Hi,
We use the Qualys PCI scanners on our Cloudflare domains to scan for PCI vulnerabilities.
In no-proxy mode the scan completes without issues in under 1h.
However, with Cloudflare proxy mode enabled, the scan takes 4 days, regardless of the bandwidth I select.
I have contacted Cloudflare support, who advised me to implement the following, which I have done:
- Firewall rule with action allow on the network ranges
- Firewall rule with action bypass on all 7 security features
- IP Access rule with allow (I’ve had to break down the network ranges to /24 subnets)
The scanner IPs are:
- 64.39.96.0/20 (64.39.96.1-64.39.111.254)
- 139.87.112.0/23 (139.87.112.1-139.87.113.254)
Unfortunately, none of those have even reduced the time it takes for the scanners, and support refuses to troubleshoot further.
Have I missed something, or is it normal that the scans take 4 days?
Thanks
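
Added example, not part of the original post: a Python sketch that expands the two scanner ranges listed above into the /24 networks needed for the IP Access rules, checks them against the host spans quoted in the post, and reports which observed source IPs no rule covers. The function names and the sample source IPs are constructed for illustration.

```python
import ipaddress

# Scanner ranges exactly as listed in the post.
SCANNER_RANGES = ["64.39.96.0/20", "139.87.112.0/23"]


def split_to_24s(cidrs):
    """Return the /24 networks that together cover every given CIDR."""
    rules = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if net.prefixlen > 24:
            raise ValueError(f"{cidr} is smaller than a /24")
        rules.extend(net.subnets(new_prefix=24))
    return rules


def host_span(cidr):
    """First and last usable host of a CIDR, to compare with the quoted spans."""
    net = ipaddress.ip_network(cidr)
    return str(net[1]), str(net[-2])


def uncovered(source_ips, rules):
    """Source IPs (e.g. taken from firewall events) matched by no rule network."""
    return [
        ip for ip in source_ips
        if not any(ipaddress.ip_address(ip) in rule for rule in rules)
    ]


if __name__ == "__main__":
    rules = split_to_24s(SCANNER_RANGES)
    for cidr in SCANNER_RANGES:
        print(cidr, "->", "-".join(host_span(cidr)))
    print(len(rules), "IP Access rules needed:")
    for rule in rules:
        print("  allow", rule)

    # Constructed sample of client IPs, as they might appear in firewall events.
    seen = ["64.39.105.17", "139.87.113.200", "64.39.112.5", "198.51.100.7"]
    print("not covered by any rule:", uncovered(seen, rules))
```

Any address reported as uncovered that still belongs to the scanner would mean a /24 is missing from the allow rules.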