Sample WatchGuard Option Profile — Additional Options
January 28, 2014There are additional options that affect how the service performs host discovery for maps and scans and how the service interacts with your Firewall, IPS / IDS configurations. These options appear on the Additional tab when you create or edit an option profile.
The initial settings are best practice in most cases. These settings should only be customized under special circumstances. For example, changing the Host Discovery setting may result in live hosts going undetected, and thus not being scanned for vulnerabilities.
To customize additional options, create a new option profile or edit an existing profile. Then apply the customized profile to on-demand or scheduled map and scan tasks.
Option | Description |
Host Discovery | Specify which probes are sent and which ports are scanned during host discovery. This option affects both map and scan tasks. The service pings every target host using ICMP, TCP, and UDP probes and then analyzes the packets sent in response to determine which hosts are “alive”.Note that by changing the default settings, the service may not detect all live hosts, and hosts that go undetected cannot be scanned for vulnerabilities. These settings should only be customized under special circumstances. For example, to add ports that are not included in the Standard port list, remove probes that will trigger your firewall/IDS, or only discover live hosts that respond to an ICMP ping.Initial Settings: TCP & UDP – Standard Scan, ICMP – Enabled |
Blocked Resources | Specify ports that are blocked and IP addresses that are protected by your firewall/IDS. This option only affects scan tasks. If the scanning process triggers your IDS, then it will likely be firewalled and we won’t be able to continue our search for vulnerabilities on your network. Therefore, we need to know which IPs you have protected and which ports are blocked. This will help us prevent triggering your IDS.Optionally, if you don’t want a host to be scanned at all, then add the host’s IP address to the excluded hosts list. No scanning traffic, including ICMP, TCP and UDP probes, will be sent to excluded hosts. Configure the list of excluded hosts on the Excluded Hosts Setup page (Setup—>Excluded Hosts).Another method for allowing our scanning engine to probe your network without triggering your firewall/IDS is to add our scanner IP addresses to your firewall/IDS configuration. This list of friendly IPs is commonly known as a white list or exception list. For example, if you are using WatchGuard, add our scanner IP addresses to the “Blocked Sites Exception” list. This list is configured in the System Configuration for the WatchGuard Firebox Vclass series, and in the Policy Manager for the WatchGuard Firebox System series. Refer to your firewall/IDS documentation for specific details on how to configure an exceptions list. You can view a current list of IP addresses for the service’s external scanners on the About page (Help—>About).Note that the “WatchGuard default blocked ports” option is only applicable to the WatchGuard Firebox System series. Setting this option is not necessary if you added our scanner IP addresses to the WatchGuard exception list.Initial Setting: Disabled |
Ignore RST packets | Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP Reset packets using the host’s IP address.When enabled, all TCP Reset packets are ignored for scan tasks and TCP Reset packets generated by one or more filtering devices are ignored for map tasks. In other words, hosts will not be detected as being “alive” if the only responses from them are TCP Reset packets that seem to have originated from a filtering device. Initial Setting: Disabled |
Ignore firewall-generated SYN-ACK packets | Some filtering devices, such as firewalls, may cause a host to appear “alive” when it isn’t by sending TCP SYN-ACK packets using the host’s IP address.When enabled, the service attempts to determine if TCP SYN-ACK packets are generated by a filtering device and ignores all SYN-ACK packets that appear to originate from such devices.Initial Setting: Disabled |
Do not send ACK or SYN-ACK packets during host discovery | Some firewalls are configured to log an event when out of state TCP packets are received. Out of state TCP packets are not SYN packets and do not belong to an existing TCP session. If your firewall is configured in this manner and you do not want such events logged, then you can enable this option to suppress the service from sending out of state ACK and SYN-ACK packets during host discovery for map and scan tasks. If you enable this option and you also enable the “Perform 3-way handshake” option on the Scan tab, then the “Perform 3-way handshake” option takes precedence and this option is ignored.Initial Setting: Disabled |