If you are using a vulnerability management provider such as Qualys or Nessus (for
PCI compliance, for example), you need to set up Workload Security to bypass or allow
this provider’s scan traffic through untouched:
- Create a new IP list from the vulnerability scan provider IP range or addresses
- Create firewall rules for incoming and outbound scan traffic
- Assign the new firewall rules to a policy to bypass vulnerability scans
After these firewall rules have been assigned to the new policy, Workload Security
ignores any traffic from the IPs you have added in your IP List.
Workload Security does not scan the vulnerability management provider traffic for
stateful issues or vulnerabilities. Instead, it is allowed through untouched.
Create a new IP list from the vulnerability scan provider IP range or addresses
Have the IP addresses or ranges that the vulnerability scan provider has given
you ready before you start.
Procedure
- In the Workload Security console, go to Policies.
- In the left pane, expand .
- Click .
- Type a Name for the new IP List, for example "Qualys IP list".
- Paste the IP addresses that the vulnerability management provider has given you into the IP(s) field, one per line.
- Click OK.
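Because a Bypass rule exempts every address in this list from stateful inspection, it is worth checking the provider's addresses before pasting them into the IP(s) field. The script below is an added example, not part of the Workload Security documentation or product: it validates "one per line" input, rejects malformed lines and ranges wider than an assumed limit (/24 for IPv4, /48 for IPv6), and collapses duplicates and hosts already covered by a listed range. The sample addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Widest range this check will accept. A bypass rule exempts every matching address
# from stateful inspection, so the list should be no wider than the ranges the
# provider actually publishes. These limits are this example's assumption, not a
# Workload Security restriction.
MAX_V4_PREFIX = 24
MAX_V6_PREFIX = 48

# Constructed sample of what a provider might hand you (documentation ranges only).
SCANNER_RANGES = """\
203.0.113.0/24
203.0.113.77
198.51.100.7
198.51.100.7
10.0.0.0/8
2001:db8:abcd::/48
not-an-address
"""

class ListCheck(NamedTuple):
    entries: List[str]               # normalized lines ready for the IP(s) field
    rejected: List[Tuple[str, str]]  # (original line, reason) that must not be pasted

def check_scanner_ip_list(text: str) -> ListCheck:
    """Validate 'one per line' IP List content before it backs a Bypass rule."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IP address or CIDR range"))
            continue
        limit = MAX_V4_PREFIX if net.version == 4 else MAX_V6_PREFIX
        if net.prefixlen < limit:
            rejected.append((line, f"wider than /{limit}: {net.num_addresses} addresses would bypass inspection"))
            continue
        (v4 if net.version == 4 else v6).append(net)
    # Drop exact duplicates and hosts already covered by a listed range (per IP version).
    entries = [str(n.network_address) if n.num_addresses == 1 else str(n)
               for group in (v4, v6) for n in ipaddress.collapse_addresses(group)]
    return ListCheck(entries, rejected)

if __name__ == "__main__":
    result = check_scanner_ip_list(SCANNER_RANGES)
    print("paste into IP(s):", *result.entries, sep="\n  ")
    for line, reason in result.rejected:
        print(f"rejected {line!r}: {reason}")
```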
Create firewall rules for incoming and outbound scan traffic
After creating the IP list, create two firewall rules: one for incoming and one
for outgoing traffic. Name them based on the following guidelines:
<name of provider> Vulnerability Traffic - Incoming
<name of provider> Vulnerability Traffic - Outgoing
Procedure
- In the Workload Security console, click Policies.
- In the left pane, expand Rules.
- Click .
- Create the first rule to bypass Inbound and Outbound for TCP and UDP
connections that are incoming to and outgoing from the vulnerability
management provider. For settings not specified, you can leave them as the default.
  - Name (suggested): <name of provider> Vulnerability Traffic - Incoming
  - Action: Bypass
  - Protocol: Any
  - Packet Source: IP List, and then select the new IP list you created.
- Create a second rule:
  - Name (suggested): <name of provider> Vulnerability Traffic - Outgoing
  - Action: Bypass
  - Protocol: Any
  - Packet Source: IP List, and then select the new IP list you created.
Assign new firewall rules to a policy to bypass vulnerability scans
Identify which policies are already used by computers that are scanned by the
vulnerability management provider.
Edit the policies individually to assign the rules in the firewall module:
Procedure
- Click Policies on the main menu.
- Click Policies in the left pane.
- In the right pane, for each policy, double-click to open the policy details.
- In the pop-up, in the left pane, click Firewall.
- Under Assigned Firewall Rules, click Assign/Unassign.
- Ensure your view at the top-left shows All firewall rules.
- Use the search window to find the rules you created and select them.
- Click OK.