i’ve got a Problem, and i’ve already done some reasearch on it. Thing is, if i try to Scan a subnet with the Default Alive-test (or any other given else than 'Consider Alive), the test will be canceled right away ( without an error code) and the following report will show nothing. I guess it’s because the Scan fills up the session table of my firewall which leads to no response from any server. Has anyone found a workaround for this Problem? I know i can place a sensor in the subnet, but i’ve got like a ton of them…
The GreenboneScanner has a “Whitecard” in the Firewall, so it’s technically allowed to do as it pleases.
I’m pretty new to GSM, be kind if the question is stupid
Hi, thanks for the response.
I’ve found the Entry you posted already, and i opend this one, because the discussion doesn’t get me anywhere really. Except there still is no other solution to this Problem instead of “Consider Alive” and “Ton of Sensors”?
Thought there might have been some progress on this Topic, but ok.
Scanning trough firewalls are always the 2nd best option. If you allow ICMP trough the firewall, a ICMP Ping Alive Test should work fine. All other TCP ACK are more or less useless in stateful filewall scenarios.
I’ve tried to give it an explicit Firewall Rule for ICMP Pings. Thing is, i now can succesfully ping my target hosts, from the Greenbone Shell. As soon as i switch to the WebInterface and try to start a scan, i get the same scenario as before, the GSM cannot reach the target, so the reports are empty.
Is there something special about the Consider-Alive Pings from the Web-Gui? There has to be because it works just fine from the shell.
Thanks in advance and thanks @cfi for correcting my post, i’ll pay attention next time.
@BotDW The problem I found was the opposite: I don’t whitelist the scanner, because that would show that all internal hosts are up regardless of what the firewall permits through and so all hosts get a full scan which mostly fails, taking a long time to complete. That was not much different to “consider alive”. Initially TCP-SYN checks did the same, but I found that my zone protection settings on the firewall were independent of the policy rules so all attempts were being proxied by the firewall. It started to behave correctly when I excluded the scanner from the zone protection so the SYNs were forwarded to the actual hosts. TCP-ACK was no good because that was immediately dropped by the firewall regardless of rules.
Of course these settings are firewall depedent so may be different for you.
I have the same problem here. We have a Firewall in place but the FW is just necessary to establish a VPN connection between two sites (The FW is nearly open). Pings are allowed and from the Greenbone VM I can successfully ping clients on the other site. For a reason I do not understand I can’t perform an ICMP Ping live scan. We even checked the firewall logs and the ping from the Greenbone device is send and a feedback is also received. The Greenbone consideres the host is dead. If I scan with “consider alive” I am getting normal scan results.
Has anybody an idea what could be wrong or have I overseen something? I also checked the Greenbone logs but they offer no further information.
I did change the Alive Test to ICMP.
I will check with various configurations, to see if some Active Defense is blocking it. Thanks!
@djr Thanks for your comment! I will asap try to do as you said. Of course within the framework of the conditions of my firewall. But it sound like a good Reason for it not to work. I will give you an update asap!
@Marc001 Yeah same for me, i can see the ICMP Ping in my Live-Log, but i do not see a response. I will check the local Firewall settings again, but i think i already did that. Keep me Updated if you find a solution.