I set:
IGNORE_ALLOW = 0 and add their IP(s) to csf.ignore
But they are being blocked. Their explanation is as follows:
Desc:
During the course of the scan, TrustKeeper detected an unidentified protocol on common web ports. In some cases, this may be caused by network security devices actively blocking the vulnerability scan, which it may perceive as a threat. In other cases, an intermediate network device, or the host itself, may be unable to cope with the vulnerability scan.
It's often very difficult to tell the difference between these two scenarios, but in either case, this behavior significantly impacts the ability of this vulnerability scanning service to detect vulnerabilities on the remote host, resulting in an inconclusive vulnerability assessment. The PCI ASV Program Guide 1.0 requires that PCI ASV scan customers have a scan performed on all in-scope hosts without interference from IDS/IPS; if such interference is detected, then the ASV is required to fail the scan. Examples of products and devices that provide active measures that may interfere with the scan are firewall and intrusion detection systems (IDS) with active countermeasures, intrusion prevention systems (IPS), web-application firewalls (WAF), and distributed-denial of service (DDoS) mitigation products.
And remediation:
In order to achieve a conclusive vulnerability assessment of the remote host, the products and devices responsible for interfering with this scan may need to be temporarily configured to permit scanning without interference. This normally takes the form of adding the IP addresses of this scanning service to the "whitelist" of the product or device. Please ensure the following network blocks have full, unobstructed, access in order to more accurately perform a vulnerability scan: 204.13.201.0/24, 64.37.231.0/24.
Also, if the hosts on this IP address are not involved in the transmission and storage of cardholder data (in other words, not in scope for PCI), then this IP address does not need to be scanned. If this is the case, please remove this IP address from your scan profile and initiate a new scan.
Am I missing something? Because if I add their IPs to the allow list, lots of issues will come out, like open ports and so on.
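A coverage check for the whitelisting step in the remediation text, added here as an example and not part of the original post or of csf: it parses csf.ignore-style lines (one IP or CIDR per line, `#` comments) and counts how many addresses of the two quoted scanner blocks no entry covers. The sample file contents are constructed and the function names are hypothetical.

```python
import ipaddress

# Scanner network blocks quoted in the remediation text above.
SCANNER_BLOCKS = ["204.13.201.0/24", "64.37.231.0/24"]

# Constructed sample of csf.ignore contents (not taken from the post).
SAMPLE_IGNORE = """\
# lfd ignore list
204.13.201.0/24   # whole scanner block
64.37.231.10      # single address only
"""

def parse_entries(text):
    """Parse one-IP-or-CIDR-per-line text; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            pass  # not an address (e.g. an Include line); skipped here
    return entries

def uncovered(block, entries):
    """Return the sub-networks of `block` that no entry covers."""
    remaining = [ipaddress.ip_network(block)]
    for entry in entries:
        kept = []
        for net in remaining:
            if net.version != entry.version or not net.overlaps(entry):
                kept.append(net)            # entry does not touch this piece
            elif not net.subnet_of(entry):  # entry sits inside this piece
                kept.extend(net.address_exclude(entry))
            # else: piece is fully covered by entry, so it is dropped
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def report(text, blocks=SCANNER_BLOCKS):
    """Map each block to the number of its addresses left uncovered."""
    entries = parse_entries(text)
    return {b: sum(n.num_addresses for n in uncovered(b, entries)) for b in blocks}

if __name__ == "__main__":
    for block, missing in report(SAMPLE_IGNORE).items():
        print(block, "covered" if missing == 0 else f"{missing} addresses not covered")
```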