here:
Active Directory and Active Directory Domain Services Port Requirements
First you need to know if you're doing an internal scan or an external scan.
If you're scanning internally then you could set the firewall to allow the IP of the scanners to hit all ports. I would pay particular attention to the logging the firewall is doing on internal appliances, as the logging of scanners can quickly overwhelm most firewalls and/or cause other issues that I will not go into.
You could install the Qualys Agent to do the devices; then you don't scan them at all.
If you're doing a scan from an external perspective then you might want the scan to do all ports while the firewall does not have a special rule. This would give you, to some degree, the ability to audit the firewall. If the scanner (External) is scanning TCP/UDP 65535 and the firewall team says we have blocked all but X, Y and Z ports, then this should be backed up by the scan.
So it really depends on the use case and the issue you're trying to solve. If you're looking to do an external scan of a client then the appropriate range for the Qualys External Scanners is 220.127.116.11/20.
Let me know if I can help, David
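The firewall audit suggested in the reply above (an external scan with no special rule, checked against the ports the firewall team says are open) can be automated as a comparison. This is an added example, not part of the thread and not Qualys code; the policy string, the generic CSV layout and the documentation-range addresses are constructed assumptions.

```python
import csv
import io

# Constructed sample: ports the firewall team says are permitted (the
# "X, Y and Z" of the post). Ranges are inclusive.
DECLARED_POLICY = "tcp/443, tcp/8080-8081, udp/53"

# Constructed sample of external scan findings; this generic CSV layout is an
# assumption, not a Qualys report format.
SCAN_FINDINGS = """host,proto,port
203.0.113.10,tcp,443
203.0.113.10,tcp,3389
203.0.113.11,udp,53
203.0.113.11,tcp,8081
203.0.113.11,udp,161
"""

def parse_policy(text):
    """Turn 'tcp/443, tcp/8080-8081' into a set of (proto, port) pairs."""
    allowed = set()
    for entry in filter(None, (e.strip() for e in text.split(","))):
        proto, _, ports = entry.lower().partition("/")
        low, _, high = ports.partition("-")
        low, high = int(low), int(high or low)
        if proto not in ("tcp", "udp") or not 1 <= low <= high <= 65535:
            raise ValueError(f"bad policy entry: {entry!r}")
        allowed.update((proto, p) for p in range(low, high + 1))
    return allowed

def audit(policy_text, findings_csv):
    """Compare what the scan saw open with what the policy says is open."""
    allowed = parse_policy(policy_text)
    seen = set()
    unexpected = []          # open on a host but not in the declared policy
    for row in csv.DictReader(io.StringIO(findings_csv)):
        key = (row["proto"].lower(), int(row["port"]))
        seen.add(key)
        if key not in allowed:
            unexpected.append((row["host"], *key))
    never_seen = sorted(allowed - seen)   # permitted, but nothing answered
    return sorted(unexpected), never_seen

if __name__ == "__main__":
    unexpected, never_seen = audit(DECLARED_POLICY, SCAN_FINDINGS)
    for host, proto, port in unexpected:
        print(f"NOT IN POLICY  {host} {proto}/{port}")
    for proto, port in never_seen:
        print(f"ALLOWED, NOT OBSERVED OPEN  {proto}/{port}")
```

Ports reported as "not in policy" are the ones to take back to the firewall team; ports allowed but never observed open are candidates for removing from the rule set.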