We use the Qualys PCI scanners on our Cloudflare domains to scan for PCI vulnerabilities.
In no-proxy mode the scan completes without issues in under 1h.
However, with Cloudflare proxy mode enabled, the scan takes 4 days, regardless of the bandwidth I select.
I have contacted Cloudflare support, who advised me to implement the following, which I have done:
- Firewall rule with action allow on the network ranges
- Firewall rule with action bypass on all 7 security features
- IP Access rule with allow (I’ve had to break down the network ranges to
The scanner IPs are:
- 18.104.22.168/20 (22.214.171.124-126.96.36.199)
- 188.8.131.52/23 (184.108.40.206-220.127.116.11)
Unfortunately, none of those have even reduced the time it takes for the scanners, and support refuses to troubleshoot further.
Have I missed something, or is it normal that the scans take 4 days?