Whitelisting an ASV Scanner IP in WAF for PCI DSS Compliance
- Nabu
- Apr 21
- 2 min read
Organizations handling cardholder data must comply with PCI DSS (Payment Card Industry Data Security Standard), which mandates regular vulnerability scans (PCI DSS Requirement 11.3.2). These scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) and must not be blocked or altered by security controls such as a Web Application Firewall (WAF).
A misconfigured WAF can prevent an ASV scanner from reaching the Cardholder Data Environment (CDE) and the server that calls the payment page, leading to failed scans and non-compliance.
From the ASV Program Guide v4.0 r2:
“The ASV scan solution must be allowed to perform scanning without interference from active protection systems... Examples of active protection systems: ... Web application firewalls (WAF) that block all traffic from an IP address based on the number of events exceeding a defined threshold”.
How to Whitelist nabu's ASV Scanner IP in a WAF
nabu's scanner IP range is 38.123.140.0/25. In order to whitelist this range in your WAF:
1. Log Into Your WAF Management Console
Access your WAF provider’s dashboard (AWS WAF, Azure WAF, Cloudflare, ModSecurity, Imperva, etc.).
2. Create a Whitelist Rule
Most WAFs allow custom rules to explicitly allow traffic from specific IP addresses.
Add the range 38.123.140.0/25 to an Allow List or IP Set.
Bypass or disable the blocking and rate-limiting rules for traffic from this range.
3. Apply the Rule to the CDE and Payment Server
Make sure the whitelist rule applies to:
✔️ The Cardholder Data Environment (CDE)
✔️ The payment page and any servers communicating with it (e.g., API gateways, backend services)
✔️ The page that includes the iFrame, redirect, API or other solution supplied by your Payment Service Provider.
4. Test and Validate
Ask nabu to run a test scan.
Check the WAF logs to confirm that the scan requests were allowed and not blocked, challenged or otherwise altered. In particular, look for any request from the 38.123.140.0/25 range whose action was anything other than allow.
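As an added example (not nabu's or the page's own code), the check in step 4 as a small Python script run over constructed AWS WAF-style JSON log lines: it flags every request from nabu's 38.123.140.0/25 range whose action was not ALLOW, and ignores addresses in the neighbouring 38.123.140.128/25 half. The log field names and rule names are assumptions.

```python
import ipaddress
import json

# nabu's ASV scanner range as stated on the page
SCANNER_RANGE = ipaddress.ip_network("38.123.140.0/25")

# Constructed sample records in AWS WAF log style (action, terminatingRuleId,
# httpRequest.clientIp, httpRequest.uri). These are made-up lines, not real logs.
SAMPLE_LOG = """
{"action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "38.123.140.17", "uri": "/checkout"}}
{"action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet", "httpRequest": {"clientIp": "38.123.140.42", "uri": "/api/pay"}}
{"action": "BLOCK", "terminatingRuleId": "RateLimit", "httpRequest": {"clientIp": "203.0.113.9", "uri": "/login"}}
{"action": "BLOCK", "terminatingRuleId": "RateLimit", "httpRequest": {"clientIp": "38.123.140.200", "uri": "/login"}}
{"action": "ALLOW", "terminatingRuleId": "AllowASVScanner", "httpRequest": {"clientIp": "38.123.140.100", "uri": "/"}}
"""


def is_scanner(ip: str) -> bool:
    """True if the address lies inside nabu's published /25."""
    return ipaddress.ip_address(ip) in SCANNER_RANGE


def audit_scanner_traffic(log_text: str):
    """Return (scanner_requests_seen, interfered) where interfered lists
    (ip, uri, rule) for every scanner request not plainly ALLOWed.
    COUNT, CAPTCHA and CHALLENGE also count as interference, since they alter
    what the scanner sees."""
    seen = 0
    interfered = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        ip = rec["httpRequest"]["clientIp"]
        if not is_scanner(ip):
            continue
        seen += 1
        if rec["action"] != "ALLOW":
            interfered.append((ip, rec["httpRequest"]["uri"], rec["terminatingRuleId"]))
    return seen, interfered


if __name__ == "__main__":
    seen, interfered = audit_scanner_traffic(SAMPLE_LOG)
    print(f"scanner requests seen: {seen}")
    for ip, uri, rule in interfered:
        print(f"scanner request from {ip} to {uri} was stopped by rule {rule}")
```

Any line it prints names the rule that still needs an exception (or a higher-priority allow rule) before the real scan is run.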
Whitelisting ASV Scanner IPs in Common WAFs
AWS WAF
Open the AWS WAF console.
Navigate to Web ACLs and select the relevant ACL.
Click Rules → Add Rule.
Choose IP Set and enter nabu's scanner range (38.123.140.0/25).
Configure the rule to Allow traffic from these IPs.
Save and apply changes.
Azure WAF (Application Gateway)
Open Azure Portal.
Go to Application Gateway → WAF Policy.
Under Managed Rules, create a Custom Rule.
Set the condition:
If the source IP is in nabu's scanner range (38.123.140.0/25).
Action: Allow
Apply and test.
ModSecurity (Apache/Nginx WAF)
Edit the ModSecurity rule file, placing the rule before the rule set (e.g., the CRS include) so it is evaluated first:
# Let nabu's ASV scanner range through before any other rule can block it.
# "allow" in phase 1 skips the remaining phases for the request; nolog keeps it out of the audit log.
SecRule REMOTE_ADDR "@ipMatch 38.123.140.0/25" "id:1001,phase:1,allow,nolog"
Restart the server:
systemctl restart apache2 # or nginx
Imperva WAF
Open Imperva Console.
Navigate to Security Settings → IP Whitelist.
Add nabu's scanner IP addresses and confirm.
Cloudflare WAF
Log into Cloudflare and select your domain.
Navigate to Security → WAF.
Click Create Rule:
Condition: IP Source Address → is in → 38.123.140.0/25 (as an expression: ip.src in {38.123.140.0/25})
Action: Skip (formerly Bypass), skipping the managed WAF rules and rate limiting for matching requests.
Save the rule.
Alternative: IP Access Rules
Navigate to Security → Tools.
Add nabu's scanner range (38.123.140.0/25) under IP Access Rules.
Set Allow.
⚠ Important: If Cloudflare is proxying traffic, make sure it doesn't serve cached responses to the scanner, as a cached page hides the origin's actual behaviour and interferes with the ASV's evaluation of vulnerabilities.