Can anyone tell me whether I can scan a firewall using the external QualysGuard scanner?
This would work the same way as a public IP, and Qualys should be able to see the type of device and scan for any publicly accessible vulnerabilities.
From my perspective, it shouldn't work - not because of any deficiency of QualysGuard, but if your firewall is configured correctly (according to my way of doing things), the firewall should simply not respond. External firewall interfaces should not respond to traffic from the internet. Using Qualys to verify that the firewall remains silent is a good thing, and for that purpose, scanning from the external scanners would be useful.
If you do plan on scanning a firewall, there is a setting in the option profile that allows you to lower the scan intensity. This setting was added to avoid filling up firewall state tables. I would recommend scanning with a lower setting (low or minimum) if you do launch a scan against the firewall.
You're right. I just meant if someone wanted to scan a FW, they would do it the same way as another IP device - which is how I read the Q - 'can' I scan one, as opposed to whether it's useful. Although, knowing what I have seen at some customers, I'd rather they did it just to be sure the FW was configured correctly.
PS There is the fact that you could add a specific rule to allow the Qualys external IPs to reach the device, coupled with the reduced intensity mentioned to be able to get a little bit more out of it.