Scanning and Firewalls

Executing a scan or map against a device shielded by a firewall is a common operation. Every day the scanning engine executes thousands of scans and maps in network topologies that protect their servers with firewalls without any issues. Problems can arise when the scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance is sitting in the protected network area and scans a target which is located on the other side of the firewall. Many modern firewalls are configured to track connections, maintain NAT and ARP tables and a scan operation against a large set of targets can overload these tables. The consequences of such overflows are varied and range from slowdown of the firewall functions to a complete crash.

Avoid scanning through a firewall from the inside out. We recommend placing scanner appliances in your network topology in a way that scanning and mapping through a firewall from the inside out is avoided if possible. If not, we recommend you perform your own assessment testing on your network to validate the impact to your firewall. The accuracy of your scan may also be impacted so you should compare expected results against the detailed results provided in your reports. It's possible this can be service impacting as the scan results might differ.