Nmap Scanning a WatchGuard Firewall

I recently completed a perimeter security audit for a client who was using a WatchGuard Firewall. One of the default options is port scan detection, which automatically blocks any IP address it detects carrying out a port scan against it. One of the problems for penetration testers is that it does not have a whitelist, so for a client it’s either on or off.

When you are performing infrastructure penetration testing, it's important to get reliable, comprehensive port scans. I found that the following Nmap options can be used to carry out a scan without your IP being blacklisted or blocked:

# nmap -sS -P0 -vvvv -sV -T2 ip-address
# nmap -P0 -p1-20000 -vvvv -O -T Sneaky -sS ip-address

These options can also be used for other security appliances which feature port scan blocking functions, including ISS Proventia, FortiGate, TippingPoint and Cisco ASA.
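
For defenders reviewing firewall logs, here is an added example (not part of the original post, and not WatchGuard's own detection logic) of why a short per-second threshold misses probes spaced the way -T2 and -T Sneaky space them, while a distinct-port count over a longer window still flags them. The event tuple format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def detect_scanners(events, window_ms, min_ports):
    """Return the source IPs that touched at least min_ports distinct
    destination ports inside any sliding window of window_ms milliseconds.
    events: iterable of (timestamp_ms, src_ip, dst_port) tuples (assumed format)."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        window = deque()            # (ts, port) pairs currently inside the window
        counts = defaultdict(int)   # port -> number of hits inside the window
        for ts, dport in hits:
            window.append((ts, dport))
            counts[dport] += 1
            # Drop hits that have aged out of the window.
            while ts - window[0][0] > window_ms:
                _, old = window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            if len(counts) >= min_ports:
                flagged.add(src)
                break
    return flagged

def probes(src, gap_ms, ports):
    """Build constructed log events: one probe every gap_ms milliseconds."""
    return [(i * gap_ms, src, p) for i, p in enumerate(ports)]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = (
    probes("198.51.100.10", 10, range(1, 41))       # burst scan, 10 ms apart
    + probes("198.51.100.20", 400, range(1, 41))    # 0.4 s apart, Nmap -T2 spacing
    + probes("198.51.100.30", 15000, range(1, 41))  # 15 s apart, Nmap -T Sneaky spacing
    + probes("203.0.113.5", 2000, [443] * 40)       # ordinary client, a single port
)

def compare():
    """Run a 1-second rule and a 1-hour rule with the same port threshold."""
    per_second = detect_scanners(SAMPLE, 1_000, 10)
    per_hour = detect_scanners(SAMPLE, 3_600_000, 10)
    return per_second, per_hour

if __name__ == "__main__":
    per_second, per_hour = compare()
    print("1 s window :", sorted(per_second))
    print("1 h window :", sorted(per_hour))
```

The longer window costs more state per source address, so in practice it is usually run over exported logs rather than on the appliance itself.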