
Vulnerability device scanning block using XG firewall

Once a year for our vulnerability scanning we have a device which is used to probe the internal LAN network to run a vulnerability scan. Having recently installed a Sophos XG firewall, we have set the firewall rules so that Security Heartbeat is on and, if there is no heartbeat, the connection is blocked.

Am I correct in thinking that, as this is connected to the LAN and will attempt to make an outgoing connection to the internet in order to start its scan, this will be blocked by the firewall as an unrecognised device and so should be prevented from making a connection to the internet?

My second question is: provided that it can run a scan in any case, if it has no heartbeat, will the firewall prevent device-to-device scanning via the switch, or, as I suspect, would any probing by the device through the switch continue unhindered by the firewall and carry on regardless?

Thanks

Mike



This thread was automatically locked due to age.
  • Hi Mike,

    If this scanner will be plugged into the LAN and needs to go out to the Internet, I suggest creating an exception for this device by creating a firewall rule on top of your firewall rule that requires heartbeat. Source network would be the IP address of the scanner and do not enable Security Heartbeat.

    As per your second question, device to device scanning will be unhindered by the firewall as long as it is within the same zone/LAN as it shouldn't hit your firewall.

    Karlos
    Community Support Engineer | Sophos Technical Support

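A small model of the rule ordering Karlos describes, added here as an illustration and not code from Sophos or the XG firewall: rules are evaluated top-down and the first match wins, so the scanner exception only works when it sits above the heartbeat-required rule. The rule names, the 192.168.1.0/24 LAN and the scanner address 192.168.1.10 are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # source network the rule matches
    require_heartbeat: bool = False  # "block clients with no heartbeat"


def evaluate(rules, src_ip, has_heartbeat):
    """First matching rule decides, as on XG; returns (rule name, verdict)."""
    ip = ip_address(src_ip)
    for rule in rules:
        if ip not in ip_network(rule.src):
            continue
        if rule.require_heartbeat and not has_heartbeat:
            return rule.name, "drop"   # matched, but no heartbeat -> blocked
        return rule.name, "allow"
    return "implicit-deny", "drop"      # nothing matched


def crosses_firewall(src_ip, dst_ip, lan):
    """Traffic between two hosts in the same LAN subnet is switched locally
    and never reaches the firewall, so no firewall rule applies to it."""
    net = ip_network(lan)
    return not (ip_address(src_ip) in net and ip_address(dst_ip) in net)


LAN = "192.168.1.0/24"          # constructed example LAN
SCANNER_IP = "192.168.1.10"     # constructed scanner address (no Endpoint, no heartbeat)

# Recommended order: exception rule on top, heartbeat rule below it.
CORRECT_ORDER = [
    Rule("scanner-exception", f"{SCANNER_IP}/32"),
    Rule("lan-to-wan-heartbeat", LAN, require_heartbeat=True),
]
# Wrong order: the heartbeat rule matches first and the exception is never reached.
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, SCANNER_IP, False))      # scanner allowed out
    print(evaluate(CORRECT_ORDER, "192.168.1.50", False))  # other host, no heartbeat: dropped
    print(evaluate(WRONG_ORDER, SCANNER_IP, False))        # exception shadowed: dropped
    print(crosses_firewall(SCANNER_IP, "192.168.1.50", LAN))  # LAN-to-LAN scan: False
```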