HackerGuardian Qualys PCI scanners takes 4 days

tom.murphy · September 23, 2022, 2:39pm

Hi,

We use the Qualys PCI scanners on our Cloudflare domains to scan for PCI vulnerabilities.

In no-proxy mode the scan completes without issues in under 1h.

However with Cloudflare proxy mode enabled, the scan takes 4 days - regardless of bandwidth I select.

I have contacted Cloudflare support who advise to implement the following which I have done:

Firewall rule with action allow on the network ranges
Firewall rule with action *bypass on all 7 security features
IP Access rule with allow (I’ve had to break down the network ranges to /24 subnets)

The scanner IPs are:

64.39.96.0/20 (64.39.96.1-64.39.111.254)
139.87.112.0/23 (139.87.112.1-139.87.113.254)

Unfortunately none of those have even reduced the time it takes for the scanners and support refuses to troubleshoot further.

Have I missed something or is it normal that the scans takes 4 days ?

Thanks

cscharff · September 23, 2022, 2:43pm

I have no idea why Qualys support doesn’t want to troubleshoot further with you, but it’s not really something the community here could resolve for a 3rd party tool.

tom.murphy · September 23, 2022, 5:54pm

Sorry I meant Cloudflare support.

I creating this thread to check whether I missed anything else I need to allow/bypass.

cscharff · September 23, 2022, 7:48pm

There’s nothing Cloudflare can do that would make a scanning tool take 4 days to complete to my knowledge

It’s much more likely the tool has built in rate limiting to prevent kicking of Cloudflare security blocks or %other reasons % that are determined by the vendor who built the tool.