HackerGuardian Qualys PCI scanners takes 4 days


We use the Qualys PCI scanners on our Cloudflare domains to scan for PCI vulnerabilities.

In no-proxy mode the scan completes without issues in under 1h.

However with Cloudflare proxy mode enabled, the scan takes 4 days - regardless of bandwidth I select.

I have contacted Cloudflare support who advise to implement the following which I have done:

  • Firewall rule with action allow on the network ranges
  • Firewall rule with action *bypass on all 7 security features
  • IP Access rule with allow (I’ve had to break down the network ranges to /24 subnets)

The scanner IPs are:

  • (
  • (

Unfortunately none of those have even reduced the time it takes for the scanners and support refuses to troubleshoot further.

Have I missed something or is it normal that the scans takes 4 days ?


I have no idea why Qualys support doesn’t want to troubleshoot further with you, but it’s not really something the community here could resolve for a 3rd party tool.

Sorry I meant Cloudflare support.

I creating this thread to check whether I missed anything else I need to allow/bypass.

There’s nothing Cloudflare can do that would make a scanning tool take 4 days to complete to my knowledge

It’s much more likely the tool has built in rate limiting to prevent kicking of Cloudflare security blocks or %other reasons % that are determined by the vendor who built the tool.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.