Nmap Scanning past Watchguard Firewalls
Thursday, April 30, 2009 at 8:51PM

I often come up against Watchguard firewalls, and they are not bad little firewalls for small to medium-sized organisations. This is mostly because they have quite a bit enabled by default. One of those features is the port scan detection module, which blocks any IP when it detects a port scan. One of the problems for pen testers is that it does not have a whitelist, so for a client it's either on or off.
When you are performing infrastructure penetration testing it's important to get good, reliable port scans. So we often ask customers to turn it off to ensure we capture every open port, as we rarely have the luxury of time to run scans slow enough to stay under the detection rules. As clients who run Watchguard only have the option of on or off, it will most often remain enabled and force the tester to do a slow scan.
After playing with a few different timings, the best result I found against the default Watchguard settings was the following nmap command, which got the scans done the quickest without getting my IP blacklisted.
nmap -sS -iL targetlist.txt -P0 -sV -T2
When run over the full port range (-p1-65535) against four IPs it takes 1000 seconds to complete. The -T2 option is the timing template; T1 is the slowest.
(March 2010 - updated due to change in Watchguard default settings)
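As an added illustration that is not part of the original post, the following script shows from the defender's side why a polite -T2 scan slips past a rate-based port scan detector that a default-speed scan trips, and why a longer observation window closes that gap. The 0.4 s probe spacing is nmap's documented -T2 scan delay; the event format, window lengths and port threshold are assumptions for the example, not Watchguard's actual settings.

```python
from collections import defaultdict, deque

# Constructed firewall-style events: (timestamp_seconds, src_ip, dst_port).
# Assumed shape for the example; real Watchguard log fields are not reproduced.
def probes(src, start, n, spacing):
    return [(start + i * spacing, src, 1 + i) for i in range(n)]

# nmap -T2 ("polite") waits 0.4 s between probes; default timing sends many
# probes per second. Both sources are constructed, documentation-range IPs.
SAMPLE_EVENTS = sorted(
    probes("198.51.100.10", 0.0, 40, 0.4) +   # slow, -T2-style
    probes("198.51.100.20", 0.0, 40, 0.01)    # fast, default-timing style
)

def detect_scanners(events, window_s, max_ports):
    """Flag a source once it touches more than max_ports distinct destination
    ports within any sliding window of window_s seconds. This is an assumed
    threshold model, not Watchguard's actual algorithm.
    Returns {src_ip: timestamp_first_flagged}."""
    recent = defaultdict(deque)   # src -> deque of (ts, port) inside the window
    flagged = {}
    for ts, src, port in events:  # events must be time-ordered
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_ports and src not in flagged:
            flagged[src] = ts
    return flagged

if __name__ == "__main__":
    # A 1 s window sees at most 3 probes from the -T2 source, so it misses it.
    print("1 s window flags:", sorted(detect_scanners(SAMPLE_EVENTS, 1.0, 10)))
    # A 30 s window accumulates the slow scan as well and flags both sources.
    print("30 s window flags:", sorted(detect_scanners(SAMPLE_EVENTS, 30.0, 10)))
```

The practical takeaway for the defender is that the detection window must be long relative to the slowest probe spacing an attacker is willing to tolerate; a threshold tuned only to default-speed scans leaves polite scans invisible.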