Problem with Alive-Tests through a Firewall

Hello Community,
I’ve got a problem, and I’ve already done some research on it. Thing is, if I try to scan a subnet with the default Alive Test (or any other given one other than 'Consider Alive'), the test will be canceled right away (without an error code) and the following report will show nothing. I guess it’s because the scan fills up the session table of my firewall, which leads to no response from any server. Has anyone found a workaround for this problem? I know I can place a sensor in the subnet, but I’ve got like a ton of them…
The Greenbone scanner has a “Whitecard” in the firewall, so it’s technically allowed to do as it pleases.

I’m pretty new to GSM, be kind if the question is stupid :wink:
_BotDW

Hi, please search for a topic before opening a new one. Here is everything already discussed:

1 Like

Hi, thanks for the response.
I’ve found the entry you posted already, and I opened this one because the discussion doesn’t get me anywhere really. Except there still is no other solution to this problem instead of “Consider Alive” and “Ton of Sensors”?

Thought there might have been some progress on this topic, but ok.

Thanks anyway.

Scanning through firewalls is always the 2nd best option. If you allow ICMP through the firewall, an ICMP Ping alive test should work fine. All other TCP ACK tests are more or less useless in stateful firewall scenarios.

3 Likes

As this is not a question about a single NASL script but more about environmental/network factors like a firewall, I have moved this topic into a better fitting category.

Thanks for the reply.

I’ve tried to give it an explicit firewall rule for ICMP pings. Thing is, I now can successfully ping my target hosts from the Greenbone shell. As soon as I switch to the web interface and try to start a scan, I get the same scenario as before: the GSM cannot reach the target, so the reports are empty.

Is there something special about the Consider-Alive pings from the web GUI? There has to be, because it works just fine from the shell.

Thanks in advance, and thanks @cfi for correcting my post, I’ll pay attention next time.

Did you change the “Alive Test” to ICMP?
If not, you need to do so.

Ensure that your firewall has no active defense, like blocking the scanner due to a port scan, etc.

@BotDW The problem I found was the opposite: I don’t whitelist the scanner, because that would show that all internal hosts are up regardless of what the firewall permits through and so all hosts get a full scan which mostly fails, taking a long time to complete. That was not much different to “consider alive”. Initially TCP-SYN checks did the same, but I found that my zone protection settings on the firewall were independent of the policy rules so all attempts were being proxied by the firewall. It started to behave correctly when I excluded the scanner from the zone protection so the SYNs were forwarded to the actual hosts. TCP-ACK was no good because that was immediately dropped by the firewall regardless of rules.

Of course these settings are firewall dependent, so they may be different for you.
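To make the behaviour described in the two posts above concrete (ICMP passes when a rule allows it, SYNs create session entries until the table is full, unsolicited ACKs are dropped), here is an added toy model of a stateful firewall's state table. It is illustration code written for this thread, not Greenbone/GVM code, and the hosts, addresses and session limit are constructed assumptions.

```python
"""Toy stateful firewall: why alive-test probe types behave differently.

Constructed illustration, not GVM code. Assumes every target behind the
firewall is up and answers any probe that is actually forwarded to it.
"""
from dataclasses import dataclass, field


@dataclass
class Probe:
    proto: str          # "icmp" or "tcp"
    src: str
    dst: str
    flags: str = ""     # for tcp: "S" (SYN) or "A" (ACK)


@dataclass
class StatefulFirewall:
    allow_icmp: bool = True
    allow_tcp_syn: bool = True
    session_limit: int = 3      # tiny table so exhaustion is visible
    sessions: set = field(default_factory=set)

    def forward(self, p: Probe) -> str:
        """Return 'forwarded' or the reason the probe was dropped."""
        if p.proto == "icmp":
            return "forwarded" if self.allow_icmp else "dropped: icmp denied"
        key = (p.src, p.dst)
        if p.proto == "tcp" and p.flags == "S":
            if not self.allow_tcp_syn:
                return "dropped: policy"
            if key in self.sessions:
                return "forwarded"          # retransmit of a known session
            if len(self.sessions) >= self.session_limit:
                return "dropped: session table full"
            self.sessions.add(key)          # SYN creates state
            return "forwarded"
        if p.proto == "tcp" and p.flags == "A":
            # A bare ACK only passes if a session already exists
            return "forwarded" if key in self.sessions else "dropped: no matching session"
        return "dropped: unknown probe"


def alive_test(fw: StatefulFirewall, scanner: str, targets: list, kind: str) -> list:
    """Send one probe of the given kind to each target; return hosts seen as alive."""
    flags = {"icmp": "", "tcp-syn": "S", "tcp-ack": "A"}[kind]
    proto = "icmp" if kind == "icmp" else "tcp"
    return [t for t in targets
            if fw.forward(Probe(proto, scanner, t, flags)) == "forwarded"]
```

With five live targets and a three-entry table, the ACK test reports nothing, the SYN test reports only the first three hosts, and the ICMP test reports all five, which matches the empty reports the thread describes for TCP-based tests.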

Hello,
I have the same problem here. We have a firewall in place, but the FW is just necessary to establish a VPN connection between two sites (the FW is nearly open). Pings are allowed, and from the Greenbone VM I can successfully ping clients on the other site. For a reason I do not understand, I can’t perform an ICMP Ping alive scan. We even checked the firewall logs: the ping from the Greenbone device is sent and a reply is also received. Greenbone considers the host dead. If I scan with “consider alive” I am getting normal scan results.
Does anybody have an idea what could be wrong, or have I overlooked something? I also checked the Greenbone logs, but they offer no further information.

Have a look at Hint: Hosts are not scanned / not shown as "Alive" for some background information and how to enable logging to see the reason why a host is considered as “dead”.

Also keep in mind that GVM is using nmap for the alive test by default, and some firewalls might also block the requests of nmap (based on some signatures).

2 Likes

Hey, sorry it took me a bit because of work reasons.

I did change the Alive Test to ICMP.
I will check with various configurations, to see if some Active Defense is blocking it. Thanks!

@djr Thanks for your comment! I will try to do as you said asap, of course within the framework of the conditions of my firewall. But it sounds like a good reason for it not to work. I will give you an update asap!

@Marc001 Yeah, same for me: I can see the ICMP ping in my live log, but I do not see a response. I will check the local firewall settings again, but I think I already did that. Keep me updated if you find a solution.

@cfi Thanks again, will take a good look into it.

1 Like