Should security testing (vulnerability scanning, web app pentesting, etc.) be performed through a full protection stack (firewall, IPS, WAF, email filter, etc.), or should the tester’s IP be white listed?
Bottom line: You are highly encouraged to white list the tester’s IP. The faster we can identify your vulnerabilities, the more thorough we can be and the cheaper it is for you.
You may be required to do so anyway, depending on various compliance standards you may fall under. The only exception is if you are a vendor seeking testing of a protection product (firewall, IDS/IPS, etc.) you have developed.
More about this topic can be read here: Shields Down Security Testing