Add Rate Limiting & IP Rep to list of controls that can be "skipped" via Policy in Common Security Controls

To disable security controls for a PCI scanner, I have to make at least two config changes on the LB. Since IP Rep can only be done via Trusted Clients, and Trusted Clients only allows a single IP/range per config, we must create a config for each IP range of the scanner.

It would be ideal to only have to define the scanner profile once and then in one location, select which controls to disable.

There are two problems with this. First, it takes longer than necessary to accomplish the task, as we're having to replicate the same information in two places. Second, in the future, when the scanner IPs change, we have to remember to make the update in both locations, which makes it error-prone to maintain.

1. IP Rep - can only be done via Trusted Clients - requires one record per IP range

2. Rate Limiting - can only be disengaged via a custom rate limiting rule - not via Trusted Clients or Policy in Common Security Controls

3. WAF - can be done via Trusted Clients or Policy in Common Security Controls

Two solution options:

1. Add Rate Limiting to the list of controls that can be disengaged via Trusted Clients, and allow multiple IP ranges or a prefix set to be used.

2. Add Rate Limiting and IP Rep to list of controls that can be "skipped" via Policy in Common Security Controls.

  • Guest
  • Jul 11 2025