How to configure an allowlist and verify scan targets
This section explains how to add IP addresses to an allowlist and how to troubleshoot errors related to scan targets.
How do I configure an allowlist for the Crashtest Security Scanners in my firewall?
Security scans often have to run against applications that are not publicly reachable, such as staging systems. Crashtest Security therefore scans from a fixed set of static IP addresses so that you can allow them through your network perimeter. All requests from the scanning engine originate from one of these addresses.
Add the following IP addresses to an allowlist in your firewall or load balancer. This lets the security scanner reach your private applications, such as your staging system or internal applications. Scope the rule to the ports your application actually serves (typically 80 and 443) rather than allowing all traffic from these addresses:
34.107.11.19
34.107.25.100
34.107.26.185
34.107.70.133
34.107.89.107
34.107.116.11
35.246.166.174
Here are the IP addresses as a comma-separated list for easier copying into your firewall settings:
34.107.11.19,34.107.25.100,34.107.26.185,34.107.70.133,34.107.89.107,34.107.116.11,35.246.166.174
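As an added example (not Crashtest Security or Veracode code), the script below renders the address list above into an nftables ruleset that admits only the scanner addresses to the web ports of a staging host. The table and set names, the port list and the choice of nftables are assumptions; translate the same set to a security group or load-balancer ACL if that is where your perimeter lives.

```shell
#!/bin/sh
# Added example (not Crashtest Security/Veracode code): build an nftables
# ruleset that admits only the Crashtest Security scanner addresses to the
# web ports of a staging host. The scanner IPs are the ones listed on this
# page; the table/set names and the port list are assumptions.
set -eu

# Scanner source addresses from the list above, one per line.
SCANNER_IPS='34.107.11.19
34.107.25.100
34.107.26.185
34.107.70.133
34.107.89.107
34.107.116.11
35.246.166.174'

# Ports the application serves (assumed: plain HTTP and HTTPS).
WEB_PORTS='80, 443'

# Number of scanner addresses; a sanity check after editing the list.
scanner_ip_count() {
    printf '%s\n' "$SCANNER_IPS" | grep -c .
}

# Render the addresses as the comma-separated element list nft expects.
scanner_ip_elements() {
    printf '%s\n' "$SCANNER_IPS" | paste -s -d , - | sed 's/,/, /g'
}

# Print a complete nftables ruleset to stdout. The chain keeps policy
# accept so SSH and other admin traffic is untouched; only the web ports
# are restricted to the scanner set. Add your own office/VPN range to the
# set if people also need to reach staging.
scanner_nft_ruleset() {
    cat <<EOF
table inet crashtest_allow {
    set scanner_ips {
        type ipv4_addr
        elements = { $(scanner_ip_elements) }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iifname "lo" accept
        # Scanner traffic to the application ports is allowed ...
        ip saddr @scanner_ips tcp dport { $WEB_PORTS } accept
        # ... and every other source is dropped on those ports only.
        tcp dport { $WEB_PORTS } drop
    }
}
EOF
}

scanner_nft_ruleset
```

Save the output to a file and load it with `nft -f <file>`; `nft list table inet crashtest_allow` then shows the seven addresses in the set. Because the scanner set is an nftables set, a changed address list only needs the set elements updated, not the rules.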
How should I interpret the error messages during my scans, and what should I do?
If the scan configuration is incorrect, or there is a problem with one of the scanners, you will receive an error message while the scan runs or after it finishes. For a list of the error names you may receive, together with suggested next steps to get the scan to complete, see How do I troubleshoot scan errors?.
What should I do when I receive error message "Failed to verify the scan targets"?
First, check that the verification file has been uploaded correctly. If it has, make sure the website is reachable by the scanner:
- The website should be publicly accessible.
- If protected by a firewall, ensure that the required IP addresses are on your allowlist (check the IP addresses provided previously).
- If the application uses HTTP Basic Authentication, configure the credentials in the scan settings before verifying.
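As an added example (not Crashtest Security or Veracode code), the script below probes the verification file the way the scanner would, from a host outside your network, and maps the HTTP status to the check above that applies. The host name, the verification file name and the status-to-advice mapping are assumptions; take the real file name from your project.

```shell
#!/bin/sh
# Added example (not Crashtest Security/Veracode code): probe the scan
# target as the scanner would and turn the HTTP status into the next
# troubleshooting step. The host and verification file name are placeholders.
set -eu

# Map an HTTP status code (000 = curl got no HTTP response at all) to the
# check that applies. Returns 0 only when the target looks verifiable.
diagnose_status() {
    case "$1" in
        200) echo "OK: the verification file is reachable with the given settings"; return 0 ;;
        000) echo "No HTTP response: DNS, routing or a firewall blocks the request; check that the scanner IPs are on the allowlist" ;;
        401) echo "HTTP 401: the site requires HTTP Basic Authentication; configure the credentials before verifying" ;;
        403) echo "HTTP 403: reachable but denied; check the firewall/WAF allowlist and the file permissions" ;;
        404) echo "HTTP 404: no file at this path; re-upload the verification file to the web root" ;;
        3[0-9][0-9]) echo "HTTP $1: redirected; serve the file directly at the configured URL or probe the redirect target" ;;
        5[0-9][0-9]) echo "HTTP $1: the application is erroring; fix it before re-running the scan" ;;
        *) echo "HTTP $1: unexpected status; inspect the response manually" ;;
    esac
    return 1
}

# Fetch URL without cookies or redirects, optionally with Basic Auth, and
# print only the status code. Usage: probe_target URL [user:password]
probe_target() {
    url=$1
    creds=${2:-}
    if [ -n "$creds" ]; then
        code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 -u "$creds" "$url") || code=000
    else
        code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 "$url") || code=000
    fi
    printf '%s\n' "$code"
}

# Probe and print the matching advice. Usage: check_target URL [user:password]
check_target() {
    status=$(probe_target "$@")
    printf 'status %s: ' "$status"
    diagnose_status "$status"
}

# Run only when a URL is given, e.g.
#   sh verify-probe.sh https://staging.example.com/VERIFICATION-FILE.txt user:pass
if [ "$#" -ge 1 ]; then
    check_target "$@"
fi
```

Run it from outside your network (or from a host whose address is not on the allowlist) to see what the scanner sees; a 200 from your office and a 000 from outside points at the firewall, not the upload.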
What should I do when I receive error message "Scanner could not log in"?
Make sure the website is reachable by the scanner and that the configured credentials work:
- The website should be publicly accessible.
- If protected by a firewall, ensure the required IP addresses are on your allowlist (check the IP addresses provided previously).
- If the application has an HTTP Basic Authentication, check that the credentials are correct.
- If protected by a login form, ensure that the credentials are correct.
- If the authentication is token-based, ensure the token stays valid for long enough to complete a scan (ideally 24 hours or more).
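As an added example (not Crashtest Security or Veracode code) for the token lifetime check above, the script below reads the expiry of a token before it is handed to the scanner. It assumes the token is a JWT with a numeric "exp" claim; opaque tokens need a different check. The sample token is constructed inline and carries a dummy signature, since only the claim is inspected.

```shell
#!/bin/sh
# Added example (not Crashtest Security/Veracode code): check how long a
# bearer token stays valid before using it for a scan. Assumes a JWT with a
# numeric "exp" claim (seconds since the epoch). The sample token is constructed.
set -eu

# Minimum remaining lifetime: 24 hours, as recommended above.
MIN_LIFETIME=$((24 * 60 * 60))

# base64url-encode stdin without padding (used only to build the sample).
b64url() {
    base64 | tr -d '=\n' | tr '+/' '-_'
}

# Decode the JWT payload (second dot-separated segment), restoring padding.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2)
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Extract the numeric exp claim; prints nothing if absent.
jwt_exp() {
    jwt_payload "$1" | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Seconds until expiry relative to "now" (second arg, defaults to the
# current time); negative means already expired. No exp claim: prints
# "none" and returns 1.
jwt_seconds_left() {
    now=${2:-$(date +%s)}
    exp=$(jwt_exp "$1")
    if [ -z "$exp" ]; then echo none; return 1; fi
    echo $(( exp - now ))
}

# Return 0 when the token will outlive a scan, 1 otherwise.
token_ok_for_scan() {
    left=$(jwt_seconds_left "$1" "${2:-$(date +%s)}") || return 1
    [ "$left" -ge "$MIN_LIFETIME" ]
}

# Constructed sample: standard header, payload expiring 2100-01-01 00:00 UTC
# (exp 4102444800), dummy signature segment.
SAMPLE_JWT="$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url).$(printf '%s' '{"sub":"scanner","exp":4102444800}' | b64url).signature"

if token_ok_for_scan "$SAMPLE_JWT"; then
    echo "sample token OK: $(jwt_seconds_left "$SAMPLE_JWT") s left"
else
    echo "sample token expires too soon for a full scan"
fi
```

Replace SAMPLE_JWT with the token you intend to configure; if `token_ok_for_scan` fails, issue a longer-lived token for the scan account rather than hoping the scan finishes first.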
What should I do when I receive the error message "Scan failed for unknown reasons"?
There might be several reasons causing this error. First, check the following:
- The application is available.
- Login credentials are correct.
- IP addresses are on your allowlist.
If all of these check out and the scan still fails, contact Veracode Technical Support.
Why is my scan taking so long?
A full, invasive vulnerability scan takes longer than usual if the application is large or has a very large number of pages. It also happens when the crawler cannot group page paths because of their complex structure, so every variant is scanned separately. Reduce the scan time with the following:
- Group your pages in the Grouped URL setting. The pattern for grouping uses the asterisk as a placeholder for parts of the path.
- Add URLs to the Denied URLs section to narrow the scan scope manually before the scan starts.
If your web application is relatively small and scans have usually completed in reasonable time, the scan may need an expert review. For assistance, contact Veracode Technical Support.