Should security testing (vulnerability scanning, web app pentesting, etc.) be performed through a full protection stack (firewall, IPS, WAF, email filter, etc.), or should the tester’s IP be white listed?
Bottom line: You are highly encouraged to white list the tester’s IP address from any active interference in your protection system(s). The faster we can identify your vulnerabilities, the more thorough we can be, and the cheaper it is for you. Note: In this context, white list means to move the tester’s IP into a policy that still prevents access as intended for a given source, but changes any active protections (ex. IDS/IPS) to a monitor/alert-only mode, as to not prevent interference.
You may be required to do so anyway, depending on various compliance standards you may fall under. The only exception is if you are a vendor seeking testing of a protection product (firewall, IDS/IPS, etc.) you have developed.
More about this topic can be read here: Shields Down Security Testing