[PEN-TEST] Disabling WatchGuard scan detection

[Alex Butcher <alex () S3 INTEGRALIS CO UK>]

Hi -

We're working on a vulnerability scan for a customer who's utilizing a
WatchGuard firewall (not sure exactly what type); unfortunately, they
have enabled the automatic scan detection functionality which drops my
scan host into a blackhole for 20+ minutes as soon as I violate one of
the firewall policies. :(

We've tried (with help from WatchGuard!) to make the firewall less
twitchy on the trigger, but it only seems to have made things worse.
We're not a WatchGuard partner, so I'm not much help right now. :C

Anyone got any /concise/ tips on how WatchGuard firewalls should be
configured to as to ignore port scans, policy violations and suchlike?
Note that I'm not talking about adding a rule that allows my scan host
to do *anything*; I just want to be able to assess hosts behind the
firewall accurately. Nmap slow (Sneaky) scans got through initially, but
the changes that have been made since appear to prevent even that...

Thanks in advance for any help offered,
Alex. (yes, I *will* be pointing out the DoS potential in the report -
"Hi, I'm your ISP's DNS and I'm portscanning you!" *kerchunk* *slam*)
--
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE